2014-04-30 - MAGNITUDE EK FROM 193.169.245.10 - SAFEHE.IN

ASSOCIATED FILES:

PREVIOUS MAGNITUDE EK:

Someone asked if I noticed a specific server for Magnitude EK.  Here's what I've seen:

Can't say if Magnitude EK always runs on CentOS, but that's what I've trended so far.  Malware Don't Need Coffee shows Apache/2.2.25 (CentOS) with PHP/5.3.27 from Magnitude EK as early as October 2013 (link).

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECTS:

MAGNITUDE EK:

 

POST-INFECTION CALLBACK TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

 

SCREENSHOTS FROM THE TRAFFIC

www.cec.com.mx (Compromised website) to ironsportsbook.com (First redirect):

 

www.ironsportsbook.com (First redirect) to seror28.wha.la (Second redirect):

 

seror28.wha.la (Second redirect) to Magnitude EK:

 

Magnitude EK sends (what I assume is) a CVE-2013-2551 MSIE exploit:

 

Magnitude EK sends the Java exploit:

 

Java exploit delivers the malware...  All of the Magnitude EK malware payloads were obfuscated.  The binaries were XOR-ed with 0x29, the ASCII character ")", as shown below:
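The single-byte XOR scheme described above can be undone, and the key recovered when it isn't known, with a few lines of Python.  This is an added example, not code from the original post: the bytes it works on are a constructed minimal MZ/PE header, not one of the captured payloads, and the function names are my own.  It goes a bit beyond the 0x29 case by brute-forcing all 256 single-byte keys and keeping the one that yields a valid MZ stub whose e_lfanew points at a "PE\0\0" signature.

```python
#!/usr/bin/env python3
"""Decode single-byte-XOR-obfuscated PE payloads (Magnitude EK used 0x29, ASCII ')').

Added example for illustration; build_sample_pe_stub() constructs a fake header,
it is not one of the payloads from the capture."""
import sys
from typing import Optional

MZ_MAGIC = b"MZ"        # DOS stub signature at offset 0
PE_MAGIC = b"PE\0\0"    # NT header signature at offset e_lfanew (DWORD at 0x3C)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse, so this
    both obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def recover_xor_key(data: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys and return the one that produces a
    plausible PE header, or None.  Key 0 means the blob was not obfuscated.
    Only the DOS header and the four bytes at e_lfanew are decoded per guess,
    so this is cheap even on large payloads."""
    if len(data) < 0x40:
        return None
    for key in range(256):
        head = xor_bytes(data[:0x40], key)
        if head[:2] != MZ_MAGIC:
            continue
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        if xor_bytes(data[e_lfanew:e_lfanew + 4], key) == PE_MAGIC:
            return key
    return None


def build_sample_pe_stub() -> bytes:
    """Constructed minimal PE-like blob for testing: MZ stub, e_lfanew = 0x80,
    'PE\\0\\0' plus an i386 Machine field.  Not a real executable."""
    e_lfanew = 0x80
    stub = bytearray(MZ_MAGIC + b"\x90" * (0x3C - 2))
    stub += e_lfanew.to_bytes(4, "little")
    stub += b"\x00" * (e_lfanew - len(stub))
    stub += PE_MAGIC + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386
    return bytes(stub)


def decode_payload(blob: bytes) -> bytes:
    """Recover the key and return the decoded PE; raises if no key fits."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a PE header")
    return xor_bytes(blob, key)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: xor_decode.py <obfuscated payload> <output file>
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        key = recover_xor_key(blob)
        print("recovered key: %s" % ("none" if key is None else "0x%02x" % key))
        if key is not None:
            with open(sys.argv[2], "wb") as out:
                out.write(xor_bytes(blob, key))
    else:
        # Self-check on the constructed sample, obfuscated the way the EK did it.
        sample = build_sample_pe_stub()
        obfuscated = xor_bytes(sample, 0x29)
        assert not looks_like_pe(obfuscated)
        assert recover_xor_key(obfuscated) == 0x29
        assert decode_payload(obfuscated) == sample
        print("ok: key 0x29 recovered, header decodes to MZ/PE")
```

A quick eyeball check before running anything: 0x4D ^ 0x29 = 0x64 and 0x5A ^ 0x29 = 0x73, so a payload XOR-ed with ")" starts with the ASCII bytes "ds" instead of "MZ" in a hex editor.  Snort-style content matches on the MZ header won't fire on these downloads, which is the point of the obfuscation.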

 

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.