2013-12-09 - WHITEHOLE EXPLOIT KIT

ASSOCIATED FILE:

• ZIP of the PCAP:  2013-12-09-Whitehole-EK-traffic.pcap.zip

 

NOTES:

Reports about the Whitehole exploit kit started appearing in early February 2013:

• http://blog.trendmicro.com/trendlabs-security-intelligence/whitehole-exploit-kit-emerges/
• http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html
• http://www.pcworld.com/article/2027596/new-whitehole-exploit-toolkit-emerges-on-the-underground-market.html

I hadn't noticed anything on this specific exploit, until I ran across an example this past week.  I've identified this traffic as Whitehole from two signature matches from the Emergingthreats signature set on Security Onion.

Let's look at the traffic from a vulnerable host...

 

SNORT EVENTS

• 217.23.15.220 port 80 - local_host port 49225 - ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64
• 217.23.15.220 port 80 - local_host port 49225 - ET CURRENT_EVENTS WhiteHole Exploit Landing Page
• 217.23.15.220 port 80 - local_host port 49225 - ET INFO JAVA - ClassID
• local_host port 49259 - 217.23.15.220 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
• local_host port 49259 - 217.23.15.220 port 80 - ET CURRENT_EVENTS WhiteHole Exploit Kit Jar Request
• 217.23.15.220 port 80 - local_host port 49259 - ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain
• 217.23.15.220 port 80 - local_host port 49259 - ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager
• 217.23.15.220 port 80 - local_host port 49259 - ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits
• 217.23.15.220 port 80 - local_host port 49261 - ET POLICY PE EXE or DLL Windows file download
• 217.23.15.220 port 80 - local_host port 49261 - ET POLICY Java EXE Download
• 217.23.15.220 port 80 - local_host port 49261 - ET MALWARE Possible Windows executable sent when remote host claims to send html content
• 217.23.15.220 port 80 - local_host port 49261 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

• 23.218.156.83 - www.kffl.com - Web page from comrpomised website
• 88.198.0.59 - xn--80ahbafij2anccd2q.xn--p1ai - domain that redirected to the Whitehole exploit
• 217.23.15.220 - aa1386641701.ponytherabbit.biz - Whitehole exploit domain that delivered the exploit and malware
• 50.22.134.3 - www.dana123.com - associated domain working in conjuction with the Whitehole exploit
• 108.168.246.235 - www.rightmedia.com - refered from the Whitehole exploit domain and redirects to HTTPS

INITIAL INFECTION CHAIN

• 23.218.156.83 (www.kffl.com) - GET /gnews.php?id=884107-mlb-jeff-francoeur-had-lasik-surgery
• 23.218.156.83 (www.kffl.com) - GET /includes/scripts.js
• 88.198.0.59 (xn--80ahbafij2anccd2q.xn--p1ai) - GET /web/1.php
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/30f29ae/?cmpid=333333
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/dj.js
• 50.22.134.3 (www.dana123.com) - GET /index.php?ref=mediaclickinc
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/931b3/?java=333333
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /2/ex1.php?cmpid=333333
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /2/
• 108.168.246.235 (www.rightmedia.com) - GET /
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/7e.jar?java=333333
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/30f29ae/app.jnlp
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/7e.jar?java=333333
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/30f29ae/app.jnlp
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/30f29ae/app.jnlp
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/7e.jar?java=333333
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/7e.jar?java=333333
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/-148529710/?page=333333
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/333333.exe
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/support/-148529710/?page=33333302
• 217.23.15.220 (aa1386641701.ponytherabbit.biz) - GET /temp/min.exe

 

INITIAL PATH TO INFECTION

IP address: 23.218.156.83 port 80
domain name: www.kffl.com
HTTP request: GET /gnews.php?id=884107-mlb-jeff-francoeur-had-lasik-surgery

Screenshot of traffic:

 

IP address: 23.218.156.83 port 80
domain name: www.kffl.com
HTTP request: GET /includes/scripts.js

Screenshot of traffic:

 

IP address: 88.198.0.59 port 80
domain name: xn--80ahbafij2anccd2q.xn--p1ai
HTTP request: GET /web/1.php

Screenshot of traffic:

And the infection traffic from the Whitehole domain starts from there.  Normally, I'd comb through this and present a bit more information; however, I haven't had time lately, so I've created this blog entry as is.  I've provided the PCAP for anyone who wants to review it more and see all of the traffic on an infection from a suspected Whitehole exploit.  The PCAP shows a Java exploit and two malicious binaries passed to the vulnerable host, and it was infected.

 

FINAL NOTES

Once again, here is the associated file:

• ZIP of the PCAP:  2013-12-09-Whitehole-EK-traffic.pcap.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.