2013-11-15 - GONDAD EXPLOIT KIT DELIVERS GONDAD.EXE

NOTICE:

ASSOCIATED FILES:

 

NOTES:

I don't know if this was a coincidence, but the name of a malware EXE stored in an infected VM's temp folder matches the name of an exploit kit that triggered on the IDS.  In this case, two events triggered on a Gondad exploit kit, while the malware in the AppData\Local\Temp folder was named gondad.exe.


Screenshot from the infected VM.

Gondad is a Chinese crimeware exploit kit, and you can read more about it here or here.  Let's see what the infection traffic looks like...

SNORT EVENTS

 

I used Security Onion to monitor a vulnerable Windows VM running Java 6 update 25.  The infection traffic generated the following events in Sguil (all times GMT):

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

INITIAL INFECTION CHAIN

POST INFECTION CALLBACK TRAFFIC

 

INFECTION TRAFFIC DETAILS

IP address: 84.124.94[.]27 port 80
domain name: musculosysexo[.]com
HTTP request: GET /

Sguil events: None

Screenshot of traffic:


I couldn't figure out how it got from here to the next step in the infection chain.

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/index.html

Sguil event: ET CURRENT_EVENTS GondadEK Landing Sept 03 2013

Screenshot of traffic:

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/swfobject.js

Sguil event: ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013

Screenshot of traffic:

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/jpg.js

Sguil event: ET INFO JAVA - ClassID?

Screenshot of traffic:

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/vekqkr2.jpg

Sguil events:

Screenshot of traffic:

 

IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/com.class
HTTP request: GET /w3c/w/edu.class
HTTP request: GET /w3c/w/net.class
HTTP request: GET /w3c/w/org.class

Sguil events:

NOTE: These HTTP GET requests all returned a response of 404 Not Found.

 

IP address: 223.130.89[.]28 port 80
domain name: www.dcart[.]co[.]kr
HTTP request: GET /kcp/winlog.exe

Sguil event: ET POLICY PE EXE or DLL Windows file download

Screenshot of traffic:

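The request sequence above correlates well in proxy or Bro/Suricata HTTP logs even when the IDS signatures do not fire on every step. The script below is an added example, not code from the original post: it refangs the `[.]` indicators, parses a constructed log that replays this post's request sequence, and flags a client when a successful request for an image-named resource is followed by 404s for `.class` files from the same host and then a PE download. The 404s are the useful tell: after loading an archive, the applet class loader goes back to the codebase for classes it cannot find inside it, which is what the com/edu/net/org probes look like. The log format, the field names and the 60-second window are assumptions for the example; the second client in the sample is benign filler to show that a `.jpg` followed by an `.exe` alone does not trigger the check.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One HTTP transaction: timestamp, client IP, server IP, Host header, method, URI, status.
Record = namedtuple("Record", "ts client server host method uri status")

# Constructed sample log (not a real capture). The first client replays the request
# sequence documented in this post; the second client is benign filler that also
# fetches a .jpg and an .exe, to show the heuristic does not fire on that alone.
SAMPLE_LOG = """\
2013-11-15T14:40:01Z 192.168.1.50 84.124.94[.]27 musculosysexo[.]com GET / 200
2013-11-15T14:40:03Z 192.168.1.50 211.233.50[.]214 www.inkwa[.]co[.]kr GET /w3c/w/index.html 200
2013-11-15T14:40:03Z 192.168.1.50 211.233.50[.]214 www.inkwa[.]co[.]kr GET /w3c/w/swfobject.js 200
2013-11-15T14:40:04Z 192.168.1.50 211.233.50[.]214 www.inkwa[.]co[.]kr GET /w3c/w/jpg.js 200
2013-11-15T14:40:05Z 192.168.1.50 211.233.50[.]214 www.inkwa[.]co[.]kr GET /w3c/w/vekqkr2.jpg 200
2013-11-15T14:40:06Z 192.168.1.50 211.233.50[.]214 www.inkwa[.]co[.]kr GET /w3c/w/com.class 404
2013-11-15T14:40:06Z 192.168.1.50 211.233.50[.]214 www.inkwa[.]co[.]kr GET /w3c/w/edu.class 404
2013-11-15T14:40:06Z 192.168.1.50 211.233.50[.]214 www.inkwa[.]co[.]kr GET /w3c/w/net.class 404
2013-11-15T14:40:06Z 192.168.1.50 211.233.50[.]214 www.inkwa[.]co[.]kr GET /w3c/w/org.class 404
2013-11-15T14:40:08Z 192.168.1.50 223.130.89[.]28 www.dcart[.]co[.]kr GET /kcp/winlog.exe 200
2013-11-15T14:41:00Z 192.168.1.77 203.0.113[.]5 photos.example[.]test GET /gallery/photo.jpg 200
2013-11-15T14:41:02Z 192.168.1.77 203.0.113[.]5 photos.example[.]test GET /tools/setup.exe 200
"""


def refang(value):
    """Undo the [.] defanging used in the indicator lists above."""
    return value.replace("[.]", ".")


def parse_log(text):
    """Parse the whitespace-separated sample format into Record tuples (assumed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, host, method, uri, status = line.split()
        records.append(Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                              client, refang(server), refang(host), method, uri, int(status)))
    return records


def detect_ek_chains(records, window=timedelta(seconds=60), min_class_probes=2):
    """Return {client: summary} for clients matching: 200 for an image-named resource,
    then >= min_class_probes 404s for .class files from the same host within the
    window, then a 200 for a PE file (any host) within the window after the probes."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec.client].append(rec)

    hits = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)  # stable sort keeps log order for equal timestamps
        for i, cand in enumerate(recs):
            # Stage 1: candidate archive served under an image file name.
            if not (cand.status == 200 and cand.uri.lower().endswith((".jpg", ".gif", ".png"))):
                continue
            # Stage 2: class-loader probes for classes the archive did not contain.
            probes = [r for r in recs[i + 1:]
                      if r.host == cand.host and r.status == 404
                      and r.uri.lower().endswith(".class") and r.ts - cand.ts <= window]
            if len(probes) < min_class_probes:
                continue
            # Stage 3: payload download shortly after the probes.
            payload = next((r for r in recs
                            if r.ts >= probes[-1].ts and r.ts - probes[-1].ts <= window
                            and r.status == 200 and r.uri.lower().endswith((".exe", ".dll"))), None)
            if payload is None:
                continue
            # Earlier requests to the same host are the landing page and plugin-detect scripts.
            landing = [r.uri for r in recs if r.host == cand.host and r.ts < cand.ts]
            hits[client] = {
                "ek_host": cand.host,
                "archive_uri": cand.uri,
                "landing_uris": landing,
                "class_probes": len(probes),
                "payload": f"{payload.host}{payload.uri}",
            }
            break
    return hits


if __name__ == "__main__":
    for client, summary in detect_ek_chains(parse_log(SAMPLE_LOG)).items():
        print(client, summary)
```

The heuristic deliberately keys on behaviour rather than on the domain names in this post, which were dead or cleaned up long ago; the host and URI fields in the summary are there so an analyst can pivot to the pcap for the actual archive and executable.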
 

PRELIMINARY MALWARE ANALYSIS

Java exploit from 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr):

https://www.virustotal.com/gui/file/365d664cf30a569b56f829806fe57e8b31289515b8d5425fd83e3e465cf084fa

File name:  2013-11-15-java-exploit.jar
File size:  2.5 KB ( 2,463 bytes )

First submitted:  2013-11-16 01:07:06 GMT
This appears to be based on CVE-2011-3544, which is effective against Java 6 update 27 and earlier.

Java archive contents:
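Before a sample goes to VirusTotal it is worth confirming what the "image" the client fetched actually is. The following is an added example, not code from the original post: it builds a constructed stand-in archive in memory (the real exploit JAR is not reproduced), checks for the zip magic despite a `.jpg` file name, lists the entries, identifies class files by the `0xCAFEBABE` magic rather than by extension, and computes the SHA-256 that VirusTotal uses as the file identifier. The entry names and contents are constructed for the example.

```python
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a non-empty zip/JAR
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # Java class file magic
JPEG_MAGIC = b"\xff\xd8\xff\xe0"   # JFIF header, for the decoy entry below


def build_sample_jar():
    """Constructed stand-in for a JAR served under an image file name. Not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        # Only the magic matters for this check; the body is placeholder bytes.
        zf.writestr("Example.class", CLASS_MAGIC + b"\x00" * 16)
        # A genuine image inside the archive, to show extension is not what we key on.
        zf.writestr("res/logo.jpg", JPEG_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def sha256_hex(data):
    """SHA-256 in the hex form used as a VirusTotal file identifier."""
    return hashlib.sha256(data).hexdigest()


def inspect_jar(data, served_as):
    """Triage a downloaded blob: is it really a zip/JAR, does its name lie about that,
    what entries does it hold, and which of them are class files by magic."""
    summary = {
        "served_as": served_as,
        "sha256": sha256_hex(data),
        "is_zip": data.startswith(ZIP_MAGIC),
        "name_mismatch": False,
        "entries": [],      # (name, uncompressed size, is_class)
        "class_files": [],
    }
    if not summary["is_zip"]:
        return summary
    summary["name_mismatch"] = not served_as.lower().endswith((".jar", ".zip"))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            head = zf.read(info.filename)[:4]
            is_class = head == CLASS_MAGIC
            summary["entries"].append((info.filename, info.file_size, is_class))
            if is_class:
                summary["class_files"].append(info.filename)
    return summary


if __name__ == "__main__":
    report = inspect_jar(build_sample_jar(), "vekqkr2.jpg")
    print("sha256:", report["sha256"])
    print("zip:", report["is_zip"], "name mismatch:", report["name_mismatch"])
    for name, size, is_class in report["entries"]:
        print(f"  {name:28} {size:6d} bytes  {'class' if is_class else ''}")
```

Keying on the class magic instead of the `.class` extension matters because kits routinely store classes under innocuous names; keying on the zip magic instead of the URL matters for the same reason the archive here was named `vekqkr2.jpg`.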

Malicious binary downloaded from 223.130.89[.]28 port 80 (www.dcart[.]co[.]kr):

https://www.virustotal.com/gui/file/a71ba4a221ffb1c60c8c937548cf0ea91d2393969aaf2364454f0796f9f688d0

File name:  2013-11-15-malicious-binary.exe
File size:  46.6 KB ( 46,592 bytes )
First submitted:  2013-11-15 14:49:21 GMT

Most of the AV companies listed on the VirusTotal entry have identified this malware as a variant of Unruy.  Unruy appears to be a Trojan downloader.  We saw it call out, but no additional malware was downloaded in this case.

 
