2014-03-22 - FIESTA EK - COMPARING HOW SILVERLIGHT AND JAVA DELIVER THE SAME MALWARE

ASSOCIATED FILES:

NOTES:

The Silverlight exploit sent its malware payload through one HTTP GET request that returned an octet-stream of 1,643,332 bytes.  This is somewhat large for a malware payload, and I couldn't find an artifact of that size on the infected VM.  To compare, I infected a VM from the same referer/Fiesta EK using only Java.

The Java exploit sent its malware payload through two HTTP GET requests.  These HTTP GET requests returned two octet-streams: one at 729,856 bytes and the other at 913,665.  That's a total of 1,643,521 bytes--less than 200 bytes difference from the Silverlight payload.  I saw the same artifacts on both infected VMs, so I'm assuming the Silverlight exploit bundled the two files in a single 1.6 MB octet-stream.

Places like Malware Don't Need Coffee show larger-than-normal payload sizes (1 MB or more) sent by the Silverlight exploit, but I didn't realize this single octet-stream ended up as two different EXE files.

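One way to check this kind of observation directly, instead of inferring it from byte counts, is to carve the exported octet-stream body for embedded PE files and hash each one.  The script below is an added example and is not part of the original post.  It assumes you have already saved the HTTP response body to a file (for instance with Wireshark's Export Objects); the sample blob it builds is constructed test data (two minimal, non-executable PE32 stubs with a stray "MZ" in front), not the Fiesta EK payload.  The carver is general: it walks every "MZ" candidate, validates the PE signature, and derives each file's on-disk length from its section table, so a single 1.6 MB stream that contains two executables comes back as two offsets, two sizes and two MD5 hashes that can be compared against the values in the analysis section.

```python
"""Carve PE executables out of a raw HTTP octet-stream body (added example)."""
import hashlib
import struct
import sys


def pe_image_size(blob: bytes, off: int):
    """Return the on-disk size of the PE file that starts at blob[off],
    derived from its section table, or None if no parseable PE header is there.
    Appended overlay data (past the last section) is not included."""
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or len(blob) < pe + 24 or blob[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]       # COFF SizeOfOptionalHeader
    sec_table = pe + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    if len(blob) < sec_table + 40 * num_sections:
        return None
    size = sec_table + 40 * num_sections - off                  # at least the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each section header
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec_table + 40 * i + 16)
        size = max(size, raw_ptr + raw_size)
    return size


def carve_pe(blob: bytes):
    """Locate every PE file in blob; returns a list of dicts with offset, size, md5 and
    a truncated flag (set when the section table claims more bytes than remain)."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        size = pe_image_size(blob, pos)
        if size is None:                       # stray "MZ" bytes, keep scanning
            pos = blob.find(b"MZ", pos + 1)
            continue
        truncated = pos + size > len(blob)
        if truncated:
            size = len(blob) - pos
        chunk = blob[pos:pos + size]
        found.append({"offset": pos, "size": size, "truncated": truncated,
                      "md5": hashlib.md5(chunk).hexdigest()})
        pos = blob.find(b"MZ", pos + size)     # skip past the carved file
    return found


def make_pe(section_data: bytes) -> bytes:
    """Build a minimal PE32 stub with one section (constructed test data, not runnable code)."""
    file_align = 512
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> "PE\0\0"
    opt_size = 224                                             # PE32 optional header length
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 60, file_align)                # SizeOfHeaders
    sec = bytearray(40)
    sec[0:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(section_data), 0x1000, len(section_data), file_align)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return headers.ljust(file_align, b"\0") + section_data


def build_sample_blob() -> bytes:
    """Constructed stand-in for one octet-stream that carries two EXEs back to back."""
    stray = b"MZ-not-a-pe-"                                    # 12 bytes that must be rejected
    return stray + make_pe(b"A" * 1000) + make_pe(b"B" * 2000)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for hit in carve_pe(data):
        print("offset=%(offset)d size=%(size)d md5=%(md5)s truncated=%(truncated)s" % hit)
```

Run it with the exported response body as the only argument; with no argument it carves the constructed sample and reports two files at offsets 12 and 1524.  Matching the reported MD5 values against the hashes of the EXEs recovered from the infected host is the check that confirms (or refutes) that the one large stream and the two smaller ones carried the same files.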
CHAIN OF EVENTS

ASSOCIATED DOMAINS

FIESTA EK TRAFFIC USING SILVERLIGHT AS AN EXPLOIT

FIESTA EK - SILVERLIGHT EXPLOIT - POST-INFECTION CALLBACK

FIESTA EK TRAFFIC USING JAVA AS AN EXPLOIT

FIESTA EK - JAVA EXPLOIT - POST-INFECTION CALLBACK

NOTE: In the first example, a Java exploit was sent after the Silverlight traffic; however, no malware payload was sent using Java.  I did not include those additional HTTP GET requests in the PCAP for the Silverlight traffic.

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name:  2014-03-22-Fiesta-EK-silverlight-exploit.xap
File size:  5.1 KB ( 5265 bytes )
MD5 hash:  eb74945c840dfd74a171639f379777aa
Detection ratio:  3 / 51
First submission:  2014-03-19 15:32:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bed60e3715e542881d5e80784bdcbb4945a6a8375a63cbde6436a2782593a87c/analysis/

JAVA EXPLOIT

File name:  2014-03-22-Fiesta-EK-java-exploit.jar
File size:  7.3 KB ( 7462 bytes )
MD5 hash:  d529b2a500b94641fa89157f14d46608
Detection ratio:  4 / 51
First submission:  2014-03-22 03:59:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a4d56c4a8ddf5bed48b6fc8641f87ff356e272d52c2516d4dfb00575f64e3e0c/analysis/

MALWARE PAYLOAD PART 1

File name:  2014-03-22-Fiesta-EK-first-malware-payload.exe
File size:  712.5 KB ( 729600 bytes )
MD5 hash:  2233f453d8a120321a3dca0e3df25420
Detection ratio:  9 / 51
First submission:  2014-03-22 04:00:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2629ea9fe35e2ff0dde9d018c66e5f0355068a958f827b74ec3fb067ea751383/analysis/
Malwr link:  https://malwr.com/analysis/NDEwZDliOTI3YzNhNGQ2MmE2ODMxYzRiMjY0NzljZjI/

MALWARE PAYLOAD PART 2

File name:  2014-03-22-Fiesta-EK-second-malware-payload.exe
File size:  892.0 KB ( 913409 bytes )
MD5 hash:  bbab2ae7c44d8c024928d2f978d5b991
Detection ratio:  2 / 51
First submission:  2014-03-22 04:01:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3aabe8afb7e974cb4b5ec89c9aa87e3f1841957146da2c8b620314b575f89c16/analysis/
Malwr link:  https://malwr.com/analysis/ZGQ2NTYyODBhMDY1NGQ3NTliZGY5ZjM4YzFiYjJkNDk/

SNORT EVENTS

SNORT EVENTS FOR THE FIESTA EK SILVERLIGHT TRAFFIC (from Sguil on Security Onion)

SNORT EVENTS FOR THE FIESTA EK JAVA TRAFFIC (from Sguil on Security Onion)

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe in page from the infected web server
From the first PCAP with the Silverlight exploit

From the second PCAP with the Java exploit

Fiesta EK Silverlight exploit delivers malware payload in single HTTP GET request

Fiesta EK Java exploit delivers same malware payload in two different HTTP GET requests

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
