2013-12-09 - WHITEHOLE EXPLOIT KIT

NOTICE:

ASSOCIATED FILE:


NOTES:

Reports about the Whitehole exploit kit started appearing in early February 2013:

I hadn't noticed anything on this specific exploit kit until I ran across an example this past week.  I identified this traffic as Whitehole from two signature matches in the Emerging Threats signature set on Security Onion.

Let's look at the traffic from a vulnerable host...


IDS EVENTS

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

INITIAL INFECTION CHAIN


INITIAL PATH TO INFECTION

IP address: 23.218.156[.]83 port 80
domain name: www.kffl[.]com
HTTP request: GET /gnews.php?id=884107-mlb-jeff-francoeur-had-lasik-surgery

Screenshot of traffic:


IP address: 23.218.156[.]83 port 80
domain name: www.kffl[.]com
HTTP request: GET /includes/scripts.js

Screenshot of traffic:


IP address: 88.198.0[.]59 port 80
domain name: xn--80ahbafij2anccd2q[.]xn--p1ai
HTTP request: GET /web/1.php

Screenshot of traffic:

And the infection traffic from the Whitehole domain starts from there.  Normally, I'd comb through this and present a bit more information; however, I haven't had time lately, so I've created this blog entry as is.  I've provided the pcap for anyone who wants to review it and see all of the traffic from an infection by a suspected Whitehole exploit kit.  The pcap shows a Java exploit and two malicious binaries delivered to the vulnerable host, which was infected.
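The three requests above are enough to reconstruct the chain by hand, but the exploit-kit domain is a punycode (xn--) IDN under the Russian .рф ccTLD, and that is easy to miss when reading raw HTTP logs.  The following Python is an added example, not code from the original post: it takes the three requests listed above (constructed here as a small list, in the order they appear in the post), decodes any IDN hostnames to their Unicode form, defangs them for reporting, and labels each step.  The "compromised site" versus "exploit kit / redirect" labeling is a simplifying assumption (first host seen is the landing site; anything else is treated as redirect or kit infrastructure), not something the post states.

```python
# Added example (not from the original post): reconstruct the infection chain
# from the three HTTP requests in the post and decode the punycode (xn--) domain
# of the Whitehole landing page.
from collections import namedtuple

Request = namedtuple("Request", "ip port host uri")

# Constructed from the request details in the post, in the order they appear.
REQUESTS = [
    Request("23.218.156.83", 80, "www.kffl.com",
            "/gnews.php?id=884107-mlb-jeff-francoeur-had-lasik-surgery"),
    Request("23.218.156.83", 80, "www.kffl.com", "/includes/scripts.js"),
    Request("88.198.0.59", 80, "xn--80ahbafij2anccd2q.xn--p1ai", "/web/1.php"),
]


def decode_idn(host):
    """Return the Unicode form of a hostname containing xn-- (ACE) labels.

    Hosts with no ACE labels are returned unchanged.  Python's idna codec
    verifies that the decoded name round-trips back to the same ACE string;
    if it does not (malformed or hostile log data), keep the raw host rather
    than raising, because this runs over untrusted input.
    """
    if not any(label.startswith("xn--") for label in host.lower().split(".")):
        return host
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def defang(host):
    """Bracket the final dot so the indicator is not clickable when pasted."""
    head, sep, tld = host.rpartition(".")
    return f"{head}[.]{tld}" if sep else host


def infection_chain(requests):
    """Walk the requests in order and label each step.

    Assumption (not from the post): the first host seen is the compromised
    landing site; any other host is redirect or exploit-kit infrastructure.
    Returns a list of (step, defanged host, decoded host, uri, role) tuples.
    """
    if not requests:
        return []
    landing = requests[0].host
    chain = []
    for step, req in enumerate(requests, 1):
        role = "compromised site" if req.host == landing else "exploit kit / redirect"
        chain.append((step, defang(req.host), decode_idn(req.host), req.uri, role))
    return chain


if __name__ == "__main__":
    for row in infection_chain(REQUESTS):
        print(" | ".join(str(field) for field in row))
```

The decoded Unicode form is what you would search for in passive DNS or WHOIS data, while the defanged ACE form is what belongs in a report; keeping both in the same row avoids confusing the two.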
