2014-01-09 - DOTKACHEF EXPLOIT KIT

ASSOCIATED FILES:


NOTES:

The DotkaChef exploit kit was discovered sometime in the first half of 2013, and EmergingThreats started releasing signatures on this EK as early as 2013-06-29:

In recent weeks, this exploit kit appears to have gained a little more prominence, because a few blog posts and articles appeared last month (December 2013). The two below are a good example of what I've seen:

Today, I happened across two compromised web sites that generated traffic to a DotkaChef EK domain.  Let's take a closer look at these infections.

SNORT EVENTS

I used Security Onion to monitor a vulnerable VM running a 32-bit version of Windows 7 with Java 6 update 25.  The infection traffic generated the following events in Sguil:


Screen shot of Sguil events for this infection.

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS:

INITIAL INFECTION CHAIN:


INFECTION TRAFFIC DETAILS

IP address: 31.200.243.55 port 80
domain name:
HTTP request: GET /

Screenshot of traffic:


IP address: 31.200.243.55 port 80
domain name:
HTTP request: GET /banners/www/delivery/ajs.php?zoneid=1&cb=8610467512&charset=iso-8859-1&loc=http%3A//www.psicologia-online.com/&referer=http%3A//www.google.com/url%3Fsa%3Dti%26rct%3Dj%26q%3D%26esrc%3Ds%26frm%3D1%26source%3Dweb%26cd%3D1%26ved%3D0CC0QFjAA%26url%3Dhttp%253A%252F%252Fwww.psicologia-online.com%252F%26ei%3D84XPUqvNA8qssATehoC4DQ%26usg%3DAFQjCNF5fU5nLL-DCfMPttRGaQO22GdgMw%26bvm%3Dbv.59026428%2Cd.b2I

Screenshot of traffic:

The script that's returned is JJencoded. Kahu Security has a well-written article describing this obfuscation technique (see http://www.kahusecurity.com/2013/jjencode-script-leads-to-drive-by/ for details). In this case, the JJencoded global variable name is $a, but there's other obfuscation here that I haven't been able to figure out.
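JJencode output is easy to spot even when the rest of the script is further obfuscated, because the encoder always emits the same opening preamble built on the chosen global variable name (the $a and $$ seen in this capture). The following is an added example, not code from the original post or from Kahu Security: it matches that preamble in an HTTP response body, pulls out the global name, and computes a symbol-density score as a fallback signal. Both sample bodies are constructed; the jjencode one is a preamble with global $a, truncated after the digit/letter table.

```python
import re

# jjencode output opens with "<g>=~[];<g>={___:++<g>,..." where <g> is the
# encoder-chosen global variable name (the page observed "$a" and "$$").
# Pattern written for this example.
JJENCODE_PREAMBLE = re.compile(
    r'(?P<g>\$[\w$]*)\s*=\s*~\[\]\s*;\s*(?P=g)\s*=\s*\{\s*___\s*:\s*\+\+(?P=g)\s*,'
)

# Characters jjencode emits apart from the global name.
JJENCODE_SYMBOLS = set('$_+!()[]{}:;,."=~\\')


def find_jjencode(body):
    """Return (global_name, offset) if `body` carries the jjencode preamble,
    else None."""
    m = JJENCODE_PREAMBLE.search(body)
    if not m:
        return None
    return m.group('g'), m.start()


def symbol_density(body, global_name=None):
    """Fraction of non-whitespace characters drawn from the jjencode symbol
    alphabet, after dropping the global name. A fully jjencoded body scores
    1.0; ordinary JavaScript scores well under 0.5. Useful as a ranking
    feature when extra obfuscation damages the preamble itself."""
    if global_name:
        body = body.replace(global_name, '')
    chars = [c for c in body if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if c in JJENCODE_SYMBOLS) / len(chars)


def triage(body):
    """Classify one HTTP response body for the analyst."""
    hit = find_jjencode(body)
    if hit:
        name, off = hit
        return {'jjencode': True, 'global': name, 'offset': off,
                'density': symbol_density(body, name)}
    return {'jjencode': False, 'density': symbol_density(body)}


# Constructed samples: a jjencode preamble with global "$a" (truncated after
# the digit/letter table) and a benign ad-tag snippet.
SAMPLE_JJ = ('$a=~[];$a={___:++$a,$$$$:(![]+"")[$a],__$:++$a,$_$_:(![]+"")[$a],'
             '_$_:++$a,$_$$:({}+"")[$a],$$_$:($a[$a]+"")[$a],_$$:++$a,'
             '$$$_:(!""+"")[$a],$__:++$a,$_$:++$a,$$__:({}+"")[$a],$$_:++$a,'
             '$$$:++$a,$___:++$a,$__$:++$a};')
SAMPLE_PLAIN = 'var z = document.getElementById("ad"); z.innerHTML = "loading";'

if __name__ == '__main__':
    for label, body in (('ad-server script', SAMPLE_JJ), ('plain tag', SAMPLE_PLAIN)):
        print(label, triage(body))
```

The preamble regex is the high-confidence signal; the density score is only there to rank bodies where the preamble has been split or padded by a second layer of obfuscation, which is exactly the situation described above.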


IP address: 103.31.186.40 port 80
domain name: seris.biz
HTTP request: GET /20a958bc.js?cp=www.psicologia-online.com

Screenshot of traffic:


This is the redirect that generates a 302 Found to the DotkaChef exploit domain.


IP address: 69.89.31.213 port 80
domain name: kanon-finale.com
HTTP request: GET /public/js/3rd_party/calendar_date_select/locale/0277201945/==wMw1mLiBnb8JTOyATM1YTN3YDO4gMDN89SN0kTMwIzN3IDMvUGbhN2bs9CdjVGblN3XlRXYk9lchRmblxWYj9Se0JXYw9FZyNzLzp2LjlGbiVHcv02bj5SZsFmbpZWLu9mbht2LvoDc0RHa8NnZ

Screenshot of traffic:


This landing page has more JJencoded JavaScript. The global variable is $$ but once again, there's some additional obfuscation that prevents me from decoding this.


IP address: 69.89.31.213 port 80
domain name: kanon-finale.com
HTTP request: GET /public/js/3rd_party/calendar_date_select/locale/0277201945/?f=s&k=4888675651029212

Screenshot of traffic:


This is the Java exploit.


IP address: 69.89.31.213 port 80
domain name: kanon-finale.com
HTTP request: GET /public/js/3rd_party/calendar_date_select/locale/0277201945/?f=npb.mp3&k=4888675651029223

Screenshot of traffic:


This is the EXE payload.
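The chain above has a recognisable shape in proxy or IDS logs: an ad-server tag, a short hex-named .js redirector carrying the compromised site in cp=, a ten-digit directory on the exploit domain, a landing page whose path tail is a long base64-like token, and then the same directory queried with f=s&k=... for the Java exploit and f=npb.mp3&k=... for the EXE. The script below is an added example, not code from the original post: it parses a constructed request log in an assumed "client -> server:port METHOD host url" format, assigns each request a chain stage using heuristics generalised from this one capture (ten-digit directory, eight-hex-character redirector name, base64-like tail), and collects per-stage (IP, host) indicators. Hosts that have no name on the page are given the placeholder compromised-site.example, and the long referer= parameter is trimmed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request log, one line per request, in an assumed format:
# "<client> -> <server>:<port> <method> <host> <path?query>". The paths come
# from the requests documented above; hosts with no name on the page use the
# placeholder compromised-site.example, the referer= parameter is trimmed,
# and a final unrelated request is added for contrast.
SAMPLE_LOG = """\
10.0.0.5 -> 31.200.243.55:80 GET compromised-site.example /
10.0.0.5 -> 31.200.243.55:80 GET compromised-site.example /banners/www/delivery/ajs.php?zoneid=1&cb=8610467512&charset=iso-8859-1&loc=http%3A//www.psicologia-online.com/
10.0.0.5 -> 103.31.186.40:80 GET seris.biz /20a958bc.js?cp=www.psicologia-online.com
10.0.0.5 -> 69.89.31.213:80 GET kanon-finale.com /public/js/3rd_party/calendar_date_select/locale/0277201945/==wMw1mLiBnb8JTOyATM1YTN3YDO4gMDN89SN0kTMwIzN3IDMvUGbhN2bs9CdjVGblN3XlRXYk9lchRmblxWYj9Se0JXYw9FZyNzLzp2LjlGbiVHcv02bj5SZsFmbpZWLu9mbht2LvoDc0RHa8NnZ
10.0.0.5 -> 69.89.31.213:80 GET kanon-finale.com /public/js/3rd_party/calendar_date_select/locale/0277201945/?f=s&k=4888675651029212
10.0.0.5 -> 69.89.31.213:80 GET kanon-finale.com /public/js/3rd_party/calendar_date_select/locale/0277201945/?f=npb.mp3&k=4888675651029223
10.0.0.5 -> 203.0.113.10:80 GET news.example /index.html
"""

TEN_DIGIT_DIR = re.compile(r'/(\d{10})/([^/?]*)$')   # .../0277201945/<tail>
BASE64ISH = re.compile(r'[A-Za-z0-9+/=]{40,}')       # landing-page path tail


def classify(path, query):
    """Map one request to a DotkaChef chain stage, or 'unclassified'.
    The heuristics are generalised from the single chain above, so treat
    them as a starting point for a rule rather than a finished signature."""
    if path.endswith('/delivery/ajs.php'):
        return 'ad-server script'      # ad tag that carried the injected jjencode
    if re.fullmatch(r'/[0-9a-f]{8}\.js', path) and 'cp' in query:
        return 'redirector'            # answered with the 302 to the exploit domain
    m = TEN_DIGIT_DIR.search(path)
    if m:
        tail = m.group(2)
        if 'k' in query and query.get('f') == ['s']:
            return 'java exploit'
        if 'k' in query and 'f' in query:
            return 'exe payload'       # f=npb.mp3 in this capture
        if BASE64ISH.fullmatch(tail):
            return 'landing page'
    return 'unclassified'


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    client, _arrow, server, method, host, url = line.split()
    ip, port = server.rsplit(':', 1)
    parts = urlsplit(url)
    return {'client': client, 'ip': ip, 'port': int(port), 'method': method,
            'host': host, 'path': parts.path, 'query': parse_qs(parts.query)}


def analyze(log_text):
    """Return the parsed requests, in order, each with a 'stage' field."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        rec['stage'] = classify(rec['path'], rec['query'])
        records.append(rec)
    return records


def chain_iocs(records):
    """Collect (ip, host) indicators per stage, dropping unclassified hits."""
    iocs = {}
    for r in records:
        if r['stage'] != 'unclassified':
            iocs.setdefault(r['stage'], set()).add((r['ip'], r['host']))
    return iocs


if __name__ == '__main__':
    recs = analyze(SAMPLE_LOG)
    for r in recs:
        print(f"{r['stage']:17} {r['ip']:15} {r['host']} {r['path'][:60]}")
    print(chain_iocs(recs))
```

Seeing the stages fire in this order from one client within a few seconds is the pattern worth alerting on; a lone ajs.php hit is just an ad server, and the ten-digit directory or sixteen-digit k= value on its own is too thin to block on without confirming the surrounding chain.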


ANOTHER INFECTION

For comparison, here's another VM infection from another site earlier the same day (2014-01-09):

ASSOCIATED DOMAINS:

CHAIN OF EVENTS:

ARTIFACTS FROM THE TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

Java exploit from 85.93.134.203 port 80 (www.grad.ru):

https://www.virustotal.com/en/file/1fa1be6254afe97b4c16d4ad17493e339616ed76750c5c9e964c4d6c962ec0ab/analysis/1389303190/

File name:  2014-01-09-DotkaChef-java-exploit.jar
File size:  10.5 KB ( 10727 bytes )
MD5 hash:  e9f693dd04b6ebd64f9f7a18daca2387
Detection ratio:  5 / 48
First submitted:  2014-01-09 21:33:10 GMT

Kaspersky identified the Java exploit as CVE-2013-2423, which matches the Contagio list of exploits for the DotkaChef EK (see http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html).

Java archive contents:


EXE payload from 85.93.134.203 port 80 (www.grad.ru):

https://www.virustotal.com/en/file/b7b4d2274bcfc8a9c9c443589d720fa5bbcde3eefbb12f32d777d1d46159b1c3/analysis/1389303108/

File name:  2014-01-09-DotkaChef-EXE-payload.exe
File size:  98.2 KB ( 100537 bytes )
MD5 hash:  0e7df6da243add3c86cdd450e09a0b2d
Detection ratio:  18 / 47
First submitted:  2014-01-09 15:19:37 GMT

Malware information:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
