2014-01-13 - GOON EK USES MSIE EXPLOIT TO DELIVER TROJAN DOWNLOADER

ASSOCIATED FILES:

 

NOTES:

I'd already looked at the Goon EK (Redkit v2.0) in this post, and I ran across it again when browsing scumware.org for compromised websites to generate infection traffic.  Unlike last time, this particular infection used an MSIE exploit to deliver the malware.

In this case, the compromised website was pave-right.co.uk, which had been reported as having a malicious iFrame earlier that day:

Let's look at the traffic...

 

SNORT EVENTS

I used Security Onion with the default signature set to monitor the traffic.  The infected host was a VM running an unpatched installation of Windows 7 SP1 32-bit, IE 8, Adobe Reader 10.0.0, and Java 7 update 4.

 

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS:

INFECTION CHAIN:

 

EXPLOIT TRAFFIC DETAILS

IP address: 194.150.252.94 port 80
domain name: pave-right.co.uk
HTTP request: GET /

Screenshot of traffic:

 

IP address: 176.31.24.102 port 80
domain name: none
HTTP request: GET /post.php?id=3723139643

Screenshot of traffic:

 

IP address: 66.147.244.98 port 80
domain name: doyouknowfitness.com
HTTP request: GET /analyzer1.aspx?function_sum=v&publish=txt&last_app=html

Screenshot of traffic:

 

The image above shows a VML integer overflow, similar to one described in an article on the Malware don't need Coffee blog located here.  That article states Yonathan Klijnsma saw a VML integer overflow used as IE exploit CVE-2013-2551 in November 2013.  I don't know if this is the same exploit, but it's definitely exploiting an Internet Explorer vulnerability.  In the image below, an obfuscated EXE payload is sent with the user agent listed as: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
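As an added example (this is not code from the original post), here is a small Python triage script that walks HTTP request metadata and flags the stages of the chain shown on this page: the post.php?id= redirect served from a bare IP, the .aspx?function_sum= landing page, the /NNN.mp3/NNNN.mp3 EXE fetch carrying the WinHttp.WinHttpRequest.5 user agent, the /sources/.../json/ .txt and .jar pair, and (as a generic heuristic, not Goon-specific) an .exe pulled from a bare IP.  The log records are constructed to mirror the requests on this page; the client IP, the benign decoy request, the record layout (a plain host/URI/user-agent tuple rather than an actual Security Onion or Bro http.log format) and the user agent on the second-stage download, which the page does not show, are all assumptions.

```python
"""Triage HTTP request metadata for the Goon EK chain seen on this page.

Added example, not part of the original post.  Hosts, paths and the
WinHttp user agent come from the post; everything else (client IP, benign
request, record layout, second-stage user agent) is constructed.
"""
import re
from collections import defaultdict

# User agents.  IE_UA is the stock IE 8 / Windows 7 string; WINHTTP_UA is the
# string the page shows on the obfuscated EXE download.
IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_04"
UNKNOWN_UA = "<not shown on the page>"  # placeholder assumption

# Constructed records: (client_ip, host_header, uri, user_agent).
SAMPLE_LOG = [
    ("192.168.1.10", "pave-right.co.uk", "/", IE_UA),
    ("192.168.1.10", "176.31.24.102", "/post.php?id=3723139643", IE_UA),
    ("192.168.1.10", "doyouknowfitness.com",
     "/analyzer1.aspx?function_sum=v&publish=txt&last_app=html", IE_UA),
    ("192.168.1.10", "doyouknowfitness.com", "/927.mp3/1458.mp3", WINHTTP_UA),
    ("192.168.1.10", "doyouknowfitness.com",
     "/sources/201401/json/rarupdater.txt", IE_UA),
    ("192.168.1.10", "doyouknowfitness.com",
     "/sources/201401/json/rarupdater.jar", JAVA_UA),
    ("192.168.1.10", "178.149.185.135", "/mod2/gnomrea.exe", UNKNOWN_UA),
    # Benign decoy: looks vaguely similar but should not match anything.
    ("192.168.1.10", "www.example.com", "/index.php?id=12345", IE_UA),
]

IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(host, uri, user_agent):
    """Return a stage label for one request, or None if it matches nothing.

    Stage names are this script's own; the patterns are lifted from the
    requests shown on the page.
    """
    # Redirector: post.php?id=<digits> on a host with no domain name.
    if re.fullmatch(r"/post\.php\?id=\d+", uri) and IP_LITERAL.match(host):
        return "redirector"
    # Landing page: <name>.aspx with a function_sum= parameter.
    if re.match(r"/[\w-]+\.aspx\?", uri) and "function_sum=" in uri:
        return "landing"
    # EXE payload: two .mp3 path components, fetched via WinHTTP, not the browser.
    if re.fullmatch(r"/\d+\.mp3/\d+\.mp3", uri) and "WinHttp.WinHttpRequest" in user_agent:
        return "exe-payload"
    # Java stage: /sources/YYYYMM/json/<name>.txt or .jar.
    if re.fullmatch(r"/sources/\d{6}/json/[\w-]+\.(?:txt|jar)", uri):
        return "jar-stage"
    # Generic heuristic (not Goon-specific): an .exe from a bare IP.
    if uri.lower().endswith(".exe") and IP_LITERAL.match(host):
        return "exe-from-ip"
    return None


def triage(records):
    """Return [(stage, host, uri)] for every record that matches a stage, in order."""
    hits = []
    for _client, host, uri, ua in records:
        stage = classify(host, uri, ua)
        if stage:
            hits.append((stage, host, uri))
    return hits


def hosts_by_stage(records):
    """Map each stage to the set of hosts that served it (shows the kit host reuse)."""
    out = defaultdict(set)
    for stage, host, _uri in triage(records):
        out[stage].add(host)
    return dict(out)


def winhttp_requests(records):
    """URIs fetched with a WinHttp.WinHttpRequest user agent, regardless of path.

    The browser's own requests carry the IE user agent, so a mid-session
    switch to WinHttp from the same client is a path-independent pivot.
    """
    return [uri for _c, _h, uri, ua in records if "WinHttp.WinHttpRequest" in ua]


def has_full_chain(records):
    """True when redirector, landing page and EXE payload were all observed."""
    seen = {stage for stage, _h, _u in triage(records)}
    return {"redirector", "landing", "exe-payload"} <= seen


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("%-12s %-24s %s" % hit)
    print("hosts by stage:", hosts_by_stage(SAMPLE_LOG))
    print("WinHttp fetches:", winhttp_requests(SAMPLE_LOG))
    print("full chain:", has_full_chain(SAMPLE_LOG))
```

The path patterns are the fragile part, since a kit can rename its landing page and payload paths at will; the user-agent pivot in winhttp_requests is the more durable check, because it keys on the download being made outside the browser session rather than on any string the kit operator chose.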

IP address: 66.147.244.98 port 80
domain name: doyouknowfitness.com
HTTP request: GET /927.mp3/1458.mp3

Screenshot of traffic:

The EXE payload was obfuscated or otherwise encoded, in the same manner as the last time I reviewed the Goon EK.  Characteristics of the decoded file are:

 

Besides the MSIE exploit, the Goon EK domain also sent a .JAR file.  A .JAR file from an exploit kit is normally a Java exploit, but I didn't see any associated malware in the PCAP.

IP address: 66.147.244.98 port 80
domain name: doyouknowfitness.com
HTTP request: GET /sources/201401/json/rarupdater.txt

HTTP request: GET /sources/201401/json/rarupdater.jar

Screenshot of traffic:

Java archive contents:

 

Below is the HTTP GET request for the second-stage malware downloaded by the original EXE payload.

IP address: 178.149.185.135 port 80
domain name: none
HTTP request: GET /mod2/gnomrea.exe

Screenshot of traffic:

Characteristics of the second-stage malware:

 

PRELIMINARY MALWARE ANALYSIS

File name:  2014-01-13-Goon-exploit-EXE-payload.exe
File size:  37.5 KB ( 38416 bytes )
MD5 hash:  1ea8b78e7266a1d32761f2e4cde1c0b7
Detection ratio:  2 / 48
First submission:  2014-01-13 04:44:42 GMT
Malwr analysis:  https://malwr.com/analysis/ZjY4NjQwNThmNGE3NGM0MGE3MjM4YjViOGM0NTUyNzU/
Virus Total:  https://www.virustotal.com/en/file/793ffd7c1f099ac69f0394abc4fb4c6b198c5bd2b2f4ca3c7639622626b332a1/analysis/1389588282/

File name:  2014-01-13-second-stage-download.exe
File size:  826.0 KB ( 845840 bytes )
MD5 hash:  df902d85a5aebee35007be327e9f54d2
Detection ratio:  10 / 47
First submission:  2014-01-13 04:45:05 GMT
Malwr analysis:  https://malwr.com/analysis/MzA3ZWY2MWQ3MzA4NDk1OGE4MGE0ZjQ1YTExYzY1YWQ/
Virus Total:  https://www.virustotal.com/en/file/1a39cf9c36311cda47e9dae0b52b550c866c193b3ce739a18a74111117cf08a0/analysis/1389588305/

File name:  rarupdater.jar
File size:  20.2 KB ( 20646 bytes )
MD5 hash:  c5491fcba22492c92b573590fcf6be3f
Detection ratio:  2 / 47
First submission:  2014-01-10 14:08:41 GMT
Malwr analysis:  https://malwr.com/analysis/ZTEyNTYzZDUzZWU2NDEzNGEyNmVjY2NkZjhiZjU1NWI/
Virus Total:  https://www.virustotal.com/en/file/e65fd0090bd04fb2f239acd1d443879f06c440e745fb0539e4ab53e64e9e2f23/analysis/1389588377/

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
