2013-08-10 - BLACKHOLE EXPLOIT KIT FROM 173.246.105[.]15 - ELIEHABIB[.]COM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
 
ASSOCIATED FILES:
- 2013-08-10-Blackhole-EK-traffic.pcap.zip 1.2 MB (1,212,047 bytes)
- 2013-08-10-Blackhole-EK-malware.zip 378.5 kB (378,534 bytes)
 
NOTES:
Within the past week or so, some people have noted another fake efax phishing campaign with "message@inbound.efax[.]com" as a spoofed sending address. Dynamoo's Blog has a write-up where one of these phishing emails generates traffic with eliehabib[.]com as a malware payload site. In Dynamoo's Blog, the malware payload URL is eliehabib[.]com/topic/seconds-exist-foot.php. I found a similar URL dated 07 July 2013 that was probably used in the phishing campaign, too. In this case, eliehabib[.]com/topic/regard_alternate_sheet.php was the malware payload URL.
I could not replicate the chain of events leading up to the eliehabib[.]com URL, but let's examine the Snort IDS events and the traffic that would result if someone had gone to the malware payload URL...
SNORT EVENTS
As usual, I set up a bare-metal install of Windows 7 SP1 with IE 8 and Java Runtime Environment 6 update 25. Monitoring this setup was an installation of Security Onion. When I visited eliehabib[.]com/topic/regard_alternate_sheet.php on the vulnerable host, the following events triggered in Sguil:

- 173.246.105[.]15 port 80 - 192.168.1[.]106 port 49161 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- 173.246.105[.]15 port 80 - 192.168.1[.]106 port 49161 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 192.168.1[.]106 port 49162 - 173.246.105[.]15 port 80 - ET CURRENT_EVENTS BlackHole EK Variant Payload Download
- 173.246.105[.]15 port 80 - 192.168.1[.]106 port 49162 - ET INFO EXE - Served Attached HTTP
- 173.246.105[.]15 port 80 - 192.168.1[.]106 port 49162 - ET INFO Packed Executable Download
- 173.246.105[.]15 port 80 - 192.168.1[.]106 port 49162 - ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe
- 173.246.105[.]15 port 80 - 192.168.1[.]106 port 49162 - ET POLICY PE EXE or DLL Windows file download
- 173.246.105[.]15 port 80 - 192.168.1[.]106 port 49162 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
- 69.162.154[.]23 port 80 - 192.168.1[.]106 port 49170 - ET SHELLCODE Possible Call with No Offset TCP Shellcode
- 69.162.154[.]23 port 80 - 192.168.1[.]106 port 49170 - ET POLICY PE EXE or DLL Windows file download
 
INFECTION TRAFFIC
Infection from the malware delivery domain:
- 07:16:47 GMT - 192.168.1[.]106 port 49159 - 173.246.105[.]15 port 80 - GET /topic/regard_alternate_sheet.php
- 07:16:56 GMT - 192.168.1[.]106 port 49161 - 173.246.105[.]15 port 80 - GET /topic/regard_alternate_sheet.php?sCgjKzq=XxMXwha&AfptP=QsWlvzPz [Java exploit]
- 07:16:57 GMT - 192.168.1[.]106 port 49162 - 173.246.105[.]15 port 80 - GET /topic/regard_alternate_sheet.php?Ef=5632562f57&Ee=2i2e542i322f572j2h2g&R=2d&Gz=f&bj=Z [malicious binary: Trojan downloader]
 
Two more malware downloads caused by the Trojan downloader:
- 07:18:18 GMT - 192.168.1[.]106 port 49170 - 69.162.154[.]23 port 80 - GET /s86.exe
- 07:18:24 GMT - 192.168.1[.]106 port 49172 - 95.130.11[.]213 port 80 - GET /
 
INFECTION TRAFFIC DETAILS
GET /topic/regard_alternate_sheet.php
IP address: 173.246.105[.]15
domain name: eliehabib[.]com
Events: None
In some cases, you might have a Snort event for an exploit kit landing page, based on a string match in the HTTP GET request. This is a relatively new landing page pattern in the URL, and based on what I've seen so far, we might not get a Snort rule for it.
This sets up the HTTP GET request for the Java exploit...
GET /topic/regard_alternate_sheet.php?sCgjKzq=XxMXwha&AfptP=QsWlvzPz
IP address: 173.246.105[.]15
domain name: eliehabib[.]com
Events:
- ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- ET INFO JAVA - Java Archive Download By Vulnerable Client
 
[Screenshot of traffic]
The Java exploit is successful, and it retrieves the first malicious binary...
GET /topic/regard_alternate_sheet.php?Ef=5632562f57&Ee=2i2e542i322f572j2h2g&R=2d&Gz=f&bj=Z
IP address: 173.246.105[.]15
domain name: eliehabib[.]com
Events:
- ET CURRENT_EVENTS BlackHole EK Variant Payload Download
- ET INFO EXE - Served Attached HTTP
- ET INFO Packed Executable Download
- ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe
- ET POLICY PE EXE or DLL Windows file download
- ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
 
[Screenshot of traffic]
The first malicious binary is apparently a Trojan downloader, because we see a follow-up HTTP GET request which is not using Java as a user agent...
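The request pattern described so far (one .php script serving the landing page to the browser, then a JAR and an EXE to a Java User-Agent, followed by another EXE fetched from a different server by a non-Java User-Agent) can be checked mechanically. The Python below is an added example, not code from the original write-up; it runs over constructed request summaries built from the timeline above, and the User-Agent strings and response MIME types in those summaries are assumptions, since the page only states which requests used a Java User-Agent.

```python
from collections import defaultdict
from datetime import datetime

# Constructed request summaries modelled on this write-up's timeline
# (time|server|URL|User-Agent|response MIME type). User-Agent strings and MIME
# types are assumptions; the page only says which requests used a Java UA.
SAMPLE_REQUESTS = [
    "07:16:47|173.246.105[.]15|/topic/regard_alternate_sheet.php|Mozilla/4.0 (compatible; MSIE 8.0)|text/html",
    "07:16:56|173.246.105[.]15|/topic/regard_alternate_sheet.php?sCgjKzq=XxMXwha&AfptP=QsWlvzPz|Java/1.6.0_25|application/java-archive",
    "07:16:57|173.246.105[.]15|/topic/regard_alternate_sheet.php?Ef=5632562f57&Ee=2i2e542i322f572j2h2g&R=2d&Gz=f&bj=Z|Java/1.6.0_25|application/x-msdownload",
    "07:18:18|69.162.154[.]23|/s86.exe|Mozilla/4.0 (compatible; MSIE 8.0)|application/x-msdownload",
    "07:18:24|95.130.11[.]213|/|Mozilla/4.0 (compatible; MSIE 8.0)|text/html",
]
EXE_MIMES = {"application/x-msdownload", "application/octet-stream"}


def parse(line):  # 'script' is the URL path with the query string stripped
    ts, server, url, ua, mime = line.split("|")
    return {"ts": datetime.strptime(ts, "%H:%M:%S"), "server": server, "url": url,
            "script": url.split("?", 1)[0], "java": ua.startswith("Java/"), "mime": mime}


def find_ek_chains(lines, window_s=120):
    """Return (kind, server, path, detail) tuples for Blackhole-style chains."""
    reqs = [parse(l) for l in lines]
    by_script = defaultdict(list)
    for r in reqs:
        by_script[(r["server"], r["script"])].append(r)
    findings = []
    for (server, script), hits in by_script.items():
        # One .php script serves the landing page to the browser, then a JAR and
        # an EXE to the Java client, none of them under a .jar or .exe extension.
        landing = [r for r in hits if "?" not in r["url"] and not r["java"]]
        jar = [r for r in hits if r["java"] and r["mime"] == "application/java-archive"]
        exe = [r for r in hits if r["java"] and r["mime"] in EXE_MIMES]
        if not (script.endswith(".php") and landing and jar and exe):
            continue
        findings.append(("ek-chain", server, script, len(hits)))
        # A downloader payload shows up as further EXE fetches from other
        # servers by a non-Java User-Agent shortly after the first binary.
        t0 = exe[0]["ts"]
        for r in reqs:
            delta = (r["ts"] - t0).total_seconds()
            if (r["server"] != server and r["mime"] in EXE_MIMES
                    and not r["java"] and 0 < delta <= window_s):
                findings.append(("downloader-followup", r["server"], r["script"], int(delta)))
    return findings

if __name__ == "__main__":
    print(find_ek_chains(SAMPLE_REQUESTS))
```

The callback GET / to 95.130.11[.]213 is not flagged because no executable came back from it.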
GET /s86.exe
IP address: 69.162.154[.]23
domain name: davidgartonministry[.]org
Events:
- ET SHELLCODE Possible Call with No Offset TCP Shellcode
- ET POLICY PE EXE or DLL Windows file download
 
[Screenshot of traffic]
GET /
IP address: 95.130.11[.]213
domain name: finddecisions[.]com
Events: none
[Screenshot of traffic]
This callback traffic might just be to check if the domain is available. There's no data sent back, and we see other TCP traffic to 95.130.11[.]213 that happened outside of port 80. We also see other UDP and TCP traffic to various IP addresses...
TCP traffic:
- 50.65.158[.]6
- 64.84.8[.]194 (RST each time in reply)
- 64.233.134[.]54 (no response)
- 76.65.212[.]217 (no response)
- 76.241.58[.]101 (no response)
- 95.130.11[.]213
- 130.251.186[.]103
- 173.246.105[.]15 (RST each time in reply)
- 184.148.89[.]74 (no response)
- 206.255.103[.]64
 
UDP traffic:
 
PRELIMINARY MALWARE ANALYSIS
File name: java-exploit-from-173.246.105[.]15.jar
File size: 19.8 KB ( 19,792 bytes )

File name: info.exe
File size: 355.3 KB ( 355,328 bytes )

File name: s86.exe
File size: 147.5 KB ( 147,456 bytes )

VirusTotal links:
- https://www.virustotal.com/gui/file/d1d127d60ca94a8a1779c9d978c4eadfdd5dbb3683a87f2bd1cbc963b09a9a36
- https://www.virustotal.com/gui/file/18e332ef248116d5b72eef8be7aea9e2ea756ecf0e9dae0d294d2ffaf178ade7
- https://www.virustotal.com/gui/file/883490ebce9703ab22525f4763327458cf045d9b68c50ba29c898e7b1d9b7883