2014-02-22 - THREE INFECTION CHAINS FROM ONE COMPROMISED WEB SITE

ASSOCIATED FILES:

NOTES:

CHAIN OF EVENTS

ASSOCIATED DOMAINS

COMPROMISED WEBSITE AND REDIRECTS

FIRST NUCLEAR EK CHAIN

SECOND NUCLEAR EK CHAIN

NEUTRINO EK CHAIN

POST-INFECTION ASPROX-STYLE CALLBACK CAUSED BY NEUTRINO EK INFECTION

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT SEEN FROM NUCLEAR EK

File name:  2014-02-22-Java-exploit-from-Nuclear-EK.jar
File size:  14.5 KB ( 14803 bytes )
MD5 hash:  d46f11e559a7a10f88f3ab2ab5d301a6
Detection ratio:  0 / 50
First submission:  2014-02-22 05:55:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6ff34f2816d72e538ef70ba7ec1fa59212d33c655894d57380e05f1508b6ce5d/analysis/

FIRST MALWARE PAYLOAD FROM NUCLEAR EK

File name:  2014-02-22-malware-payload-from-ksrqm.fieldingclerk.in.net.exe
File size:  40.0 KB ( 40960 bytes )
Detection ratio:  4 / 50
MD5 hash:  eb8d0ec539c5901e3fdbc36e7acd3a03
First submission:  2014-02-22 06:41:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1a7d32e41ea34edf5aec4d11acce2707e9b4e0e175442533070d8e2e7a283ea7/analysis/
Malwr link:  https://malwr.com/analysis/Y2I2MTRlYTk1MDE4NGYwNDhkNzY2YjliZGM0NTM0MmM/

SECOND MALWARE PAYLOAD FROM NUCLEAR EK

File name:  2014-02-22-malware-payload-from-stavl7.fieldingclerk.in.net.exe
File size:  96.3 KB ( 98617 bytes )
MD5 hash:  f1005d691b42b790d6ef05794635b494
Detection ratio:  2 / 49
First submission:  2014-02-22 06:42:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/17726206a359f9870f44a292e0fbb5d923fe6b65c3b3800df85d0b6357eddd26/analysis/
Malwr link:  https://malwr.com/analysis/YjE4OTc5ZWExNGY1NGIyZWI3ODgxYjc4Y2RhNjM4YTQ/

NEUTRINO EK SILVERLIGHT EXPLOIT - CVE-2013-0074

File name:  2014-02-22-silverlight-exploit-from-eikohhou.tieshuwo.com.xap
File size:  14.8 KB ( 15116 bytes )
MD5 hash:  b665305f06d19cb26417e9937ca98725
Detection ratio:  1 / 50
First submission:  2014-02-18 16:09:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1bd4e67c21f51b6f6cbf29e487ef21aa0294a8c3ad270c5a2c4fbd5eba17c73b/analysis/

NEUTRINO EK MALWARE PAYLOAD

File name:  2014-02-22-Neutrino-malware-payload-from-eikohhou.tieshuwo.com.exe
File size:  83.3 KB ( 85305 bytes )
MD5 hash:  6b1bc984c802cd75a0edd63a83a11806
Detection ratio:  4 / 49
First submission:  2014-02-22 05:38:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/744a045ec779ad93f2d993bdab773b19aca7fa8cc067624258a24da5151a977d/analysis/

FOLLOW-UP MALWARE FROM APPDATA\LOCAL\TEMP AFTER ASPROX-STYLE CALLBACK

File name:  UpdateFlashPlayer_02e6195c.exe
File size:  286.6 KB ( 293462 bytes )
MD5 hash:  0804f25e23282729225645fbace197ed
Detection ratio:  13 / 48
First submission:  2014-02-22 07:56:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fe257a8413b0f8dd26e6e7a9296c7bc8500b8e66127111bcd134756b08e5ef8e/analysis/

SNORT EVENTS

SNORT EVENTS FOR THIS TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

Malicious JavaScript within the infected web page - afghanchopankebab.ca/reviews/

Redirects - ezdomainset.net/zxzzzzzdddff/?id=mx  and  wu3.zuxixamydu.com/zyso.cgi?18

Nuclear EK delivers MSIE exploit CVE-2013-2551 - ksrqm.fieldingclerk.in.net/2972269660/1393019820.htm


NOTE: Exploit traffic from both of the Nuclear EK domains looked identical.

MSIE exploit CVE-2013-2551 delivers EXE payload - ksrqm.fieldingclerk.in.net/f/1393019820/2972269660/5


NOTE 1: The other Nuclear EK domain delivered a different exploit, but it had the same file name.
NOTE 2: I normally don't see EXE payloads gzip-compressed like this over the network.

Neutrino EK delivers Silverlight exploit CVE-2013-0074 - eikohhou.tieshuwo.com:8000/kcsna?fawgtuon=wcveusqyl

Silverlight exploit CVE-2013-0074 delivers EXE payload - eikohhou.tieshuwo.com:8000/entlc?fkdyemuvkkzr=wcveusqyl


NOTE: This EXE file was sent as a binary XOR-ed with the ASCII string: ocdp

Asprox-style callback for more malware - 212-lithium.com/libq39.45/jquery/


NOTE: Identified as exe.exe in 200 OK header but saved as UpdateFlashPlayer_02e6195c.exe
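The three notes above describe three ways the EXE payloads in this traffic were harder to pull straight out of a pcap than usual: the Nuclear EK payload was gzip-compressed on the wire, the Neutrino EK payload was XOR-ed with the ASCII key "ocdp", and the Asprox-style callback declared one file name in its response headers while the file landed on disk under another. The following Python is an added example written for this write-up, not code from the author or from any tool named here; it recovers a payload from a raw HTTP response by undoing gzip content encoding and repeating-key XOR, confirms the result with an MZ/PE header check, and pulls the server-declared file name out of Content-Disposition so it can be compared with the name actually saved. Every capture it processes is a constructed stand-in (FAKE_EXE, build_response and the three *_RESPONSE constants are all assumptions), not the real traffic from this infection.

```python
"""Recover EXE payloads from captured HTTP responses (added example).

Handles gzip content encoding, repeating-key XOR, and a Content-Disposition
file name that differs from the name the sample was saved under.
"""
import gzip
from itertools import cycle
from typing import Dict, Optional, Tuple

# Constructed stand-in for a Windows executable: only the "MZ" magic, the
# e_lfanew pointer at 0x3C and the "PE\0\0" signature are meaningful.
FAKE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 56      # DOS header up to e_lfanew
    + b"\x40\x00\x00\x00"             # e_lfanew = 0x40
    + b"PE\x00\x00"                   # PE signature at offset 0x40
    + b"constructed-sample-body"
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Structural check: MZ magic plus a PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def split_http_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw response at the first blank line into a header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def declared_filename(headers: Dict[str, str]) -> Optional[str]:
    """File name the server declared in Content-Disposition, if any."""
    for part in headers.get("content-disposition", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "filename":
            return value.strip().strip('"')
    return None


def recover_payload(raw: bytes, xor_key: Optional[bytes] = None) -> bytes:
    """Undo gzip content encoding and, when a key is given, repeating-key XOR."""
    headers, body = split_http_response(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    if xor_key is not None:
        body = xor_with_key(body, xor_key)
    return body


def build_response(body: bytes, extra: Dict[str, str]) -> bytes:
    """Assemble a constructed 200 OK response around a body (test data only)."""
    lines = ["HTTP/1.1 200 OK", f"Content-Length: {len(body)}"]
    lines += [f"{k}: {v}" for k, v in extra.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# Constructed captures modelled on the three notes in the write-up.
GZIPPED_RESPONSE = build_response(
    gzip.compress(FAKE_EXE),
    {"Content-Type": "application/octet-stream", "Content-Encoding": "gzip"},
)
XORED_RESPONSE = build_response(
    xor_with_key(FAKE_EXE, b"ocdp"),
    {"Content-Type": "application/octet-stream"},
)
CALLBACK_RESPONSE = build_response(
    FAKE_EXE,
    {"Content-Type": "application/octet-stream",
     "Content-Disposition": 'attachment; filename="exe.exe"'},
)


def analyse(saved_name: str = "UpdateFlashPlayer_02e6195c.exe") -> Dict[str, object]:
    """Run the three constructed captures through the recovery logic."""
    cb_headers, _ = split_http_response(CALLBACK_RESPONSE)
    declared = declared_filename(cb_headers)
    return {
        "gzip_body_is_pe_before": looks_like_pe(split_http_response(GZIPPED_RESPONSE)[1]),
        "gzip_body_is_pe_after": looks_like_pe(recover_payload(GZIPPED_RESPONSE)),
        "xor_body_is_pe_before": looks_like_pe(split_http_response(XORED_RESPONSE)[1]),
        "xor_body_is_pe_after": looks_like_pe(recover_payload(XORED_RESPONSE, b"ocdp")),
        "callback_declared_name": declared,
        "callback_name_mismatch": declared != saved_name,
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

The MZ/PE check is what tells you the decoding guess was right: a gzip body starts with 0x1f 0x8b and an XOR-ed body starts with "MZ" XOR "oc", so neither passes until the transformation is undone. On a real capture, feed the exported HTTP object to recover_payload and try the XOR key only when the unencoded body fails looks_like_pe.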

Some of the click-fraud traffic to various search engines

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.