2014-03-05 - GATE/REDIRECT URLS LEAD TO GOON/INFINITY EK

ASSOCIATED FILES:

SUMMARY

From a blog entry about compromised web servers running OptimizePress, I found a pattern for gates/redirect URLs leading to Goon/Infinity EK.

INTRODUCTION

On 17 Jan 2014, Sucuri posted a blog entry about an OptimizePress vulnerability being mass infected:

The article has an example of a malicious iframe pointing to gezidotojyk.org/ohui.cgi?19.  On urlquery.net, you'll notice an interesting pattern when searching for the .cgi?19 portion of that malicious URL:

After more searching, I found a trend of suspicious URLs with the pattern something.something.something/[3 or 4 letters].cgi?19 from the 64.120.137.0/24 address block.  I've compiled a list into a CSV file saved as a ZIP archive (available above, or here).

Those links don't need a referer.  At first, I thought these were links from malspam or phishing emails; however, after discussing the issue with other analysts, it appears these links are acting as a gate/redirect that leads to Goon/Infinity EK.
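As an added example (not part of the original post), here is a small Python check that applies the gate URL shape described above to proxy log lines: a multi-label hostname, a 3- or 4-letter script name ending in .cgi, and the query string "19", with a higher confidence when the destination IP falls inside 64.120.137.0/24.  The log format, the client IPs and all destination IPs are constructed for the example; the hostname rule is relaxed to "two or more labels" so the gezidotojyk.org example from the Sucuri article also matches, whereas the post's own pattern shows three.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Gate URL shape from the post: [host]/[3 or 4 letters].cgi?19
GATE_PATH_RE = re.compile(r"^/[a-z]{3,4}\.cgi$")
GATE_QUERY = "19"
GATE_NETBLOCK = ipaddress.ip_network("64.120.137.0/24")  # address block named in the post


def is_gate_url(url: str) -> bool:
    """True if url has the gate/redirect shape described in the post."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    if len(labels) < 2 or not all(labels):       # need at least two non-empty labels
        return False
    return bool(GATE_PATH_RE.match(parts.path)) and parts.query == GATE_QUERY


def in_gate_netblock(ip: str) -> bool:
    """True if ip is inside the 64.120.137.0/24 block."""
    try:
        return ipaddress.ip_address(ip) in GATE_NETBLOCK
    except ValueError:
        return False


def scan_proxy_log(lines):
    """Return (client_ip, url, confidence) for requests matching the gate shape.

    confidence is "high" when the destination IP is also in the netblock,
    "medium" when only the URL shape matches.  Assumed (constructed) log
    format: <timestamp> <client_ip> <dest_ip> <url>.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, dest_ip, url = fields[:4]
        if not is_gate_url(url):
            continue
        conf = "high" if in_gate_netblock(dest_ip) else "medium"
        hits.append((client, url, conf))
    return hits


# Constructed sample log: the gate hostnames are the ones quoted in the post,
# the timestamps, client IPs and destination IPs are made up for the example.
SAMPLE_LOG = """\
2014-03-05T10:01:02Z 10.0.0.5 64.120.137.10 0eq.kocewulum.net/zyso.cgi?19
2014-03-05T10:01:05Z 10.0.0.5 198.51.100.7 www.example.com/index.html
2014-03-05T10:02:11Z 10.0.0.9 203.0.113.20 gezidotojyk.org/ohui.cgi?19
2014-03-05T10:03:40Z 10.0.0.9 64.120.137.33 example.org/search.cgi?19
2014-03-05T10:04:00Z 10.0.0.12 64.120.137.33 something.example.net/abcd.cgi?20
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The last two sample lines are there to show the shape is deliberately narrow: a six-letter script name and a different query value are not flagged even though the destination IP is in the block, so a netblock-only rule would be a separate, noisier check.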

Let's take a look at the traffic...


CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC


PRELIMINARY MALWARE ANALYSIS

CVE-2013-0074 SILVERLIGHT EXPLOIT

File name:  gzscanner.xap
File size:  9.1 KB ( 9369 bytes )
MD5 hash:  b756f5a32b6e0efed2f556dd3af8b671
Detection ratio:  22 / 46
First submission:  2014-02-20 12:23:20 UTC
VirusTotal link: https://www.virustotal.com/en/file/e9fddc86b5c32d78f9d328b5d59496d17e94b9828873520127a16bdfbda0daae/analysis/


JAVA EXPLOIT

File name:  gzscanner.jar
File size:  10.3 KB ( 10562 bytes )
MD5 hash:  1daaf8bad4ff2d200e2a959eb7ed26c4
Detection ratio:  3 / 50
First submission:  2014-03-05 04:33:35 UTC
VirusTotal link: https://www.virustotal.com/en/file/9881952d5f635a21f90701b8be3febd76e77d1ac587d64535ad21fbd5d933f72/analysis/


MALWARE PAYLOAD

File name:  2014-03-05-Goon-EK-malware-payload.exe
File size:  118.0 KB ( 120832 bytes )
MD5 hash:  e7dd471814c217dde7199c13c82fea3b
Detection ratio:  1 / 50
First submission:  2014-03-04 23:37:17 UTC
VirusTotal link: https://www.virustotal.com/en/file/3c36aece16f53f30cd0b60fefadfebb622ce505b0224cc0469af2db7a97bff2b/analysis/
Malwr link: https://malwr.com/analysis/YjkyY2FlNGJlOTAzNDk5MTlhODk2NzQwZTY0YWQ5OTI/


SNORT EVENTS

SNORT EVENTS FOR THIS INFECTION TRAFFIC (from Security Onion)


HIGHLIGHTS FROM THE TRAFFIC

URL that redirects to the EK - 0eq.kocewulum.net/zyso.cgi?19


First HTTP GET request to the Goon/Infinity EK domain -
scbreclav.cz/7/html/action/836219366.aspx?callback-lid=8457&my_build=74B22DF1&object-seed=232BB27A891CC158AD4AECE4EB5CC4

I've omitted large chunks of this to focus on the interesting parts.  For example, here's part of the HTML that looks similar to MSIE exploit CVE-2013-2551 traffic I've seen in the past:

Here's the tail end of that TCP stream:


Goon/Infinity EK delivers CVE-2013-0074 Silverlight exploit - scbreclav.cz/gzscanner.xap


Silverlight exploit delivers EXE payload - scbreclav.cz/34033125.mp3


This malware payload is XOR-ed with the ASCII string m3S4V.
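As an added example (not part of the original post), the following Python shows the two things an analyst does with a download like the .mp3 above: strip a repeating XOR key, and recover that key in the first place from the known start of a Windows executable.  It assumes the XOR starts at byte 0 of the file and that the key is the 5-byte string m3S4V named above.  The "payload" it works on is a constructed stand-in: a minimal fake MZ/PE header, obfuscated with the same key, rather than the real sample.

```python
from itertools import cycle

XOR_KEY = b"m3S4V"  # key string named in the post

# First bytes of a typical MZ/DOS header: e_magic "MZ", e_cblp 0x0090, e_cp 0x0003.
# Used as known plaintext for key recovery; its length must equal the key length.
MZ_PREFIX = b"MZ\x90\x00\x03"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call encodes and decodes)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(encoded: bytes, known_prefix: bytes = MZ_PREFIX) -> bytes:
    """Recover a repeating XOR key of len(known_prefix) bytes, assuming the
    plaintext begins with known_prefix (known-plaintext attack on the key)."""
    if len(encoded) < len(known_prefix):
        raise ValueError("not enough data to recover the key")
    return bytes(e ^ p for e, p in zip(encoded, known_prefix))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded blob: MZ magic and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew < len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes):
    """Recover the key from the MZ header, decode, and report whether the result
    looks like a PE file.  Returns (key, decoded, is_pe)."""
    key = recover_xor_key(blob)
    decoded = xor_bytes(blob, key)
    return key, decoded, looks_like_pe(decoded)


# Constructed fake executable: DOS header with e_lfanew = 0x40 pointing at "PE\0\0".
FAKE_PE = (MZ_PREFIX + b"\x00" * (0x3C - len(MZ_PREFIX))
           + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20)

# Constructed stand-in for the obfuscated download (NOT the real 34033125.mp3).
OBFUSCATED_SAMPLE = xor_bytes(FAKE_PE, XOR_KEY)

if __name__ == "__main__":
    key, decoded, is_pe = decode_payload(OBFUSCATED_SAMPLE)
    print("recovered key:", key, "PE header valid:", is_pe)
```

Key recovery works here because the post already tells us the key length; when it is unknown, repeat recover_xor_key with known prefixes of several lengths and keep the one for which looks_like_pe() succeeds on the decoded output.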


Goon/Infinity EK delivers Java exploit - scbreclav.cz/gzscanner.jar


NOTE: This exploit didn't deliver a malware payload.


Post-infection callback traffic.  Notice the HTTP GET requests for mc.php.


Those URLs ending in mc.php returned the public IP address of the infected host:


The other callback traffic has spoofed user-agent strings in the HTTP request headers.  For example:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
