2013-08-16 - INJECTED SCRIPT IN COMPROMISED WORDPRESS SITES LEADS TO SYTX EXPLOIT KIT

NOTICE:

ASSOCIATED FILES:

 

NOTES:

Earlier this week, I was searching through the CLEAN MX realtime database, where it's fairly easy to find compromised web pages (and more) using the site's search function.  One of the compromised sites I found was named stockmarketsage[.]com.

When purposely infecting a vulnerable Windows machine, I found the following code repeated througout the site's index page:

A spot check on five other pages from stockmarketsage[.]com shows the same code multiple times in each page.  A Google search on the code showed the same type of code appearing in multiple, unrelated sites.

However, those sites had at least one common factor--they were all based on WordPress.  This is injected code, and it's probably the result of a large-scale campaign targeting WordPress sites.  WordPress sites are occasionally hit by botnet-based brute-force attacks.  An example can be seen in this report by the US CERT.

Let's see what happened when veiwing stockmarketsage[.]com on a vulnerable Windows computer...

 

SNORT EVENTS

Using Security Onion to monitor a vulnerable Windows computer, the following events triggered in Sguil when visiting stockmarketsage[.]com:

  • 192.168.1[.]106 port 49206 - 91.220.131[.]179 port 80 - ET TROJAN Unknown Trojan Checkin
  • 192.168.1[.]106 port 49212 - 291.235.1[.]127 port 80 - ET TROJAN System Progressive Detection FakeAV (AMD)
  • 192.168.1[.]106 port 49214 - 108.168.255.244 port 80 - ET POLICY Maxmind geoip check to /app/geoip.js
  • 192.168.1[.]106 port 63166 - 194.165.17[.]4 port 53 - ET TROJAN ZeroAccess udp traffic detected
  • 219.235.1[.]127 port 80 - 192.168.1[.]106 port 49212 - ET TROJAN W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess
  • 223.26.55[.]97 port 80 - 192.168.1[.]106 port 49216 - ET POLICY PE EXE or DLL Windows file download
  • 192.168.1[.]106 port 49223 - 66.147.244[.]127 port 80 - ET TROJAN Fareit/Pony Downloader Checkin 3
  • 192.168.1[.]106 port 49223 - 66.147.244[.]127 port 80 - ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS
  • 192.168.1[.]106 port 49221 - 66.147.244[.]127 port 80 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
  • 192.168.1[.]106 port 49221 - 66.147.244[.]127 port 80 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
  • 192.168.1[.]106 port 49224 - 78.140.131[.]151 port 80 - ET TROJAN Medfos Connectivity Check
  • 192.168.1[.]106 port 49233 - 91.220.131[.]179 port 80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters
  • 23.42.146[.]170 port 80 - 192.168.1[.]106 port 49234 - ET CURRENT_EVENTS Revoked Adobe Code Signing Certificate Seen

INFECTION TRAFFIC

The compromised website, followed by two redirects:

First malware delivery domain: avajpnu[.]ac[.]ir - 78.157.60[.]170

Second malware delivery domain: debutedroller[.]biz - 185.13.32[.]45

This was followed by callback traffic and more HTTP GET requests that downloaded additional malware.  For this blog entry, I'm only going to focus on the initial infection shown above.

INFECTION TRAFFIC DETAILS

GET /
IP address: 174.120.21[.]157
domain name: stockmarketsage[.]com

Sguil events: None

This is the compromised webiste with the injected Javascript (shown again below):

After reviewing the traffic, I think that Javascript probably caused the next HTTP GET request in the infection chain of events.

 

GET /?travel
IP address: 46.4.94[.]102
domain name: googleclick[.]info

Sguil events: None

Screenshot of traffic:

A redirect to the next HTTP GET request...

 

GET /intro/345.php
IP address: 46.30.40[.]91
domain name: vh32636.eurodir[.]ru

Sguil events: None

Screenshot of traffic:

A redirect to the next HTTP GET request...

 

GET /blog/?p=5696
IP address: 78.157.60[.]170
domain name: avajpnu[.]ac[.]ir

Sguil events: None

Screenshot of traffic:

This is the first HTTP GET request to the malware delivery domain.

 

GET /blog/ceg.4dy
IP address: 78.157.60[.]170
domain name: avajpnu[.]ac[.]ir

Sguil events:

Screenshot of traffic:

This sets up the next two HTTP GET requests that send the Java exploit and get the malware.

 

GET /blog/rebza.tmp
IP address: 78.157.60[.]170
domain name: avajpnu[.]ac[.]ir

Sguil event:

Screenshot of traffic:

 

GET /download.asp?p=1
IP address: 78.157.60[.]170
domain name: avajpnu[.]ac[.]ir

Sguil event:

Screenshot of traffic:

The malicious binary shown above is XOR-ed with the ASCII string "binkey" in a repeating pattern.  This is common enough, and there are a few ways of decrypting the binary if you extract it from Wireshark.  Some people use a Pearl script.  In this case, I used one of the conversion tools provided by Kahu Security to decode the binary.

 

GET /JIu5D_T0_vGoG05I/0Q0/9I3c0LVO_b13KX_K0_X9EN0/YFWI-0kc6d06B6_y0/nsIP0Kxq/t0bjk-x0v-mn30f-Yga0_7J/bW0HX_xB0r-XqM08kPi-0Kun_A12TC-r0n/7jL0-bG6z10D3/I02p-9m-0qc/bL0XDA-10Ygbj0D-UWz03iea0_4Ew50Ox_Zv/0ZyN4/0KFQV0z3_zH_0IBWG0-Rgbr0fKs/S0-L9I-D0rq5x-0O7kY08a/q20eri5-0D3CK_0W66b0j9/dZ0Fg/uy0FeK70_h3xJ06ffl0O-BOj0Om-GY0Z0mi_0vgDh13y-bQ150YL0-1Bue/hugjt.html
IP address: 185.13.32[.]45
domain name: debutedroller[.]biz

Sguil event:

Screenshot of traffic:

 

GET /JIu5D_T0_vGoG05I/0Q0/9I3c0LVO_b13KX_K0_X9EN0/YFWI-0kc6d06B6_y0/nsIP0Kxq/t0bjk-x0v-mn30f-Yga0_7J/bW0HX_xB0r-XqM08kPi-0Kun_A12TC-r0n/7jL0-bG6z10D3/I02p-9m-0qc/bL0XDA-10Ygbj0D-UWz03iea0_4Ew50Ox_Zv/0ZyN4/0KFQV0z3_zH_0IBWG0-Rgbr0fKs/S0-L9I-D0rq5x-0O7kY08a/q20eri5-0D3CK_0W66b0j9/dZ0Fg/uy0FeK70_h3xJ06ffl0O-BOj0Om-GY0Z0mi_0vgDh13y-bQ150YL0-1Bue/jorg.html
IP address: 185.13.32[.]45
domain name: debutedroller[.]biz

Sguil events:

Screenshot of traffic:

 

GET /JIu5D_T0_vGoG05I/0Q0/9I3c0LVO_b13KX_K0_X9EN0/YFWI-0kc6d06B6_y0/nsIP0Kxq/t0bjk-x0v-mn30f-Yga0_7J/bW0HX_xB0r-XqM08kPi-0Kun_A12TC-r0n/7jL0-bG6z10D3/I02p-9m-0qc/bL0XDA-10Ygbj0D-UWz03iea0_4Ew50Ox_Zv/0ZyN4/0KFQV0z3_zH_0IBWG0-Rgbr0fKs/S0-L9I-D0rq5x-0O7kY08a/q20eri5-0D3CK_0W66b0j9/dZ0Fg/uy0FeK70_h3xJ06ffl0O-BOj0Om-GY0Z0mi_0vgDh13y-bQ150YL0-1Bue/ewbkTzkKQ.jar
IP address: 185.13.32[.]45
domain name: debutedroller[.]biz

Sguil events: None

Screenshot of traffic:

By itself, this HTTP GET request shown above for the JAR file didn't trigger any Sguil events--at least not with the Security Onion signature set as of 2018-08-16.

 

GET /gFp12U0I/JCT/019Vq1/2sn/A0gd-je14l-X50aJZ_y0FWU-f0fqKU10m_kO1_6onz0DW/Mx0/P2zr0w_l3-t0JT_lw0uKLm0-oLzw0dIl_T0YG9Y0_aQj_E052/Vj0Te_Fl15YPa0_thps0aL/Mv0H-Zl70x-oLD0J-NOM0AB-FW128pB0SeD/90tNRa0/QUa20oZNS_0yZ-8517UJ1/0vJ/BA0N5/yN0jCz-P0CaJ-i0KEDP-0tPrh-0mVCs03-q4-P08u9l05/CXi0/f7Cw0Mcq-Z0Q/CSB0_Gp8-50ZZjD_0iXWc/06kcZ0Z8_m50gEit0C_grb-0EeOt0_Kdyw_06cBz0S/HHK/hn998MfHsk.exe?fGt6=J&h=11
IP address: 185.13.32[.]45
domain name: debutedroller[.]biz

Sguil events:

Screenshot of traffic:

 

So far, we've run through the initial infection that, according to the Snort events seen in Squil, were caused by a Redkit exploit and a Styx exploit.  More malware was downloaded, and several more alerts were generated:

See the PCAP for more information on the subsequent malware traffic.  The vulnerable Windows host I used was infected quite thoroughly.  If this had happened in a work environment, the computer should be completely wiped and the everything reinstalled.  The user should change any passwords they've used while logged in to the computer, because that information was likely scraped from the browser cache and sent to a hacker's server somewhere.

 

PRELIMINARY MALWARE ANALYSIS

Java exploit from 78.157.60[.]170 (avajpnu[.]ac[.]ir):

https://www.virustotal.com/gui/file/b77df80d5c3ff192adbc8330c4443670fac6a78d261e5b111cf73c473fbfbd54

File name:  app.jar
File size:  21.0 KB ( 20,955 bytes )

Malicious executable from 78.157.60[.]170 (avajpnu[.]ac[.]ir):

https://www.virustotal.com/gui/file/7a179d8175e20cc7cf68a1f226e99189dcb5cca04bded1d35d68932b96acf221

File name:  setup.exe
File size:  21.6 KB ( 21,620 bytes )

NOTE: This malware calls to www.tmindustriale[.]com on 62.149.140[.]220 with GET /blog/index.php to download more malware.

Java exploit from 185.13.32[.]45 (debutedroller.biz):

https://www.virustotal.com/gui/file/16e1446fa467c56d13974ec744c588bf386415dc9b85db13d092509c5a6b57b3

File name:  ewbkTzkKQ.jar
File size:  16.2 KB ( 16,223 bytes )

Malicious executable from 185.13.32[.]45 (debutedroller[.]biz):

https://www.virustotal.com/gui/file/7d037aba83610e4dd44bedd77f8f1ed32a99b6b94b960138b82c70a78f9f841e

File name:  SiNk6DK9UO.exe
File size:  27.1 KB ( 27,136 bytes )

NOTE: I tried running this in a VM (Win 7 32-bit), but it gave an error message and didn't do anything.

 

Click here to return to the main page.