2013-09-28 - ADS FROM DELIVERY.GLOBALCDNNODE[.]COM LEAD TO BLACKHOLE EXPLOIT KIT


NOTES:

Starting on Sunday, 22 Sep 2013, I've seen several blackhole-style IDS events at work with the same URL from delivery.globalcdnnode[.]com.  Here's an example:

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hxxp://www.santabanta[.]com/jokes/universal-jokes/?page=9
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727;
.NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; MS-RTC LM 8)
Accept-Encoding: gzip, deflate
Host: delivery.globalcdnnode[.]com
Connection: Keep-Alive

 

DETAILS

These have all been the result of ad traffic.  In the example above, the HTTP GET request to delivery.globalcdnnode[.]com actually came from ad.turn[.]com as shown in the image below:

Based on what I've seen from my other investigations, there may have been some ad-related domains in this chain of events after the original referer of www.santabanta[.]com before it got to the HTTP GET request to ad.turn[.]com.

Here's what I've seen for the same URL at delivery.globalcdnnode[.]com/7f01baa99716452bda5bba0572c58be9/afr-zone.php:

In each case, delivery.globalcdnnode[.]com has resolved to a different IP address:

Interestingly enough, the domain was registered as of 2013-09-22, which is the date we first started seeing blackhole-type events from this domain at work.  Here's some of the whois information for the domain globalcdnnode[.]com:

Registrant's name: Alexey Prokopenko
Organization: home
City: Ubileine
Country: Ukraine
Email: Alex1978a@bigmir[.]net
Created: 2013-09-22 11:30:05
Updated: 2013-09-22
Expires: 2014-09-22

Let's fire up a vulnerable Windows host and see what Security Onion finds on it when we visit the URL.  In this case it's ransomware (from the Nymaim family based on one of the IDS events).  If you try this on your own, your results may vary.  Links to the malware and a PCAP of this particular infection are in the "Final Notes" section at the end of this blog entry.


Ah, this particular scam again...

SNORT EVENTS

The following events were triggered on a bare metal Windows 7 64-bit SP 1 install with Java 6 update 25 and Adobe Reader 10.0.0 being monitored by a default configuration of Security Onion:

INFECTION TRAFFIC

Here are the significant domains/IP addresses involved in the initial infection:

Here are the significant domains/IP addresses for the callback traffic after the machine was infected:

Chain of events to the initial infection of Trojan downloader:

Callback for the ransomware:

Callback activity after the machine was infected with the ransomware:

INFECTION TRAFFIC DETAILS

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php
IP address: 66.84.17[.]101 port 80
domain name: delivery.globalcdnnode[.]com

Sguil event:

Screenshot of traffic:

 

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?4WC2937*H*=-5J*S!e&w_fM7RoG=(!x-4_al-_
IP address: 66.84.17[.]101 port 80
domain name: delivery.globalcdnnode[.]com

Sguil events:

Screenshot of traffic:

 

GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php?m*ml1v*6x0f1)84=8dwe8dw78e&4G-!2**=w88c8dw6wdw7wbwbwd8c&R!778K*Ks6-=ww&6N!J813_**j=fvM78KV&8D0h-L!-B4_8_5*=!**a*R3l7
IP address: 66.84.17[.]101 port 80
domain name: delivery.globalcdnnode[.]com

Sguil events:

Screenshot of traffic:

 

GET /6.exe
IP address: 74.204.171[.]69 port 80
domain name: main-firewalls[.]com

Sguil events:

Screenshot of traffic:

 

GET /1.exe?c=13
IP address: 74.204.171[.]69 port 80
domain name: main-firewalls[.]com

Sguil events: none

Screenshot of traffic:

 

POST /36414/j481261/index.php
IP address: 69.88.46[.]245 port 80
domain name: none

Sguil event:

Screenshot of traffic:

 

POST /RnRfoI?YUhsYiJvWiQQphCTe=yGdUDvFgWwOKYiQh&EIGnkbNDGP=oiIFegxpmXVrKb
IP address: 81.139.129[.]74 port 35618
domain name: none

Sguil events: none

Screenshot of traffic:

 

POST /nH2zhg?HeeaFwGMpGc=tvQjVADernTbdM&JBbvwDSelGrELo=CQTwxlErbjFLtygd
IP address: 125.20.14[.]222 port 80
domain name: instotsvin[.]ru

Sguil event:

Screenshot of traffic:

 

The rest of the callback traffic is the same as the previous 3 entries:

125.20.14[.]222 port 80 - instotsvin[.]ru - POST /yPbXq46qd?cAYNLlfcMtSqcTc=INCsYcaxqHcilM&OhKLsrlBTMRkxbUM=xqerjUpaivxmoxp&jbRmaMpInTUhm=SbInVGmSheRLO
76.114.253[.]25 port 35618 - no domain name - POST /Gx292jk?emrLgequbgauCvA=CpCBAVIecbqQa
120.146.252[.]247 port 35618 - no domain name - POST /VEm2lt6uo?KyNHXjXkIulOTa=BEwwexgfNJHVOB&tTuWKKBcLtPvTBK=XmoNdIVCHUukl
120.146.252[.]247 port 35618 - no domain name - POST /EvCdwW?xtfrjayLopxYYFd=JmGVCYxPgrBhcH
120.146.252[.]247 port 35618 - no domain name - POST /x3JPge5ys?RJfkMMykmHVVh=xaLQnTpyAiXMoP&ToDmeJEJxYWmtXF
120.146.252[.]247 port 35618 - no domain name - POST /DvZ5os6hk?utwRQAHDykohxjJ=MONfcSiTxDJmF
120.146.252[.]247 port 35618 - no domain name - POST /lsqEf7?churVvcxrarcMllNj=kpifyKNGDbA&jxDjcwFOdNTUc=AhKoiYaMkjui
120.146.252[.]247 port 35618 - no domain name - POST /TeHavW8vV?nTvVlcNjPpXnh=HspQwHYfMhrnaqWB&WuOEkYPKhYgn=AeidFNJUHgxqWF&CDBbEwMiOjG
71.233.228[.]250 port 35618 - no domain name - POST /pHxXeF?GxGCLIJVkxNj=eFoiPCMswbDQm&UvGGLaqLxiPK=ThhRgNCNcxfo&RBLNGuQMhELo=GNkhpSGCtUIdI
71.233.228[.]250 port 35618 - no domain name - POST /2JRW2kn?PjdrlmmRKeTvDQj=ykqghJKSCVoeQh&PajPXuFurlglORRRP
50.63.52[.]53 port 35618 - no domain name - POST /0X2d7ri?UPMudvhCAqKjvH=DbYCEdVkgmWpi&WSDQisxyrINIVnin=fvwCRQSspxvPCmBlI&LyMslMCNdSGp
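As an added example (not part of the original post or its PCAP), the Python below runs a few defender-side heuristics derived from the indicators listed above over a constructed log excerpt: the 32-hex-directory/afr-zone.php landing URL, the .exe downloads, and the post-infection POSTs with short alphanumeric paths and letters-only query strings, frequently to a bare IP on port 35618. The log line format and the reason labels are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample log (not the post's PCAP), one request per line: "<dst_ip> <dst_port> <host|-> <method> <uri>".
# The first six lines use indicators listed in this post (defanged brackets removed); the last two are benign.
SAMPLE_LOG = """\
66.84.17.101 80 delivery.globalcdnnode.com GET /7f01baa99716452bda5bba0572c58be9/afr-zone.php
74.204.171.69 80 main-firewalls.com GET /6.exe
69.88.46.245 80 - POST /36414/j481261/index.php
81.139.129.74 35618 - POST /RnRfoI?YUhsYiJvWiQQphCTe=yGdUDvFgWwOKYiQh&EIGnkbNDGP=oiIFegxpmXVrKb
125.20.14.222 80 instotsvin.ru POST /nH2zhg?HeeaFwGMpGc=tvQjVADernTbdM&JBbvwDSelGrELo=CQTwxlErbjFLtygd
120.146.252.247 35618 - POST /VEm2lt6uo?KyNHXjXkIulOTa=BEwwexgfNJHVOB&tTuWKKBcLtPvTBK=XmoNdIVCHUukl
93.184.216.34 80 www.example.com GET /index.html
93.184.216.34 80 www.example.com POST /api/login?user=alice&remember=1
"""

# Blackhole landing page seen in this post: a 32-hex directory followed by afr-zone.php.
LANDING_RE = re.compile(r"^/[0-9a-f]{32}/afr-zone\.php(\?|$)")
# Shape of the post-infection POSTs: short alphanumeric path, then a query string whose
# keys and values are letters only (no digits, no percent-encoding, no further slashes).
CALLBACK_RE = re.compile(r"^/[A-Za-z0-9]{5,10}\?[A-Za-z]+=[A-Za-z]+(&[A-Za-z]+(=[A-Za-z]+)?)*$")
EXE_RE = re.compile(r"\.exe(\?|$)", re.IGNORECASE)

def classify(dst_port: int, host: str, method: str, uri: str) -> List[str]:
    """Return the heuristic reasons (assumed labels) a request resembles this campaign's traffic."""
    reasons = []
    if LANDING_RE.match(uri):
        reasons.append("blackhole-landing-url")
    if method == "GET" and EXE_RE.search(uri):
        reasons.append("exe-download")
    if method == "POST" and CALLBACK_RE.match(uri):
        reasons.append("nymaim-style-callback")
    if method == "POST" and host == "-":
        reasons.append("post-to-bare-ip")           # no Host name, only an IP address
    if dst_port not in (80, 443):
        reasons.append(f"http-on-port-{dst_port}")  # e.g. the port 35618 callbacks above
    return reasons

def scan(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious URI in the log to its reasons; requests with no hits are omitted."""
    hits = {}
    for line in log_text.splitlines():
        _ip, port, host, method, uri = line.split(maxsplit=4)
        reasons = classify(int(port), host, method, uri)
        if reasons:
            hits[uri] = reasons
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```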

PRELIMINARY MALWARE ANALYSIS

Java exploit from 66.84.17[.]101 (delivery.globalcdnnode[.]com):

https://www.virustotal.com/gui/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d

File name:  java-archive-from-delivery.globalcdnnode[.]com.jar
File size:  29.4 KB ( 29,404 bytes )

Malicious executable from 66.84.17[.]101 (delivery.globalcdnnode[.]com):

https://www.virustotal.com/gui/file/5fbcce025624741d66f092f6c322cce15a73a467b0042f07becd1957c4bd1b69

File name:  malicious-executable-from-delivery.globalcdnnode[.]com.exe
File size:  126.0 KB ( 125,952 bytes )

Malicious executable from 74.204.171[.]69 (main-firewalls[.]com):

https://www.virustotal.com/gui/file/a8caf61ef1dac3a91269c76b98db41530afccbaba81c28d6b2981bbcc8c7d55d

File name:  malicious-executable-from-main-firewalls[.]com.exe
File size:  161.3 KB ( 161,280 bytes )
