2014-09-28 - NULL HOLE EK FROM 162.244.33[.]39 - POOLIE.VVK49[.]COM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-09-28-Null-Hole-EK-traffic.pcap.zip
- 2014-09-28-Null-Hole-EK-failed-attempts.pcap.zip
- 2014-09-28-Null-Hole-EK-malware.zip
NOTES (updated 2014-11-29):
- Today's EK traffic patterns were similar to a Styx infection I documented about 6 months ago on 2014-03-15, which is why I originally identified this as Styx EK.
- Kafeine researched this type of traffic, and he found it's Null Hole EK: https://malware.dontneedcoffee.com/2014/11/call-me-null-hole-maybe.html
- The infected VM was running IE 8 and an outdated version of Flash.
- I tried it again on IE 10 without Flash while using out-of-date Java (6u25 and 7u13), but I could not infect the VM going that route.
- The compromised server that kicked off this infection chain is a WordPress site named bridepopmississippi[.]com.
- A search on Clean MX showed 11 URLs from bridepopmississippi[.]com were reported since 2014-08-18. These were resolved; however, today a visit to bridepopmississippi[.]com kicked off an infection on my vulnerable VM.
URLs from bridepopmississippi[.]com reported to Clean MX
URL from bridepopmississippi[.]com reported to Scumware.org
Warning about bridepopmississippi[.]com from a Bing search
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 50.63.220[.]1 - bridepopmississippi[.]com - Compromised website
- 188.120.251[.]39 - rabiorik[.]ru - Redirect
- 162.244.33[.]39 - poolie.vvk49[.]com and cobalt.pss33[.]com - Null Hole EK
- various IP addresses - Post infection traffic using ephemeral ports on both TCP qand UDP
COMPROMISED WEBSITE AND REDIRECT:
- 01:30:59 UTC - 50.63.220[.]1:80 - bridepopmississippi[.]com - GET /
- 01:31:09 UTC - 188.120.251[.]39:80 - rabiorik[.]ru - GET /wlkzkir.cgi?default
NULL HOLE EK:
- 01:31:10 UTC - 162.244.33[.]39:80 - poolie.vvk49[.]com - GET /TbCAgWPudohEQ
- 01:31:11 UTC - 162.244.33[.]39:80 - poolie.vvk49[.]com - GET /TbCAgWPudohEQ/e.html
- 01:31:13 UTC - 162.244.33[.]39:80 - poolie.vvk49[.]com - GET /TbCAgWPudohEQ/gzgBQVI.html
- 01:31:13 UTC - 162.244.33[.]39:80 - poolie.vvk49[.]com - GET /TbCAgWPudohEQ/ERAnnQG.html
- 01:31:13 UTC - 162.244.33[.]39:80 - poolie.vvk49[.]com - GET /TbCAgWPudohEQ/qtNDDUG.html
- 01:31:14 UTC - 162.244.33[.]39:80 - poolie.vvk49[.]com - GET /TbCAgWPudohEQ/djIhQ.swf
- 01:31:17 UTC - 162.244.33[.]39:80 - poolie.vvk49[.]com - GET /TbCAgWPudohEQ/loader2.exe&h=33
- NOTE: The redirect and EK traffic are repeated, but no exploit or payload are re-sent.
POST-INFECTION TRAFFIC (ENCRYPTED OR OTHERWISE OBFUSCATED):
- 1.175.221[.]30 port 59858 - UDP
- 89.165.191[.]55 port 40624 - UDP
- 89.165.191[.]55 port 39192 - TCP
- 111.242.29[.]3 port 47175 - TCP
- 178.63.51[.]9 port 24268 - UDP
- 178.63.51[.]9 port 52346 - TCP
- 182.65.41[.]203 port 30545 - UDP
- 182.65.41[.]203 port 22261 - TCP
- 190.39.82[.]189 port 54999 - UDP
- 190.39.82[.]189 port 53557 - TCP
- 201.167.17[.]104 port 23355 - UDP
- 201.167.17[.]104 port 21504 - TCP
- 203.185.17[.]170 port 30546 - UDP
- 203.185.17[.]170 port 51878 - TCP
- 220.136.84[.]102 port 42955 - UDP
- 220.136.84[.]102 port 53643 - TCP
ADDITIONAL FAILED ATTEMPTS TO INFECT A VM USING JAVA ONLY:
- 16:17:19 UTC - 188.120.251[.]39:80 - rabiorik[.]ru - GET /xtbqkub.cgi?default
- 16:17:20 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ
- 16:17:21 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ/e.html
- 16:17:26 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ/gzgBQVI.html
- 16:17:26 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ/ERAnnQG.html
- 16:17:26 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ/qtNDDUG.html
- 16:27:13 UTC - 188.120.251[.]39:80 - rabiorik[.]ru - GET /ctortzy.cgi?default
- 16:27:14 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ
- 16:27:15 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ/e.html
- 16:27:17 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ/gzgBQVI.html
- 16:27:17 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ/ERAnnQG.html
- 16:27:17 UTC - 162.244.33[.]39:80 - cobalt.pss33[.]com - GET /TbCAgWPudohEQ/qtNDDUG.html
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT:
File name: 2014-09-28-Null-Hole-EK-flash-exploit.swf
File size: 5,250 bytes
MD5 hash: 07ca35c6a0c5b30929ad60b34ab1e8fa
Detection ratio: 1 / 55
First submission: 2014-09-28 15:00:59 UTC
VirusTotal link: https://www.virustotal.com/en/file/c641c2728a5b1e369f7f47bb776c6d20b27d613c8da9584250f78699a8a8609b/analysis/
MALWARE PAYLOAD:
File name: 2014-09-28-Null-Hole-EK-malware-payload.exe
File size: 174,652 bytes
MD5 hash: 5469af0daa10f8acbe552cd2f1f6a6bb
Detection ratio: 10 / 55
First submission: 2014-09-27 09:25:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/9bc99299191caf52ebe70a6c7052574c35c40d28f93aa8c163073e81aad9e148/analysis/
DROPPED MALWARE 1 OF 2 (FROM THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):
File name: locolknx.exe
File size: 513,999 bytes
MD5 hash: e685038ae761603712282500b70f80ce
Detection ratio: 11 / 54
First submission: 2014-09-28 15:01:37 UTC
VirusTotal link: https://www.virustotal.com/en/file/1aee63c95c990a2d9e425967c33ecd9f4e80e2da3b1f2b0b3f2de0d9f56ddebe/analysis/
DROPPED MALWARE 2 OF 2 (FROM THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):
File name: ncsfklmi.exe
File size: 643,072 bytes
MD5 hash: b06f9b65d08e81196fb4b4e471a197d8
Detection ratio: 17 / 54
First submission: 2014-09-28 15:02:10 UTC
VirusTotal link: https://www.virustotal.com/en/file/868fd9273bf899981326024e07ad32f5f7a96d39059b50346250add5d80bc69d/analysis/
SIGNATURE HITS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 01:31:17 UTC - 162.244.33[.]39:80 - ET CURRENT_EVENTS Styx Exploit Kit Payload Download (sid:2016499)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
- 01:31:04 UTC - 50.63.220[.]1 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
- 01:31:12 UTC - 162.244.33[.]39:80 - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (x15)
- 01:31:17 UTC - 162.244.33[.]39:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
HIGHLIGHTS FROM THE TRAFFIC
Embedded iframe after closing HTML tag in page from compromised website:
Redirect:
First HTTP reqeust to Null Hole EK:
Landing page for the EK:
EK send the EXE payload:
Example of the post-infection TCP traffic:
Example of the post-infection UDP traffic:
Click here to return to the main page.