2014-02-02 - NEUTRINO EK USES CVE-2013-0074 (SILVERLIGHT EXPLOIT)

ASSOCIATED FILES:


NOTES:

I found Neutrino EK using a Silverlight exploit today.  Included are PCAPs for two different infections--one for infection by the Silverlight exploit, and another by the same domain using a Java exploit.

DETAILS

SNORT EVENTS FOR SILVERLIGHT EXPLOIT ON 2014-02-02 (FROM SECURITY ONION)

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS FOR SILVERLIGHT EXPLOIT


CHAIN OF EVENTS FOR SAME MALWARE PAYLOAD USING A JAVA EXPLOIT

NOTE: The chain of events from the compromised web site to the Neutrino EK domain is the same as shown above.  The EXE payload is also the same.


PRELIMINARY MALWARE ANALYSIS

File name:  2014-02-02-Neutrino-EK-silverlight-exploit.xap
File size:  5.1 KB ( 5210 bytes )
MD5 hash:  ce056895e07d2a9d04c5e8db844013ea
Virus Total link:  https://www.virustotal.com/en/file/8bd2cd6a40ad378a974b20e6b0ae49ba4715cd81b96c667c2627f14eab08bc50/analysis/
Detection ratio:  4 / 50
First submitted:  2014-02-02 18:44:37 UTC


File name:  2014-02-02-Neutrino-EK-java-exploit.jar
File size:  18.8 KB ( 19265 bytes )
MD5 hash:  556b926e4fb68e255993696691f8e48b
Virus Total link:  https://www.virustotal.com/en/file/dca6b3d8e2ae52d5994bc052b2d2b566c711b53fc8acbab5856115e022bf4411/analysis/
Detection ratio:  0 / 50
First submitted:  2014-02-01 00:30:13 UTC


File name:  2014-02-02-Neutrino-EK-malware-payload.exe
File size:  266.2 KB ( 272551 bytes )
MD5 hash:  bec79bed374f4853fbd70209ddeab8d6
Virus Total link:  https://www.virustotal.com/en/file/267630f17f204141cf9e1fd4768414e8f738c0e84122692c5b677d9d7cffe68c/analysis/
Detection ratio:  8 / 49
First submitted:  2014-02-02 18:45:02 UTC


POST INFECTION CALLBACK TRAFFIC

The malware gave an error while running from the VM, so I set up a physical host to see what the callback traffic looks like.  On the physical host, the malware copied itself to C:\Users\User-1\AppData\Roaming\Deylro\aqum.exe and updated the following registry key:

Registry key:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name:  Uxwaol
Value data:  C:\Users\User-1\AppData\Roaming\Deylro\aqum.exe
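The Run-key persistence above is the easiest host-side indicator to check for. The PowerShell below is an added example (not part of the original post) that enumerates the per-user and per-machine Run/RunOnce keys, flags any entry that matches the value name or path listed above, and also flags the generic pattern of an autorun executable living under the user's AppData folder. It assumes the copied aqum.exe keeps the same MD5 as the dropped payload (bec79bed374f4853fbd70209ddeab8d6); that is an assumption, not something the post states, so a hash mismatch on its own is not a clean result.

```powershell
# Added example: triage the Neutrino EK payload's Run-key persistence on a live host.
# Assumptions (not from the original post): the copied file keeps the payload's MD5,
# and the value name / path tail below are the IOCs listed above.

$KnownRunValue   = 'Uxwaol'
$KnownPathTail   = '\AppData\Roaming\Deylro\aqum.exe'
$KnownPayloadMd5 = 'bec79bed374f4853fbd70209ddeab8d6'   # assumed to match the copied file

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Emit one object per autorun value, skipping the provider metadata properties.
function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            [pscustomobject]@{
                Key   = $key
                Name  = $prop.Name
                Value = [string]$prop.Value
            }
        }
    }
}

# Score each entry: IOC match on value name, IOC match on path, generic AppData autorun,
# and (if the file still exists) MD5 match against the dropped payload.
function Test-RunKeyEntry {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        # Reduce '"C:\path\x.exe" /args' or 'C:\path\x.exe /args' to the executable path.
        $exe = ($Entry.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $reasons = @()
        if ($Entry.Name -eq $KnownRunValue)             { $reasons += 'value name matches IOC' }
        if ($exe -like "*$KnownPathTail")               { $reasons += 'path matches IOC' }
        if ($exe -match '\\AppData\\(Roaming|Local)\\') { $reasons += 'autorun from user AppData' }
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $md5 = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash.ToLower()
            if ($md5 -eq $KnownPayloadMd5) { $reasons += 'MD5 matches payload' }
        }
        [pscustomobject]@{
            Key        = $Entry.Key
            Name       = $Entry.Name
            Path       = $exe
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Usage: list only the entries that tripped at least one check.
Get-RunKeyEntries | Test-RunKeyEntry | Where-Object Suspicious | Format-Table -AutoSize
```

The "autorun from user AppData" check is deliberately broad; legitimate updaters (chat clients, cloud-sync agents) live there too, so treat it as a lead to review rather than a verdict. The IOC-specific checks are the ones that identify this particular payload, and the value name and directory name here may well be randomized per host, so do not expect Deylro/Uxwaol on every infected machine.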

Here are the snort events generated from the infected physical host:

Some of the callback traffic seen from the infected physical host:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
