2013-12-26 - GOON EXPLOIT KIT TRAFFIC

NOTES:

The Goon Exploit Kit (EK) was discovered by the Sourcefire Vulnerability Research Team (VRT) on November 21st 2013, and signatures appeared in the EmergingThreats signature set by November 25th.

Aside from the initial Sourcefire VRT blog entry, I haven't found any analysis of Goon EK traffic.  Fortunately, I ran across some traffic that triggered Goon EK events from the EmergingThreats signature set.  Now we can take a closer look at the traffic.

As always, I used Security Onion with the default signature set to monitor the traffic.  The infected host was a Windows 7 VM running IE 10 and Java 7 update 13.

Let's look at the traffic...

 

SNORT EVENTS

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

INITIAL INFECTION CHAIN

The VM was infected on 26 Dec 2013, and all times below are CST.  The malware was delivered 20 seconds after viewing the compromised web page.  The callback traffic occurred 1 minute and 10 seconds after the malware was delivered.

As indicated below in the Wireshark HTTP object list, Z.jar is the Java exploit, and 150341.mp3 is the malware payload, which is actually an EXE file and not an MP3.

 

EXPLOIT TRAFFIC DETAILS

IP address: 120.138.17[.]201 port 80
domain name: thejoyfullife[.]co[.]nz  (the compromised web page)
HTTP request: GET /

Screenshot of traffic:

 

IP address: 91.197.230[.]10 port 80
domain name: itforsmallbusinesses[.]co[.]uk  (the Goon EK domain)
HTTP request: GET /object/ca/item/viewer.php?swap_lid=10AD3D0A4BB64F71DABE2B69E4

Screenshot of traffic:

 

IP address: 91.197.230[.]10 port 80
domain name: itforsmallbusinesses[.]co[.]uk
HTTP request: GET /updater/Z.xml

Sguil events:

Screenshot of traffic:

 

IP address: 91.197.230[.]10 port 80
domain name: itforsmallbusinesses[.]co[.]uk
HTTP request: GET /updater/Z.jar

Sguil events:

Screenshot of traffic:

 

IP address: 91.197.230[.]10 port 80
domain name: itforsmallbusinesses[.]co[.]uk
HTTP request: GET /updater/150341.mp3

Sguil event:

Screenshot of traffic:

I originally thought the EXE payload was a simple XOR with the ASCII string m3S4V because of how the TCP stream looked as it came over the network.  However, the binary wasn't encoded using a simple XOR of an ASCII string.  I tried the Perl script I normally use to decode these XOR-ed binaries, and it didn't work.  Fortunately, I retrieved a decoded copy of the EXE payload from the AppData\Local\Temp directory.
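The XOR attempt described above, as an added example that is not the author's Perl script: a repeating-key XOR decoder that only accepts its output when the result looks like a PE file, so a wrong key guess (the situation the author hit) is rejected instead of being written out as garbage. The key m3S4V is the one named in the post; the sample bytes are constructed here and are not the real 150341.mp3.

```python
"""Repeating-key XOR decode of a captured payload, validated by PE header checks.

Added example, not code from the original post.  The key 'm3S4V' comes from
the write-up; the sample bytes below are constructed, not the real payload.
"""
import struct
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating ASCII key (symmetric: the same call encodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Minimal sanity check: 'MZ' magic, plausible e_lfanew, 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_xor_decode(encoded: bytes, key: str):
    """Return the decoded bytes if `key` yields a valid-looking PE, else None.

    Returning None is the point: a key guess that does not produce a PE
    (as with the post's suspected key) fails loudly rather than silently.
    """
    decoded = xor_with_key(encoded, key.encode("ascii"))
    return decoded if looks_like_pe(decoded) else None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a tiny PE: MZ header, e_lfanew=0x80, PE signature."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos_header, 0x3C, 0x80)
    padding = b"\x00" * (0x80 - len(dos_header))
    return bytes(dos_header) + padding + b"PE\x00\x00" + b"\x00" * 20


# Constructed "on the wire" sample: the stand-in PE encoded with the key the
# author initially suspected.  With the real capture, the key would be a guess.
SAMPLE_KEY = "m3S4V"
SAMPLE_ENCODED = xor_with_key(build_sample_pe(), SAMPLE_KEY.encode("ascii"))

if __name__ == "__main__":
    for candidate in (SAMPLE_KEY, "wrong"):
        result = try_xor_decode(SAMPLE_ENCODED, candidate)
        print(candidate, "->", "valid PE" if result else "rejected, not a PE")
```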

 

POST-INFECTION TRAFFIC

The next HTTP GET request is a post-infection check-in.  It's related to the malware payload, not the exploit kit used to infect the computer.

IP address: 85.17.95[.]243 port 80
domain name: sqvpt[.]com  (the post-infection callback domain)
HTTP request: GET /bttc-usosbttcus-osbt-tcus_osbt_tcusosbttcusosbttcusosbttcusosbttcusospmrhvlvbwa-lfps-iaejqllfvm-uxct-nepmvvlhlpjosulh-bsjpwsaotwptscpyahbazsgx.php

Sguil event:

Screenshot of traffic:

What was the infection, you ask?

It's ransomware accusing you of disseminating pornography!  President Obama looks so disappointed.

 

PRELIMINARY MALWARE ANALYSIS

Java exploit used in this Goon EK traffic:

https://www.virustotal.com/gui/file/07d632a4315bf7415b03348407b2ea89e014e0bdb9ecf5527d43b8c5a1938cf5

File name:  Z.jar
File size:  13.6 KB ( 13,558 bytes )
First submitted:  2013-12-29 06:45:06 GMT

Java archive contents:

Based on the VirusTotal results, this might be an exploit for CVE-2013-2460.

 

EXE payload delivered by the Java exploit:

https://www.virustotal.com/gui/file/c6434882e55712d7810e692241d92f4e875495bc8d0e31362b358b719ef29a05

File name:  150341.mp3.decoded
File size:  19.7 KB ( 19,690 bytes )
First submitted:  2013-12-29 23:30:30 GMT

Malware icon and details:

 
