2013-11-15 - GONDAD EXPLOIT KIT DELIVERS GONDAD.EXE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2013-11-15-Gondad-EK-traffic.pcap.zip 326.2 kB (326,172 bytes)
- 2013-11-15-Gondad-EK-malware.zip 39.6 kB (39,588 bytes)
- 2013-11-15-malware-analysis-of-Gondad-EK-payload.pdf.zip 113.4 kB (113,357 bytes)
NOTES:
I don't know if this was a coincidence, but the name of a malware EXE stored in an infected VM's temp folder matches the name of an exploit kit that triggered on the IDS. In this case, two events triggered on a Gondad exploit kit, while the malware in the AppData\Local\Temp folder was named gondad.exe.
Screenshot from the infected VM.
Gondad is a Chinese crimeware exploit kit that has been written up elsewhere. Let's see what the infection traffic looks like...
SNORT EVENTS
I used Security Onion to monitor a vulnerable Windows VM running Java 6 update 25. The infection traffic generated the following events in Sguil (all times GMT):
- 23:31:18 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52337 - ET CURRENT_EVENTS GondadEK Landing Sept 03 2013
- 23:31:18 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52338 - ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013
- 23:31:18 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52340 - ET INFO JAVA - ClassID?
- 23:31:29 - LOCAL_HOST port 52344 - 211.233.50[.]214 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
- 23:31:29 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- 23:31:29 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS Possible g01pack Jar download
- 23:31:29 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52344 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 23:31:29 - 211.233.50[.]214 port 80 - LOCAL_HOST port 52344 - ET TROJAN Java Archive sent when remote host claims to send an image
- 23:31:29 - LOCAL_HOST port 52345 - 211.233.50[.]214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
- 23:31:30 - LOCAL_HOST port 52346 - 211.233.50[.]214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
- 23:31:30 - LOCAL_HOST port 52347 - 211.233.50[.]214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
- 23:31:34 - LOCAL_HOST port 52348 - 211.233.50[.]214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
- 23:31:39 - 223.130.89[.]28 port 80 - LOCAL_HOST port 52349 - ET POLICY PE EXE or DLL Windows file download
INFECTION CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 84.124.94[.]27 - musculosysexo[.]com - compromised website that channeled traffic to the exploit page
- 211.233.50[.]214 - www.inkwa[.]co[.]kr - exploit page that delivered the java exploit
- 223.130.89[.]28 - www.dcart[.]co[.]kr - malware delivery domain that sent the malicious EXE
- 61.147.124[.]125 - count17.51yes[.]com - 51yes[.]com is a Chinese web-statistics (hit-counter) service that shows up in other malicious traffic; the two requests below report the exploit page as the visited location, so it most likely tracks visits to the landing page rather than delivering anything itself
INITIAL INFECTION CHAIN
- 23:31:14 - LOCAL_HOST port 52331 - 84.124.94[.]27 port 80 (musculosysexo[.]com) - GET /
- 23:31:19 - LOCAL_HOST port 52337 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/index.html
- 23:31:20 - LOCAL_HOST port 52338 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/swfobject.js
- 23:31:20 - LOCAL_HOST port 52340 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/jpg.js
- 23:31:20 - LOCAL_HOST port 52341 - 61.147.124[.]125 port 80 (count17.51yes[.]com) - GET /click.aspx?id=170133288&logo=3
- 23:31:22 - LOCAL_HOST port 52342 - 61.147.124[.]125 port 80 (count17.51yes[.]com) - GET /sa.htm?id=170133288&refe=&location=http%3A//www.inkwa[.]co[.]kr/w3c/w/index.html&[long string]
- 23:31:23 - LOCAL_HOST port 52343 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /favicon.ico
- 23:31:31 - LOCAL_HOST port 52344 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/vekqkr2.jpg [NOTE: Java exploit]
- 23:31:31 - LOCAL_HOST port 52345 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/com.class
- 23:31:32 - LOCAL_HOST port 52346 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/edu.class
- 23:31:32 - LOCAL_HOST port 52347 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/net.class
- 23:31:36 - LOCAL_HOST port 52348 - 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr) - GET /w3c/w/org.class
- 23:31:41 - LOCAL_HOST port 52349 - 223.130.89[.]28 port 80 (www.dcart[.]co[.]kr) - GET /kcp/winlog.exe [NOTE: malicious EXE]
POST INFECTION CALLBACK TRAFFIC
- 23:31:52 - Standard query 0xd8b9 A qqq.qesff[.]com
- 23:31:52 - Standard query response 0xd8b9 A 112.218.71[.]110
- 23:31:52 - LOCAL_HOST port 52350 - 112.218.71[.]110 port 8081 - [SYN]
- 23:31:52 - 112.218.71[.]110 port 8081 - LOCAL_HOST port 52350 - [SYN, ACK]
- 23:31:52 - LOCAL_HOST port 52350 - 112.218.71[.]110 port 8081 - [ACK]
- 23:31:52 - LOCAL_HOST port 52350 - 112.218.71[.]110 port 8081 - [PSH, ACK] 488 bytes
- 23:31:52 - 112.218.71[.]110 port 8081 - LOCAL_HOST port 52350 - [ACK]
INFECTION TRAFFIC DETAILS
IP address: 84.124.94[.]27 port 80
domain name: musculosysexo[.]com
HTTP request: GET /
Sguil events: None
Screenshot of traffic:
I couldn't figure out how it got from here to the next step in the infection chain.
IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/index.html
Sguil event: ET CURRENT_EVENTS GondadEK Landing Sept 03 2013
Screenshot of traffic:
IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/swfobject.js
Sguil event: ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013
Screenshot of traffic:
IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/jpg.js
Sguil event: ET INFO JAVA - ClassID?
Screenshot of traffic:
IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/vekqkr2.jpg
Sguil events:
- ET POLICY Vulnerable Java Version 1.6.x Detected
- ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
- ET CURRENT_EVENTS Possible g01pack Jar download
- ET INFO JAVA - Java Archive Download By Vulnerable Client
- ET TROJAN Java Archive sent when remote host claims to send an image
Screenshot of traffic:
IP address: 211.233.50[.]214 port 80
domain name: www.inkwa[.]co[.]kr
HTTP request: GET /w3c/w/com.class
HTTP request: GET /w3c/w/edu.class
HTTP request: GET /w3c/w/net.class
HTTP request: GET /w3c/w/org.class
Sguil events:
- ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
- ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
- ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
- ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
NOTE: These four HTTP GET requests all returned 404 Not Found. That is expected rather than a sign the exploit failed: the Rhino script engine treats com, edu, net and org as package roots, and when the exploit's script touches them the applet class loader asks the codebase for com.class, edu.class, net.class and org.class, which no real web server hosts. The four DRIVEBY signatures key on exactly this request pattern, which is why they fire on the requests themselves regardless of the response.
IP address: 223.130.89[.]28 port 80
domain name: www.dcart[.]co[.]kr
HTTP request: GET /kcp/winlog.exe
Sguil event: ET POLICY PE EXE or DLL Windows file download
Screenshot of traffic:
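The Sguil events above are each a check on one property of an HTTP transaction (a Java client UA with an old update level, a ZIP/JAR body behind an image extension or Content-Type, package-root .class requests, a PE body). The script below is an added example, not code from this page, from Security Onion or from the Emerging Threats ruleset, that applies those same checks to a constructed set of transactions mirroring the chain documented here and collapses them into the summary an analyst writes up. The hosts and URIs come from the page; the user-agent strings, status codes, Content-Type headers and body bytes are assumptions chosen to match what the signatures key on, not values copied from the pcap.

```python
"""Triage of HTTP transactions for the Java exploit-kit pattern seen above.

Added example, not code from the page, Security Onion or Emerging Threats.
Hosts and URIs are taken from the page; user agents, status codes,
Content-Type headers and body bytes are assumptions, not pcap values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CVE-2011-3544 (Rhino script engine sandbox bypass) was fixed in Java 6u29.
JAVA6_FIXED_UPDATE = 29
ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive, whatever the URL says
PE_MAGIC = b"MZ"           # DOS header that starts every Windows PE file
# Rhino treats com/edu/net/org as package roots; when the exploit script
# touches one, the applet class loader asks the codebase for "com.class" etc.
# No real site hosts such files, so these requests 404 (as on this page).
PACKAGE_CLASS_NAMES = {"com.class", "edu.class", "net.class", "org.class"}


@dataclass
class HttpTx:
    host: str
    uri: str
    user_agent: str
    status: int
    content_type: str
    body_head: bytes = b""  # first bytes of the response body


def java_version(user_agent: str) -> Optional[Tuple[int, int]]:
    """Parse 'Java/1.6.0_25' in a Java client UA into (6, 25); None if absent."""
    m = re.search(r"Java/1\.(\d+)\.0_(\d+)", user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(tx: HttpTx) -> List[str]:
    """Return the indicators one transaction matches, in the order checked."""
    hits: List[str] = []
    ver = java_version(tx.user_agent)
    java_client = ver is not None
    if java_client and ver[0] == 6 and ver[1] < JAVA6_FIXED_UPDATE:
        hits.append("vulnerable Java 1.6.x client")
    is_jar = tx.body_head.startswith(ZIP_MAGIC)
    name = tx.uri.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_jar and java_client and ext != "jar":
        hits.append("JAR download by Java UA with non-JAR extension")
    if is_jar and tx.content_type.lower().startswith("image/"):
        hits.append("JAR sent while server claims an image")
    if java_client and name in PACKAGE_CLASS_NAMES:
        hits.append("package-name .class request (Rhino-style applet)")
    if tx.body_head.startswith(PE_MAGIC):
        hits.append("PE EXE/DLL download")
    return hits


def summarize_chain(txs: List[HttpTx]) -> dict:
    """Collapse per-transaction hits into the chain an analyst writes up."""
    scored = [(t, triage(t)) for t in txs]
    exploit = [t for t, h in scored if "JAR sent while server claims an image" in h]
    probes = [t for t, h in scored
              if "package-name .class request (Rhino-style applet)" in h]
    payload = [t for t, h in scored if "PE EXE/DLL download" in h]
    return {
        "vulnerable_client": any("vulnerable Java 1.6.x client" in h for _, h in scored),
        "exploit_url": exploit[0].host + exploit[0].uri if exploit else None,
        "class_probes_404": sum(1 for t in probes if t.status == 404),
        "payload_url": payload[0].host + payload[0].uri if payload else None,
    }


# Constructed sample mirroring the chain above (UA strings and headers assumed).
BROWSER_UA = "Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0"
JAVA_UA = "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_25"  # Java 6u25, as on the VM
EK = "www.inkwa[.]co[.]kr"
SAMPLE_TXS = [
    HttpTx(EK, "/w3c/w/index.html", BROWSER_UA, 200, "text/html", b"<html>"),
    HttpTx(EK, "/w3c/w/swfobject.js", BROWSER_UA, 200, "application/javascript", b"var "),
    HttpTx(EK, "/w3c/w/jpg.js", BROWSER_UA, 200, "application/javascript", b"docu"),
    HttpTx(EK, "/w3c/w/vekqkr2.jpg", JAVA_UA, 200, "image/jpeg", ZIP_MAGIC + b"\x14\x00"),
    *(HttpTx(EK, "/w3c/w/" + n, JAVA_UA, 404, "text/html", b"<html>")
      for n in ("com.class", "edu.class", "net.class", "org.class")),
    HttpTx("www.dcart[.]co[.]kr", "/kcp/winlog.exe", JAVA_UA, 200,
           "application/octet-stream", PE_MAGIC + b"\x90\x00"),
]

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        print(tx.status, tx.host + tx.uri, "->", ", ".join(triage(tx)) or "-")
    print(summarize_chain(SAMPLE_TXS))
```

Run stand-alone it prints one line per transaction followed by the chain summary. The landing page and the two scripts produce no hits (they are served to the browser, not the Java client), the vekqkr2.jpg transaction trips the same three properties the Sguil JAR events describe, the four .class probes count as Rhino-style requests whatever their status, and winlog.exe is flagged on its MZ header rather than its extension, so a payload renamed to .jpg would still be caught.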
PRELIMINARY MALWARE ANALYSIS
Java exploit from 211.233.50[.]214 port 80 (www.inkwa[.]co[.]kr):
https://www.virustotal.com/gui/file/365d664cf30a569b56f829806fe57e8b31289515b8d5425fd83e3e465cf084fa
File name: 2013-11-15-java-exploit.jar File size: 2.5 KB (2,463 bytes)
First submitted: 2013-11-16 01:07:06 GMT
This appears to be based on CVE-2011-3544, the Rhino script engine sandbox bypass, which is effective against Java 6 Update 27 and earlier (Oracle fixed it in Java 6 Update 29 and Java 7 Update 1). The VM's Java 6 Update 25 was therefore vulnerable, which matches the four Rhino DRIVEBY events above.
Java archive contents:
Malicious binary downloaded from 223.130.89[.]28 port 80 (www.dcart[.]co[.]kr):
https://www.virustotal.com/gui/file/a71ba4a221ffb1c60c8c937548cf0ea91d2393969aaf2364454f0796f9f688d0
File name: 2013-11-15-malicious-binary.exe File size: 46.6 KB (46,592 bytes)
First submitted: 2013-11-15 14:49:21 GMT
Most of the AV vendors listed on the VirusTotal entry identify this malware as a variant of Unruy, which appears to be a Trojan downloader. We saw it call out to qqq.qesff[.]com (112.218.71[.]110) on TCP port 8081 and push 488 bytes, which the server only acknowledged in the captured traffic; no additional malware was downloaded in this case.