2013-09-07 - SWEET ORANGE EXPLOIT KIT

NOTICE:

ASSOCIATED FILES:

 

2016-09-23 UPDATE: Reviewed this blog post and realized this was an infection caused by the Sweet Orange Exploit Kit (EK).  I changed the title of this blog to reflect the EK.

NOTES:

Malicious domains have a number of sneaky tricks they can use to evade an IDS or other network monitoring.  In this week's example, I found two.  First, the java exploit and malicious executable were delivered over a non-standard port for HTTP traffic, so my default configuration of Security Onion didn't generate any alerts until after the machine was infected with the initial Trojan downloader and checked in.  Second, the Trojan downloader was encrypted over the network, so people might not recognize it when it comes through the traffic.

As usual, I set up a vulnerable machine and checked the CLEAN MX realtime database for a compromised website to find a full infection chain.  In this case, the server for wadeinterests[.]com had been compromised, and the site's index page had some malicious javascript.

Let's see where the chain of events leads to...

 

SNORT EVENTS

The following events were triggered on a bare metal Windows 7 64-bit SP 1 install with Java 6 update 25 being monitored by Security Onion:

INFECTION TRAFFIC

Here are the significant domains/IP addresses involved in this traffic:

Chain to initial infection of Trojan downloader:

The callback for more malware:

Callback activity after the machine was infected with the additional malware:

INFECTION TRAFFIC DETAILS

GET /
IP address: 70.85.214[.]226
domain name: wadeinterests[.]com

Sguil events: None

Screenshot of the traffic:


Here, you can see an iframe inserted before the HTML, causing this traffic to be run in the background.

 

GET /htm/itunes.php?desktop=1
IP address: 93.189.44[.]79 port 7761
domain name: televisionnewegg[.]biz

Sguil events: None, because the $HTTP_PORTS variable used by any applicable signatures doesn't contain port 7761.

Screenshots of traffic:


For some reason, Wireshark would display the header (shown above) but it wouldn't display the HTML that was returned.  I had to export the HTML from the PCAP and open it in a text editor to view it, and you can see the HTML below:

 


Here, you can see the beginning of the HTML file that was returned.  Note that even though there's a header, there is no actual visible text in the body.  It's all script, and the user won't notice this running in the background.  Below is the rest of the HTML:

 


The rest of the script sets up more HTTP get requests to retrieve the malicious Java archive (that contains the Java exploit) and start the Java applet.

GET /htm/IbFGkXLx.jar
IP address: 93.189.44[.]79 port 7761
domain name: televisionnewegg[.]biz

Sguil events: None, because the $HTTP_PORTS variable used by any applicable signatures doesn't contain port 7761.

Screenshot of traffic:


Here's where the Java exploit is retrieved.

 

GET /htm/applet.jnlp
IP address: 93.189.44[.]79 port 7761
domain name: televisionnewegg[.]biz

Sguil events: None, because the $HTTP_PORTS variable used by any applicable signatures doesn't contain port 7761.

Screenshot of traffic:


For some reason, this line that we'd normally see to start the Java applet returns a 404 Not Found error.  It's requested 3 times, but no luck.

 

GET /windows.php?honda=733&rate=121&editorial=4&about=536&campaign=171&star=549&soft=443&my1up=235&rates=266&reklama=-87397632
IP address: 93.189.44[.]79 port 7761
domain name: lookavoided[.]biz

Sguil events: None, because the $HTTP_PORTS variable used by any applicable signatures doesn't contain port 7761.

Screenshot of traffic:


The same IP address, but a different domain name.  The malicious payload of 55418 bytes is encrypted or obfuscated in a manner that was probably set up by the initial HTTP GET request to the previous malware domain.

 

POST /ecvis/gate.php
IP address: 185.6.80[.]153
domain name: daybriefimpermanent[.]biz

Sguil event:

Screenshot of traffic:


This is the initial check in of the Trojan downloader after it's installed on the computer.

 

GET /soft44.exe
IP address: 185.6.80[.]153
domain name: daybriefimpermanent[.]biz

Sguil events:

Screenshot of traffic:


This is the second piece of malware that was downloaded, which triggered the two events shown above.  This is a fake anti-virus program (see the preliminary malware analysis below).

 

GET /soft33.exe
IP address: 185.6.80[.]153
domain name: daybriefimpermanent[.]biz

Sguil events: None

Screenshots of traffic:


For some reason, this piece of malware didn't trigger any separate events.  This is a ZeroAccess rootkit (see the preliminary malware analysis below).

 

GET /api/dom/no_respond/?ts=dd8b41ba27eebba9022704f908698ef488b5755a&token=sysdocx1&group=asp&nid=25AC56D0&lid=0072&ver=0072&affid=51800&dx=0
IP address: 219.235.1[.]127
domain name: none

Sguil event:

Screenshot of traffic:


This is the fake anti-virus program calling back to a Chinese IP address.   We see more of this, but without the user agent that triggered the Snort event shown above.

 

UDP traffic over port 53 that's not a DNS request
IP address: 194.165.17[.]4
domain name: not applicable

Sguil event:

Screenshot of traffic:


Wireshark tries to decode this UDP traffic as a DNS request because it's on port 53.  That's why it shows up as a malformed packet.

 

GET /app/geoip.js
IP address: 108.168.255[.]244
domain name: j.maxmind[.]com

Sguil event:

Screenshot of traffic:


This is the malware on the computer getting the location (city/state/ZIPcode) of the infected host.  I've blanked out some of the data in the PCAP of this traffic.  Normally, most or all of the fields would be filled.

 

PRELIMINARY MALWARE ANALYSIS

Java exploit from 93.189.44[.]79 (televisionnewegg[.]biz):

https://www.virustotal.com/gui/file/5d7dacbc7d998d213267fb8e4364d072681015cec1562728938a82801eaa5966

File name:  IbFGkXLx.jar
File size:  35.5 KB ( 35,531 bytes )

NOTE: I couldn't decode the first piece of malware, the obfuscated/encrypted binary from 93.189.44[.]79, that contained the Trojan downloader.

First malicious executable from 185.6.80[.]153 (daybriefimpermanent[.]biz):

https://www.virustotal.com/gui/file/3ed14aeab55467f80bf2b0bd6ff75c501537c1bbd018ba5366bcea006a260457

File name:  soft44.exe
File size:  513.5 KB ( 513,536 bytes )
NOTE:  This malware is a fake anti-virus program.

Second malicious executable from 185.6.80[.]153 (daybriefimpermanent[.]biz):

https://www.virustotal.com/gui/file/7b2caffb1379cf9bea8dfc89938f63520762629b63b9abdd8196d12eaafd8cfe

File name:  soft33.exe
File size:  171.0 KB ( 171,008 bytes )
NOTE:  NOTE: This malware is the ZeroAccess rootkit.

 

Click here to return to the main page.