2013-12-23 - NEUTRINO EXPLOIT KIT CAUSES RANSOMWARE INFECTION

NOTICE:

ASSOCIATED FILES:


NOTES:

It's been a while since I've hit any ransomware when purposely infecting a vulnerable host.  Up to this point, I hadn't run across any malware that accuses the victim of viewing child pornography.  That changed with the most recent infection from my lab environment:


The above image is from a computer infected by Reveton ransomware.  Any questionable content has been blacked out.

The infection traffic was different than what I usually see.  In this traffic, three exploit domains are involved, but only one was successful.  The infection was delivered by Neutrino exploit kit (EK).  Let's take a look at the traffic...


SNORT EVENTS

I used Security Onion to monitor a vulnerable VM running an unpatched version of Windows 7 SP1 with IE 8 and Java 6 Update 25.  The infection traffic generated the following events in Sguil:


INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

NOTE: The exploit traffic from aa1387852202.restofthebesta[.]com matches the Whitehole exploit pattern seen in my blog entry on 09 Dec 2013 (link).  This traffic results in an infection tree where one exploit was successful, but the other one was not:



SEQUENCE OF EVENTS

Compromised website:

Initial HTTP GET request to the first exploit domain:

All other HTTP requests to the malicious domains:

Callback traffic noted from the pcap after it was infected with the ransomware:


INFECTION CHAIN DETAILS

IP address: 72.9.156[.]112 port 80
domain name: brixton-beds[.]co[.]uk  (the infected web page)
HTTP request: GET /index.php

Sguil events: None

Screenshot of traffic:


IP address: 217.23.15[.]230 port 80
domain name: flirtlivejasmin[.]com   (the first malicious domain)
HTTP request: GET /temp/support/61erw6dfdsf/?cmpid=983299

Sguil events: None

Screenshot of traffic:


IP address: 217.23.15[.]230 port 80
domain name: flirtlivejasmin[.]com
HTTP requests:

Sguil events: ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure

NOTE: This is where the infection chain branches off into two new domains.  Screenshot of traffic:


The Whitehole exploit from aa1387852202.restofthebesta[.]com (and flirtlivejasmin[.]com) didn't work; however, the Neutrino exploit from thiteeso.borotomo[.]com did.  Here are the HTTP requests for the Neutrino exploit traffic:


The malicious executable was XOR-ed with the ASCII string mlvr (all lower case) when it came through after the 200 OK header:


I extracted the binary from the pcap using Wireshark and deobfuscated it with a Perl script.
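A Python reimplementation of that deobfuscation step, added here as an example; it is not the Perl script from the original post.  The key mlvr is the one observed in this traffic, the HTTP response it decodes is a constructed stand-in for the real capture, and the MZ/PE signature check is an added sanity test that tells you the key was right before you bother submitting the file anywhere:

```python
import struct

XOR_KEY = b"mlvr"  # repeating key observed in this Neutrino EK traffic


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, cycling the key as needed (symmetric)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def http_body(raw_response: bytes) -> bytes:
    """Return the payload that follows the 200 OK header block of a raw HTTP response."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0]
    if not sep or not status.startswith(b"HTTP/1.") or b" 200 " not in status:
        raise ValueError("expected a complete 200 OK header block")
    return body


def is_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def deobfuscate_payload(raw_response: bytes, key: bytes = XOR_KEY) -> bytes:
    """Strip the HTTP header, XOR-decode the body and refuse anything that is not a PE file."""
    decoded = xor_repeating(http_body(raw_response), key)
    if not is_pe(decoded):
        raise ValueError("decoded data is not a PE file: wrong key or truncated capture")
    return decoded


def build_sample_response() -> bytes:
    """Constructed test input: a minimal MZ/PE skeleton XOR-ed with 'mlvr' behind a 200 OK header."""
    stub = bytearray(b"MZ" + b"\0" * 0x7E)            # 0x80 bytes of DOS header and stub
    struct.pack_into("<I", stub, 0x3C, 0x80)            # e_lfanew -> PE signature at 0x80
    pe = bytes(stub) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 18  # PE sig + file header (Machine = i386)
    header = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n" % len(pe)
    return header + xor_repeating(pe, XOR_KEY)


if __name__ == "__main__":
    exe = deobfuscate_payload(build_sample_response())
    print("recovered %d bytes, PE signature present: %s" % (len(exe), is_pe(exe)))
```

On a real capture, export the raw TCP stream of the 200 OK response from Wireshark and pass those bytes to deobfuscate_payload; a ValueError means the key or the capture boundary is off, not that the script ran fine.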


PRELIMINARY MALWARE ANALYSIS

Whitehole Java exploit:

https://www.virustotal.com/gui/file/503b7243d86b7ae541672a080e0742c566e90acd95312f773f60968b2fa25552

File name:  7e.jar
File size:  8.1 KB ( 8,069 bytes )
First submitted:  2013-11-28 09:32:20 GMT

Java archive contents:


Neutrino Java exploit:

https://www.virustotal.com/gui/file/3b18e94ae4226f56f7c6d289402521da604ce76172d19c23bc9b3ac188066893

File name:  2013-12-23-java-exploit.jar
File size:  20.0 KB ( 19,690 bytes )
First submitted:  2013-12-23 15:42:34 GMT

Java archive contents:


Malware delivered by the Neutrino EK:

https://www.virustotal.com/gui/file/df24d322146a8a10fc87f20ff08bb1fa8972ae28666f6bca558358f66f8ab691

File name:  2013-12-23-malware.exe
File size:  114.7 KB ( 114,688 bytes )
First submitted:  2013-12-26 02:09:41 GMT
Malwr analysis:  (no longer available)

Malware icon and details:

NOTE: The malwr.com analysis of the EXE doesn't show any callback traffic.  The pcap shows callback traffic consisting of HTTP POST requests to 31.207.6[.]161 over port 80.  The third HTTP POST returned 347 KB of data (obfuscated or encrypted somehow), which was probably more malware.  In general, most of the HTTP POST requests looked like this:

Information for callback IP address:  31.207.6[.]161
IP location:  Czech Republic, Zlin - used by CEU Servers S.R.O.
NOTE:  CEU stands for Central European Servers, and this is a hosting provider (www.ceuservers.net)
Reverse IP:  1 website uses this address. (example: gambolporn[.]com)
