2013-08-10 - BLACKHOLE EXPLOIT KIT FROM 173.246.105[.]15 - ELIEHABIB[.]COM


NOTES:

Within the past week or so, some people have noted another fake eFax phishing campaign with "message@inbound.efax[.]com" as a spoofed sending address.  Dynamoo's Blog has a write-up where one of these phishing emails generates traffic with eliehabib[.]com as a malware payload site.  In Dynamoo's Blog, the malware payload URL is eliehabib[.]com/topic/seconds-exist-foot.php.  I found a similar URL dated 07 July 2013 that was probably used in the phishing campaign, too.  In this case, eliehabib[.]com/topic/regard_alternate_sheet.php was the malware payload URL.

I could not replicate the infection chain of events before the eliehabib[.]com URL, but let's examine the Snort IDS events and the traffic that would result if someone had gone to the malware payload URL...


SNORT EVENTS

As usual, I set up a bare-metal install of Windows 7 SP1 with IE 8 and Java Runtime Environment 6 update 25.  Monitoring this setup was an installation of Security Onion.  When I visited eliehabib[.]com/topic/regard_alternate_sheet.php on the vulnerable host, the following events triggered in Sguil:

INFECTION TRAFFIC

Infection from the malware delivery domain:

Two more malware downloads caused by the Trojan downloader:

INFECTION TRAFFIC DETAILS

GET /topic/regard_alternate_sheet.php
IP address: 173.246.105[.]15
domain name: eliehabib[.]com

Events: None

In some cases, you might have a Snort event for an exploit kit landing page, based on a string match in the HTTP GET request.  This is a relatively new landing page URL pattern (a single-word directory followed by a three-word .php filename), and based on what I've seen so far, we might not get a Snort rule for it.
This sets up the HTTP GET request for the Java exploit...


GET /topic/regard_alternate_sheet.php?sCgjKzq=XxMXwha&AfptP=QsWlvzPz
IP address: 173.246.105[.]15
domain name: eliehabib[.]com

Events:

Screenshot of traffic:

The Java exploit is successful, and it retrieves the first malicious binary...


GET /topic/regard_alternate_sheet.php?Ef=5632562f57&Ee=2i2e542i322f572j2h2g&R=2d&Gz=f&bj=Z
IP address: 173.246.105[.]15
domain name: eliehabib[.]com

Events:

Screenshot of traffic:

The first malicious binary is apparently a Trojan downloader: the exploit's own download was made by the JRE with a Java user agent, but the follow-up HTTP GET request below is not using Java as a user agent, so something that started running after the first binary landed made the request...
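Since no Snort rule fires on the landing page pattern, and the Java user agent on an executable download is the most telling signal in this chain, here is an added example (my own detection logic, not code from the original write-up or from Security Onion) that turns the three eliehabib[.]com requests above into a stage classifier and correlates them per client. The log format is a constructed, space-separated proxy log made up for this example; the JRE user-agent string is the stock "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25" format assumed here (the page only says the follow-up request did not use a Java user agent); the "-" separator variant comes from the Dynamoo URL mentioned above; and the 0-9/a-j alphabet for the payload parameters is generalised from the single payload URL in this capture, so treat it as an assumption.

```python
"""Stage classifier and per-client correlation for the Blackhole request
sequence seen in this capture.  Added example; log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Landing-page path shape seen here: /<word>/<word>_<word>_<word>.php
# ('-' accepted as well, from the seconds-exist-foot.php URL on Dynamoo's Blog).
BH_PATH = re.compile(r"^/[a-z]+/[a-z]+[_-][a-z]+[_-][a-z]+\.php$")
# Jar request: two random keys/values made only of letters (assumed from one sample).
RANDKEY = re.compile(r"^[A-Za-z]{2,8}$")
# Payload request: at least one long value from the 0-9/a-j alphabet (assumed).
ENCODED = re.compile(r"^[0-9a-j]{10,}$")
# Response types that mean "a Windows executable came back".
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}

# Constructed log format for this example:
# client_ip method host "path?query" status content_type "user_agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d{3}) (\S+) "([^"]*)"$')

STAGES = ("landing", "exploit", "payload")


def parse_line(line):
    """Split one constructed log record into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, host, url, status, ctype, ua = m.groups()
    parts = urlsplit(url)
    return {"client": client, "method": method, "host": host, "path": parts.path,
            "query": parse_qsl(parts.query, keep_blank_values=True),
            "status": int(status), "ctype": ctype, "ua": ua}


def blackhole_stage(rec):
    """Return 'landing', 'exploit', 'payload' or None for one request."""
    if not BH_PATH.match(rec["path"]):
        return None
    q = rec["query"]
    if not q:
        return "landing"
    if len(q) == 2 and all(RANDKEY.match(k) and RANDKEY.match(v) for k, v in q):
        return "exploit"
    if len(q) >= 3 and any(ENCODED.match(v) for _, v in q):
        return "payload"
    return None


def java_exe_download(rec):
    """True when the JRE, not a browser, fetched an executable: the shape of
    the first download in this capture (served under a .php URL)."""
    got_exe = rec["ctype"] in EXE_TYPES or rec["path"].lower().endswith(".exe")
    return "Java/" in rec["ua"] and got_exe


def infection_chains(lines):
    """Per client, require landing -> exploit -> payload in that order before
    alerting; a lone landing-page hit on a three-word .php path is too weak."""
    seen = defaultdict(dict)          # client -> {stage: host}
    java_exe = defaultdict(list)      # client -> hosts that served an EXE to Java
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = blackhole_stage(rec)
        if stage is not None:
            earlier = STAGES[:STAGES.index(stage)]
            if all(s in seen[rec["client"]] for s in earlier):
                seen[rec["client"]].setdefault(stage, rec["host"])
        if java_exe_download(rec):
            java_exe[rec["client"]].append(rec["host"])
    return {client: {"landing_host": st["landing"], "java_exe_hosts": java_exe.get(client, [])}
            for client, st in seen.items() if all(s in st for s in STAGES)}


# Constructed sample: the three eliehabib.com requests from this capture, the
# downloader's follow-up fetch (its real user agent is not shown on the page, so
# a generic one is used), and two benign-looking requests from another client.
SAMPLE_LOG = """\
10.0.0.5 GET eliehabib.com "/topic/regard_alternate_sheet.php" 200 text/html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.5 GET eliehabib.com "/topic/regard_alternate_sheet.php?sCgjKzq=XxMXwha&AfptP=QsWlvzPz" 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25"
10.0.0.5 GET eliehabib.com "/topic/regard_alternate_sheet.php?Ef=5632562f57&Ee=2i2e542i322f572j2h2g&R=2d&Gz=f&bj=Z" 200 application/x-msdownload "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25"
10.0.0.5 GET davidgartonministry.org "/s86.exe" 200 application/x-msdownload "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 GET finddecisions.com "/" 200 text/html "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.9 GET blog.example "/topic/regard_alternate_sheet.php" 200 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
10.0.0.9 GET cdn.example "/static/lib_main_v2.js?ver=2" 200 text/javascript "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["client"], rec["host"], blackhole_stage(rec), java_exe_download(rec))
    print(infection_chains(SAMPLE_LOG.splitlines()))
```

The point of the ordering check is that the 10.0.0.9 client hits a path of exactly the same shape and gets no alert, while 10.0.0.5 walks all three stages and additionally has the JRE pull down a Windows executable, which is the single indicator I would alert on even without the URL pattern.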


GET /s86.exe
IP address: 69.162.154[.]23
domain name: davidgartonministry[.]org

Events:

Screenshot of traffic:


GET /
IP address: 95.130.11[.]213
domain name: finddecisions[.]com

Events: none

Screenshot of traffic:

This callback traffic might just be a check of whether the domain is reachable.  There's no data sent back, and we see other TCP traffic to 95.130.11[.]213 on ports other than 80.  We also see other UDP and TCP traffic to various IP addresses...

TCP traffic:

UDP traffic:

PRELIMINARY MALWARE ANALYSIS

https://www.virustotal.com/gui/file/d1d127d60ca94a8a1779c9d978c4eadfdd5dbb3683a87f2bd1cbc963b09a9a36
File name:  java-exploit-from-173.246.105[.]15.jar
File size:  19.8 KB ( 19,792 bytes )
https://www.virustotal.com/gui/file/18e332ef248116d5b72eef8be7aea9e2ea756ecf0e9dae0d294d2ffaf178ade7
File name:  info.exe
File size:  355.3 KB ( 355,328 bytes )
https://www.virustotal.com/gui/file/883490ebce9703ab22525f4763327458cf045d9b68c50ba29c898e7b1d9b7883
File name:  s86.exe
File size:  147.5 KB ( 147,456 bytes )
