2014-03-04 - HELLO EXPLOIT KIT

ASSOCIATED FILES:

NOTES:

On Monday 2014-03-03, the Sourcefire VRT (now Talos Intelligence) blog posted an entry about a new exploit kit named Hello EK.

I was lucky enough to catch the article that same day.  Based on the VRT blog, I searched URLquery.net and found a hit on a similar traffic pattern for the Hello EK landing page.

I infected a VM using a temporary web page as referer to the Hello EK domain.  When I infected the VM, there were no Hello EK-specific signatures for my Security Onion setup; however, that should change after the ET signature set is updated.  Even without a Hello EK signature, this activity triggered other ET rules.

Let's look at the infection traffic...

CHAIN OF EVENTS

ASSOCIATED DOMAIN

mahsms.ir - Hello EK

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT CVE-2013-2465 (from the Java cache of the infected host):

File name:  java-exploit-from-mahsms.ir.jar
File size:  6.8 KB ( 6989 bytes )
MD5 hash:  0802e5a27c667cdbab1b35f93eaa7a58
Detection ratio:  4 / 50
First submission:  2014-03-04 03:52:04 UTC
VirusTotal link: https://www.virustotal.com/en/file/ef609440751c1880755dc6a06a9e1a33982cc6f62eab0f25243d60a22ba30452/analysis/

MALWARE PAYLOAD (from the user's AppData\Local\Temp folder):

File name:  ntsys391.exe
File size:  232.0 KB ( 237568 bytes )
MD5 hash:  545244ffcfa9493d130979a11370f0fd
Detection ratio:  25 / 50
First submission:  2014-03-02 02:22:35 UTC
VirusTotal link: https://www.virustotal.com/en/file/164de09635532bb0a4fbe25ef3058b86dac332a03629fc91095a4c7841b559da/analysis/
Malwr link: https://malwr.com/analysis/MGVlMDE4YjllMWY4NDc3Yjg4ZmYyZmRkNjJlNTNjYmI/

SNORT EVENTS

SNORT EVENTS FOR HELLO EK TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

First HTTP GET request to Hello EK domain - mahsms.ir/wp-includes/pomo/dtsrc.php

Information sent about infected computer - mahsms.ir/wp-includes/pomo/dtsrc.php?a=h1&f=76f8783379f1a766117d46a45ca298e1&u=Mozilla%2F5.0%20(compatible%3B%20MSIE%209.0%3B%20Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F5.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0)

The u= parameter is the percent-encoded User-Agent string, which decodes to: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Hello EK prepares delivery of Java exploit - mahsms.ir/wp-includes/pomo/dtsrc.php?a=h2

The base64 code shown above translates to the following text:

Hello EK delivers Java exploit CVE-2013-2465 - mahsms.ir/wp-includes/pomo/dtsrc.php?a=r2

NOTE: The Java exploit seen here (a .JAR file) is encrypted or otherwise obfuscated.

Java exploit CVE-2013-2465 delivers EXE payload - mahsms.ir/wp-includes/pomo/dtsrc.php?a=dwe

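Added example (not part of the original post): Python that reconstructs the Hello EK request sequence shown above from proxy-style HTTP log lines, keying on the dtsrc.php path and the a= stage parameter, and decodes the percent-encoded User-Agent sent in the h1 request. The log line format and the sample lines are constructed for this example; only the domain, path and parameter values are taken from the traffic on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Hello EK stages seen on this page, in order, keyed by the 'a=' query parameter:
# h1 = victim fingerprint (f= id, u= User-Agent), h2 = exploit delivery prepared,
# r2 = Java exploit (CVE-2013-2465 JAR) delivered, dwe = EXE payload downloaded.
HELLO_EK_STAGES = ("h1", "h2", "r2", "dwe")
LANDING_PATH = "/wp-includes/pomo/dtsrc.php"  # path from the capture; host is not required to match
# Constructed log format for this example: "<timestamp> <client_ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

def parse_request(line):
    """Return (client, host, stage, params) for a request to the EK path, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    if "://" not in url:          # proxy logs often omit the scheme
        url = "http://" + url
    parts = urlsplit(url)
    if parts.path != LANDING_PATH:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}  # values are percent-decoded
    stage = params.get("a", "landing")   # the first GET carries no 'a=' parameter
    return m.group("client"), parts.hostname, stage, params

def reconstruct_chains(lines):
    """Group EK requests per client and record how far each infection chain progressed."""
    chains = {}
    for line in lines:
        hit = parse_request(line)
        if hit is None:
            continue
        client, host, stage, params = hit
        entry = chains.setdefault(client, {"host": host, "stages": [], "ua": None})
        entry["stages"].append(stage)
        if stage == "h1" and "u" in params:
            entry["ua"] = params["u"]    # decoded User-Agent the victim reported about itself
    for entry in chains.values():
        seen = set(entry["stages"])
        entry["payload_delivered"] = "dwe" in seen
        entry["full_chain"] = all(s in seen for s in HELLO_EK_STAGES)
    return chains
# Constructed sample lines; domain, path and parameter values mirror the page's capture.
SAMPLE_LOG = """\
2014-03-04T10:00:01 192.168.1.5 GET mahsms.ir/wp-includes/pomo/dtsrc.php
2014-03-04T10:00:02 192.168.1.5 GET mahsms.ir/wp-includes/pomo/dtsrc.php?a=h1&f=76f8783379f1a766117d46a45ca298e1&u=Mozilla%2F5.0%20(compatible%3B%20MSIE%209.0%3B%20Windows%20NT%206.1)
2014-03-04T10:00:03 192.168.1.5 GET mahsms.ir/wp-includes/pomo/dtsrc.php?a=h2
2014-03-04T10:00:05 192.168.1.5 GET mahsms.ir/wp-includes/pomo/dtsrc.php?a=r2
2014-03-04T10:00:09 192.168.1.5 GET mahsms.ir/wp-includes/pomo/dtsrc.php?a=dwe
""".splitlines()
```

Any client that reaches the dwe stage has pulled the EXE payload and should be triaged as infected, not merely exposed to the landing page.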
FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
