2014-03-01 - NEUTRINO EK USES SILVERLIGHT EXPLOIT

ASSOCIATED FILES:

NOTES:

This window popped up in an infected VM a few minutes after the Neutrino EK events were generated:

Coincidence?  I think not.  Let's look at the traffic...


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC


PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-03-01-Neutrino-EK-silverlight-exploit.xap
File size:  14.5 KB ( 14885 bytes )
MD5 hash:  7f510e9a1f25469b69899a29e75d5bf9
Detection ratio:  0 / 43
First submission:  2014-03-01 06:45:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/23b815328b4b73cc7f7678ba43c0ac462a840909041111a4d10c32fda9887bac/analysis/


MALWARE PAYLOAD

File name:  2014-03-01-Neutrino-EK-malware-payload.exe
File size:  256.5 KB ( 262656 bytes )
MD5 hash:  707e83487838a307b1504ecb2074ce2e
Detection ratio:  19 / 50
First submission:  2014-03-01 01:35:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c0c364e6f27cdad877bdce7ddad3bab6ddb0bf9f03f65177f0c3f13d359188be/analysis/
Malwr link:  https://malwr.com/analysis/MWJlNDgxYTVmYjM1NDQ2N2JlZjAzZmI5ZDQwNzZjMGY/


SNORT EVENTS

SNORT EVENTS FOR NEUTRINO EK TRAFFIC (FROM SECURITY ONION)


HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in the infected web page - adelaidecommercialrealestate.com.au/


Redirect - diablo3keygen.net/redirect.php


Neutrino EK delivers Silverlight exploit - chaongoi.fingieng.com:8000/avlqb?svrqbv=dplyqyswcvn


Silverlight exploit delivers EXE payload - chaongoi.fingieng.com:8000/kmoaigcvdcpca?sxzvnn=dplyqyswcvn


NOTE: This EXE file was XOR-ed with the ASCII string: gmxy
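As an added example (not code from the original post), here is how an analyst can strip that repeating-key XOR layer from the captured download and confirm the result is PE-shaped before handing it to a sandbox or AV; the key "gmxy" is the one stated above, while the sample blob is a constructed fake PE header, not the real payload:

```python
# Added example: decode a payload XOR-ed with the repeating ASCII key "gmxy"
# (as noted in the writeup) and sanity-check that the output looks like a
# Windows executable (MZ magic, PE signature at e_lfanew).
import struct

KEY = b"gmxy"  # key stated in the traffic notes


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, cycling through its bytes.
    XOR is its own inverse, so one function both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' DOS magic and 'PE\\0\\0' at the offset
    stored in e_lfanew (little-endian DWORD at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes, key: bytes = KEY) -> bytes:
    """Decode with the key and refuse anything that is not PE-shaped, so a
    wrong key or a truncated capture is caught immediately."""
    decoded = xor_repeating_key(blob, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not PE-shaped: wrong key or truncated capture?")
    return decoded


def build_sample_blob() -> bytes:
    """Constructed stand-in for the captured download: a minimal fake PE
    header (DOS header with e_lfanew=0x40, then the PE signature) XOR-ed
    with KEY. This is NOT the real payload from the writeup."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    fake_pe = bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20
    return xor_repeating_key(fake_pe, KEY)


if __name__ == "__main__":
    recovered = decode_payload(build_sample_blob())
    print("MZ header recovered:", recovered[:2] == b"MZ")
```

On a real capture, read the HTTP response body from the pcap into `blob` and write `decode_payload(blob)` to disk for hashing and submission.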


Example of the post-infection callback traffic - qustats.net/C4M4R0N3ZP3/order.php?id=2562313


After the infection, a window popped up stating the host had a critical disk error:


This program wanted to make changes to the infected host:


It matches this newly created entry under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.