Malware-Traffic-Analysis.net - 2014-03-09 - Two examples of Fiesta EK traffic

2014-03-09 - TWO EXAMPLES OF FIESTA EK TRAFFIC - ONE FAILED, THE OTHER SUCCESSFUL

ASSOCIATED FILES:

ZIP of the PCAPS: 2014-03-09-Fiesta-EK-pcaps.zip
ZIP file of the malware: 2014-03-09-Fiesta-EK-malware.zip

NOTES:

With a few exceptions, the Fiesta EK traffic I've seen for the past several months generally falls into two categories:

Forum website -> redirect -> then to a Fiesta EK domain ending in .in.ua
No redirect--goes from compromised site to a Fiesta EK domain ending in .hopto.org

In the past week or so, I haven't found many examples of Fiesta EK to in.ua domains. Even with the few leads I've gotten, I haven't been able to infect a VM. I've had more success with Fiesta EK traffic to hopto.org.

This blog entry shows examples I've seen lately--failed Fiesta EK infection chains to in.ua and successful ones to hopto.org.

UNSUCCESSFUL FIESTA EK INFECTION CHAIN TO [RANDOM PREFIX].IN.UA

ASSOCIATED DOMAINS

208.43.210.234 - www.electriciantalk.com - Compromised website
190.123.47.198 - teleleksi.com - Redirect
x64.202.116.124 - azxcvb.in.ua - Fiesta EK

CHAIN OF EVENTS

15:56:52 UTC - 192.168.204.180:49354 - 208.43.210.234:80 - www.electriciantalk.com - GET /f30/explain-120-208v-7538/
15:56:53 UTC - 192.168.204.180:49366 - 190.123.47.198:80 - teleleksi.com - GET /oqsikjzyh.js?7bd5df4620529f4d
15:56:54 UTC - 192.168.204.180:49373 - 64.202.116.124:80 - azxcvb.in.ua - GET /9wmv8zr/?1
15:56:54 UTC - 192.168.204.180:49406 - 64.202.116.124:80 - azxcvb.in.ua - GET /9wmv8zr/%C2%80

EMERGING THREATS SNORT SIGNATURE HITS (from Security Onion)

2014-03-09 15:56:53 UTC - 192.168.204.180:49366 -> 190.123.47.198:80
- ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection

2014-03-09 15:56:54 UTC - 192.168.204.180:49373 -> 64.202.116.124:80
- ET CURRENT_EVENTS FiestaEK js-redirect
- ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit

2014-03-09 15:56:54 UTC - 64.202.116.124:80 -> 192.168.204.180:49373
- ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013

HIGHIGHTS FROM THE TRAFFIC

Javascript on page from infected web server - www.electriciantalk.com/f30/explain-120-208v-7538/

Redirect to the Fiesta EK domain - teleleksi.com/oqsikjzyh.js?7bd5df4620529f4d

Traffic made it to the Fiesta EK landing page; however, the next HTTP GET request returned a 404 Not Found, and no further EK traffic was noted.

SUCCESSFUL FIESTA EK INFECTION CHAIN TO [RANDOM PREFIX].HOPTO.ORG

ASSOCIATED DOMAINS

80.237.190.38 - www.disclose.tv - Compromised website
64.202.116.124 - dllumfqd.hopto.org - Fiesta EK

POST-INFECTION CALLBACK DOMAINS:

50.2.98.81 - aaukqiooaseseuke.org
50.7.74.26 - 50.7.74.26
212.117.180.190 - searchwalker.com
216.21.215.30 - koonzie.com
204.137.28.195 - kc.mv.bidsystem.com and v10.xmlsearch.adkapi.net

INFECTION CHAIN OF EVENTS

16:09:56 UTC - 192.168.204.181:49172 - 80.237.190.38:80 - www.disclose.tv - GET /action/viewvideo/168328/Power_in_Kiev_has_nothing_to_do_with_democracy_Vitaly_Churkin__RT/
16:09:59 UTC - 192.168.204.181:49186 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/counter.php?id=2
16:09:59 UTC - 192.168.204.181:49188 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?2
16:10:05 UTC - 192.168.204.181:49238 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?75692c83f62e483f4459400200580a0501040f02060108080206075a0b51080b;5110411
16:10:17 UTC - 192.168.204.181:49284 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?5ee813b8091f18b35f0b09030308500e03545c03055152030056545b08015200
16:10:17 UTC - 192.168.204.181:49239 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?1dcf2f3dd3efc87a5214085d005d015207555a5d0604035f045752050b54035c;6
16:10:18 UTC - 192.168.204.181:49293 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?1dcf2f3dd3efc87a5214085d005d015207555a5d0604035f045752050b54035c;6;1
16:10:18 UTC - 192.168.204.181:49291 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?12668e96ba51ad8e5e5d540d0a5e0b0007030f0d0c07090d0401075501570857
16:10:18 UTC - 192.168.204.181:49292 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?12668e96ba51ad8e5e5d540d0a5e0b0007030f0d0c07090d0401075501570857
16:10:23 UTC - 192.168.204.181:49301 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?76db085318e4f7dc544e01590203070501075d59045a050802055501090a050b;1;4
16:10:24 UTC - 192.168.204.181:49303 - 64.202.116.124:80 - dllumfqd.hopto.org - GET /y2x3wz6/?76db085318e4f7dc544e01590203070501075d59045a050802055501090a050b;1;4;1

POST-INFECTION CALLBACK TRAFFIC

NOTE: The malware payload didn't properly run in the VM, so I moved it to a physical host and ran it from the AppData\Local\Temp folder.

18:31:45 UTC - 192.168.1.104:49158 - 74.125.227.116:80 - www.google.com - GET /
18:31:45 UTC - 192.168.1.104:49159 - 50.2.98.81:80 - aaukqiooaseseuke.org - POST /
18:31:50 UTC - 192.168.1.104:49160 - 74.125.227.116:80 - www.google.com - GET /
18:32:09 UTC - 192.168.1.104:49161 - 212.117.180.190:80 - searchwalker.com - GET /
18:32:15 UTC - 192.168.1.104:49162 - 212.117.180.190:80 - searchwalker.com - GET /search.png
18:32:28 UTC - 192.168.1.104:49163 - 50.7.74.26:80 - 50.7.74.26 - GET /c/1394389930224S2894S378S0
18:32:29 UTC - 192.168.1.104:49164 - 204.137.28.195:80 - kc.mv.bidsystem.com - GET /bin/findwhat.dll?clickthrough&y=79750&x=lXxJqZV5SbCqGpV4CzRfJiNXIzz0ohkUUiiJViCEM
2CbHcK3yGyNvRqznpohqoDbMp63HZUCaqsGGtmNBn68NKg1NvmeToU3He71NsNCOnr1V64ixlwpvSvw3;PHHV0TdibxkWOgvBqeAP6pxYxXEQrZKaabndVpKVNCFj8zMC3N3Fpbq;;
nKhRHA;wYkmqABGXTZYk6KfLpEoxCKSBUK3bnDLlenUAiJ:ppEbl2CbJ3zHS9VFYTznzTqALHKJVCyD8iJBaNJWFZdTogJrqNDMOYOQw3VeU5BvP1ALcCa;S6GjPgZbJnZxb6nf7YTlo
Hnr0AF2GNvSb6VjkHTlwW$7N
18:32:34 UTC - 192.168.1.104:49165 - 204.137.28.195:80 - v10.xmlsearch.adkapi.net - GET /ppc/click-audit.js
18:32:34 UTC - 192.168.1.104:49166 - 204.137.28.195:80 - v10.xmlsearch.adkapi.net - GET /ppc/swfobject.js
18:32:42 UTC - 192.168.1.104:49167 - 204.137.28.195:80 - kc.mv.bidsystem.com - GET /ppc/CacheFlashCheck.aspx?op=SET&k=CFC_1996D15C-B44F-4977-9589-1AB92BA0EF07&v=1&ex=90
18:32:44 UTC - 192.168.1.104:49168 - 216.21.215.30:80 - koonzie.com - GET /
NOTE: This traffic pattern periodically itself repeats every few minutes. See the associated PCAP for details.

PRELIMINARY MALWARE ANALYSIS

JAVA EXPLOIT

File name: 2014-03-09-Fiesta-EK-java-exploit.jar
File size: 7.3 KB ( 7440 bytes )
MD5 hash: 8ac637b3170492da2dd35148b1b85b03
Detection ratio: 0 / 50
First submission: 2014-03-09 18:16:51 UTC
VirusTotal link: https://www.virustotal.com/en/file/3c4a475c7bf334eff3baed3adfad18dae63df8fa925630478b9eedbd94f351d5/analysis/

SILVERLIGHT EXPLOIT

File name: 2014-03-09-Fiesta-EK-silverlight-exploit.xap
File size: 5.0 KB ( 5109 bytes )
MD5 hash: 57fa05107118a89590449dc55d715bc2
Detection ratio: 6 / 49
First submission: 2014-03-09 18:17:05 UTC
VirusTotal link: https://www.virustotal.com/en/file/c9fb7cbbc084f64ec44cd93eb294920cf801f37bfca42d37f5d7dd0aaa83fedb/analysis/

MALWARE PAYLOAD

Saved to the user's AppData\Local\Temp folder as: 01394381425253.exe
File name: 2014-03-09-Fiesta-EK-malware-payload.exe
File size: 108.0 KB ( 110592 bytes )
MD5 hash: 114592e7c29d7828c8295a364ef0488a
Detection ratio: 5 / 50
First submission: 2014-03-09 18:17:25 UTC
VirusTotal link: https://www.virustotal.com/en/file/f18d369dafce181cd083ca56eefb6ff8c77a6ca8634156c4fa4bb4831403e936/analysis/
Malwr link: https://malwr.com/analysis/OWU5OGMzNTY3OTcxNGUwYmJlOGQ3NTQ2ZjNmNTcyYTY/

SNORT EVENTS

SNORT EVENTS FOR INFECTION TRAFFIC (from Sguil on Security Onion)

2014-03-09 16:09:58 UTC - 80.237.190.38:80 -> 192.168.204.181:49172
- ET CURRENT_EVENTS Injection - var j=0

2014-03-09 16:09:59 UTC - 192.168.204.181:49188 -> 64.202.116.124:80
- ET CURRENT_EVENTS FiestaEK js-redirect
- ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit

2014-03-09 16:10:05 UTC - 192.168.204.181:49238 -> 64.202.116.124:80
- ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex

2014-03-09 16:10:06 UTC - 64.202.116.124:80 -> 192.168.204.181:49238
- ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention

2014-03-09 16:10:17 UTC - 192.168.204.181:49284 -> 64.202.116.124:80
- ET POLICY Vulnerable Java Version 1.7.x Detected
- ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain
- ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii

2014-03-09 16:10:17 UTC - 64.202.116.124:80 -> 192.168.204.181:49284
- ET CURRENT_EVENTS Possible J7u21 click2play bypass

2014-03-09 16:10:18 UTC - 64.202.116.124:80 -> 192.168.204.181:49291
- ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
- ET CURRENT_EVENTS Possible Fiesta Jar with four-letter class names
- ET INFO JAVA - Java Archive Download By Vulnerable Client
- ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
- ET TROJAN Generic - 8Char.JAR Naming Algorithm

HIGHLIGHTS FROM THE TRAFFIC

Javascript on page from infected web server that generates reqeust to Fiesta EK domain:
www.disclose.tv/action/viewvideo/168328/Power_in_Kiev_has_nothing_to_do_with_democracy_Vitaly_Churkin__RT

Fiesta EK delivers Silverlight exploit:
dllumfqd.hopto.org/y2x3wz6/?75692c83f62e483f4459400200580a0501040f02060108080206075a0b51080b;5110411

Fiesta EK delivers Java exploit:
dllumfqd.hopto.org/y2x3wz6/?12668e96ba51ad8e5e5d540d0a5e0b0007030f0d0c07090d0401075501570857

Java exploit delivers EXE payload
dllumfqd.hopto.org/y2x3wz6/?76db085318e4f7dc544e01590203070501075d59045a050802055501090a050b;1;4

This same payload was also delivered separately by an MSIE exploit.

Malware does an HTTP GET request to www.google.com to check for connectivity:

Malware does an HTTP POST to callback domain aaukqiooaseseuke.org:

More callback traffic by the malware... Notice the user agent indicates this is FireFox version 17; however, no Firefox browser was installed on this host:

FINAL NOTES

Once again, here are links for the associated files:

ZIP of the PCAPS: 2014-03-09-Fiesta-EK-pcaps.zip
ZIP file of the malware: 2014-03-09-Fiesta-EK-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.