2014-03-09 - TWO EXAMPLES OF FIESTA EK TRAFFIC - ONE FAILED, THE OTHER SUCCESSFUL

ASSOCIATED FILES:

NOTES:

With a few exceptions, the Fiesta EK traffic I've seen for the past several months generally falls into two categories:

In the past week or so, I haven't found many examples of Fiesta EK to in.ua domains.  Even with the few leads I've gotten, I haven't been able to infect a VM.  I've had more success with Fiesta EK traffic to hopto.org.

This blog entry shows examples I've seen lately: failed Fiesta EK infection chains to in.ua and successful ones to hopto.org.

 

UNSUCCESSFUL FIESTA EK INFECTION CHAIN TO [RANDOM PREFIX].IN.UA

ASSOCIATED DOMAINS

CHAIN OF EVENTS

 

EMERGING THREATS SNORT SIGNATURE HITS (from Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

JavaScript on the page from the infected web server - www.electriciantalk.com/f30/explain-120-208v-7538/

 

Redirect to the Fiesta EK domain - teleleksi.com/oqsikjzyh.js?7bd5df4620529f4d

 

Traffic made it to the Fiesta EK landing page; however, the next HTTP GET request returned a 404 Not Found, and no further EK traffic was noted.

 

SUCCESSFUL FIESTA EK INFECTION CHAIN TO [RANDOM PREFIX].HOPTO.ORG

ASSOCIATED DOMAINS

POST-INFECTION CALLBACK DOMAINS:

INFECTION CHAIN OF EVENTS

POST-INFECTION CALLBACK TRAFFIC

NOTE: The malware payload didn't properly run in the VM, so I moved it to a physical host and ran it from the AppData\Local\Temp folder.

 

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name:  2014-03-09-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7440 bytes )
MD5 hash:  8ac637b3170492da2dd35148b1b85b03
Detection ratio:  0 / 50
First submission:  2014-03-09 18:16:51 UTC
VirusTotal link: https://www.virustotal.com/en/file/3c4a475c7bf334eff3baed3adfad18dae63df8fa925630478b9eedbd94f351d5/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-03-09-Fiesta-EK-silverlight-exploit.xap
File size:  5.0 KB ( 5109 bytes )
MD5 hash:  57fa05107118a89590449dc55d715bc2
Detection ratio:  6 / 49
First submission:  2014-03-09 18:17:05 UTC
VirusTotal link: https://www.virustotal.com/en/file/c9fb7cbbc084f64ec44cd93eb294920cf801f37bfca42d37f5d7dd0aaa83fedb/analysis/

 

MALWARE PAYLOAD

Saved to the user's AppData\Local\Temp folder as: 01394381425253.exe
File name:  2014-03-09-Fiesta-EK-malware-payload.exe
File size:  108.0 KB ( 110592 bytes )
MD5 hash:  114592e7c29d7828c8295a364ef0488a
Detection ratio:  5 / 50
First submission:  2014-03-09 18:17:25 UTC
VirusTotal link: https://www.virustotal.com/en/file/f18d369dafce181cd083ca56eefb6ff8c77a6ca8634156c4fa4bb4831403e936/analysis/
Malwr link: https://malwr.com/analysis/OWU5OGMzNTY3OTcxNGUwYmJlOGQ3NTQ2ZjNmNTcyYTY/

 

SNORT EVENTS

SNORT EVENTS FOR INFECTION TRAFFIC (from Sguil on Security Onion)

 

HIGHLIGHTS FROM THE TRAFFIC

JavaScript on the page from the infected web server that generates the request to the Fiesta EK domain:
www.disclose.tv/action/viewvideo/168328/Power_in_Kiev_has_nothing_to_do_with_democracy_Vitaly_Churkin__RT

 

Fiesta EK delivers Silverlight exploit:
dllumfqd.hopto.org/y2x3wz6/?75692c83f62e483f4459400200580a0501040f02060108080206075a0b51080b;5110411

 

Fiesta EK delivers Java exploit:
dllumfqd.hopto.org/y2x3wz6/?12668e96ba51ad8e5e5d540d0a5e0b0007030f0d0c07090d0401075501570857

 

Java exploit delivers EXE payload:
dllumfqd.hopto.org/y2x3wz6/?76db085318e4f7dc544e01590203070501075d59045a050802055501090a050b;1;4


This same payload was also delivered separately by an MSIE exploit.

 

Malware does an HTTP GET request to www.google.com to check for connectivity:

 

Malware does an HTTP POST to callback domain aaukqiooaseseuke.org:

 

More callback traffic by the malware...  Notice the user agent indicates this is Firefox version 17; however, no Firefox browser was installed on this host:
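Added example, not part of the original post: a small Python triage script that pulls Fiesta-EK-shaped requests (the short path segment plus 64-hex-character token with optional ";" fields seen above) out of proxy log lines, tells a completed chain from one that died on a 404 like the in.ua case, and flags callback traffic whose user agent claims a browser the client does not have, as with the Firefox 17 string above. The log layout, client IPs, the in.ua tokens and the Firefox user-agent string are constructed; the hopto.org URIs are the ones shown in this post.

```python
import re
from collections import defaultdict, namedtuple
# Shape of the Fiesta EK URIs observed in this post: short alphanumeric path segment, "?",
# a 64-hex token, then optional ";"-separated fields (";5110411" Silverlight, ";1;4" payload).
FIESTA_URI = re.compile(r"^/[a-z0-9]{5,10}/\?[0-9a-f]{64}(?:;\d+)*$")
# Constructed proxy-log layout (not the post's): src host method uri status user-agent
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (.*)$")
UA_FAMILY = re.compile(r"(Firefox|Chrome|MSIE)")
Req = namedtuple("Req", "src host method uri status ua")

def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    return Req(*m.groups()[:4], int(m.group(5)), m.group(6))

def fiesta_chains(lines):
    """Per EK host: request count, whether the chain completed, index of first 404."""
    chains = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if FIESTA_URI.match(rec.uri):
            chains[rec.host].append(rec.status)
    # A 404 on a later request is the failed in.ua pattern described above.
    return {host: {"requests": len(st),
                   "successful": len(st) > 1 and all(s == 200 for s in st),
                   "first_404": next((i for i, s in enumerate(st) if s == 404), None)}
            for host, st in chains.items()}

def ua_mismatches(lines, installed):
    """(host, browser) pairs where the claimed browser is not installed on the client."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        fam = UA_FAMILY.search(rec.ua)
        if fam and fam.group(1) not in installed.get(rec.src, set()):
            out.append((rec.host, fam.group(1)))
    return out

# Constructed sample log: the in.ua chain dies with a 404, the hopto.org chain completes.
MSIE = "Mozilla/4.0 (compatible; MSIE 8.0)"
FF17 = "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"  # constructed
SAMPLE_LOG = [
    f"10.0.0.5 teleleksi.com GET /oqsikjzyh.js?7bd5df4620529f4d 200 {MSIE}",
    f"10.0.0.5 abcdefgh.in.ua GET /k4m2xq9/?{'ab' * 32} 200 {MSIE}",
    f"10.0.0.5 abcdefgh.in.ua GET /k4m2xq9/?{'cd' * 32};5110411 404 {MSIE}",
    f"10.0.0.6 dllumfqd.hopto.org GET /y2x3wz6/?75692c83f62e483f4459400200580a0501040f02060108080206075a0b51080b;5110411 200 {MSIE}",
    f"10.0.0.6 dllumfqd.hopto.org GET /y2x3wz6/?12668e96ba51ad8e5e5d540d0a5e0b0007030f0d0c07090d0401075501570857 200 {MSIE}",
    f"10.0.0.6 dllumfqd.hopto.org GET /y2x3wz6/?76db085318e4f7dc544e01590203070501075d59045a050802055501090a050b;1;4 200 {MSIE}",
    f"10.0.0.6 aaukqiooaseseuke.org POST / 200 {FF17}",
]
```

Calling fiesta_chains(SAMPLE_LOG) reports the hopto.org chain as successful and the in.ua chain as failed at its second request, and ua_mismatches(SAMPLE_LOG, {"10.0.0.5": {"MSIE"}, "10.0.0.6": {"MSIE"}}) flags the callback to aaukqiooaseseuke.org.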

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
