2014-03-13 - FIESTA EK DELIVERS CLICK FRAUD TROJAN
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-03-11-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-11-Fiesta-EK-malware.zip
- ZIP of the PCAP: 2014-03-13-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-13-Fiesta-EK-malware.zip
NOTES:
- The malware payload for the 2014-03-13 traffic didn't run properly on my VM, so I executed it from a physical host, where it caused click fraud traffic.
- I've included PCAP and malware files for a similar infection I came across two days prior on 2014-03-11. That one dropped additional malware that turned my VM into an Asprox-style malspam botnet host.
CHAIN OF EVENTS ON 2014-03-13
ASSOCIATED DOMAINS
- 173.255.244.72 - www.mappery.com - Compromised website
- 209.239.113.39 - ihbctxjkp.myvnc.com - Fiesta EK
- 188.165.106.64 - 188.165.106.64 - Post-infection callback
INFECTION CHAIN OF EVENTS ON 2014-03-13
- 14:53:12 UTC - 192.168.204.179:49171 - 173.255.244.72:80 - www.mappery.com - GET /maps-United-States
- 14:53:13 UTC - 192.168.204.179:49180 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /amzkrbxkzawjktflz4uktj7lxjbdjk1plvq
- 14:53:20 UTC - 192.168.204.179:49184 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?79fc0a0e56341fb544551058095a0450040151580403005e020a545253570504;5110411
- 14:53:34 UTC - 192.168.204.179:49185 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?4891ceae73f59ff05748520a5a5e555007000e0a5707515e010b0b0000535404;6
- 14:53:34 UTC - 192.168.204.179:49191 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?4891ceae73f59ff05748520a5a5e555007000e0a5707515e010b0b0000535404;6;1
- 14:53:35 UTC - 192.168.204.179:49190 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?0fd37cbca9054f395a0808080e585656035e5308030152580555560254555702
- 14:53:35 UTC - 192.168.204.179:49197 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?56907afba4aee4755a595b0b0e5a5257060e0e0b0303565900050b0154575004
- 14:53:35 UTC - 192.168.204.179:49198 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?56907afba4aee4755a595b0b0e5a5257060e0e0b0303565900050b0154575004
- 14:53:37 UTC - 192.168.204.179:49199 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?0fd37cbca9054f395a0808080e585656035e5308030152580555560254555702
- 14:53:37 UTC - 192.168.204.179:49200 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?351ac5e448ba11635c5a535a5a0e5101000d065a5757550f0606035000035205
- 14:53:37 UTC - 192.168.204.179:49201 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?351ac5e448ba11635c5a535a5a0e5101000d065a5757550f0606035000035205
- 14:53:37 UTC - 192.168.204.179:49202 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?02969a35b8fea056534a5c0d005a0700030a0e0d0d03030e05010b075a570654;1;4
- 14:53:38 UTC - 192.168.204.179:49203 - 209.239.113.39:80 - ihbctxjkp.myvnc.com - GET /1je6bsz/?02969a35b8fea056534a5c0d005a0700030a0e0d0d03030e05010b075a570654;1;4;1
POST-INFECTION CALLBACK TRAFFIC
- 14:55:35 UTC - 192.168.204.179:49210 - 188.165.106.64:443 - 188.165.106.64 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 15:08:35 UTC - 192.168.204.179:49213 - 188.165.106.64:443 - 188.165.106.64 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
- 15:21:36 UTC - 192.168.204.179:49214 - 188.165.106.64:443 - 188.165.106.64 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-03-13-Fiesta-EK-silverlight-exploit.xap
File size: 5.1 KB ( 5242 bytes )
MD5 hash: e49ae100637dacd6a5b2864215bb13e5
Detection ratio: 0 / 50
First submission: 2014-03-14 04:28:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/28e68f506986a0cf7f38110f274529f78f5d1491f2b78a3f7e84a4de64bc2c39/analysis/
JAVA EXPLOIT
File name: 2014-03-13-Fiesta-EK-java-exploit.jar
File size: 7.3 KB ( 7444 bytes )
MD5 hash: 0d412aa73830d622e2aef154d4ef6b3d
Detection ratio: 5 / 50
First submission: 2014-03-13 19:27:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/db17ffdda6f50170eb10973209b443aa3b3f45fb346db8d7d6088bc0a4b32d15/analysis/
MALWARE PAYLOAD
File name: 2014-03-13-Fiesta-EK-malware-payload.exe
File size: 144.0 KB ( 147456 bytes )
MD5 hash: f84d030c8efdd4feb2061b57faea8157
Detection ratio: 18 / 50
First submission: 2014-03-14 04:29:37 UTC
VirusTotal link: https://www.virustotal.com/en/file/be2c9730fcf5482e82d3bf99b895987b674163902b20b07e9b869ae25fd686e8/analysis/
Malwr link: https://malwr.com/analysis/YWQ0ZDNiYmZmZDhlNDZiNmIwZDIzOGRiZmZhZmQ0MGU/
SNORT EVENTS
SNORT EVENTS FOR INFECTION TRAFFIC (from Sguil on Security Onion)
- 2014-03-13 14:53:13 UTC - 192.168.204.179:49180 -> 209.239.113.39:80
- ET INFO HTTP Connection To DDNS Domain Myvnc.com
- 2014-03-13 14:53:14 UTC - 209.239.113.39:80 -> 192.168.204.179:49180
- ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- 2014-03-13 14:53:20 UTC - 209.239.113.39:80 -> 192.168.204.179:49184
- ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention
- 2014-03-13 14:53:20 UTC - 192.168.204.179:49184 -> 209.239.113.39:80
- ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- 2014-03-13 14:53:35 UTC - 192.168.204.179:49190 -> 209.239.113.39:80
- ET POLICY Vulnerable Java Version 1.7.x Detected
- ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain
- ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
- 2014-03-13 14:53:35 UTC - 209.239.113.39:80 -> 192.168.204.179:49190
- ET CURRENT_EVENTS Possible J7u21 click2play bypass
- 2014-03-13 14:53:35 UTC - 209.239.113.39:80 -> 192.168.204.179:49197
- ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
- ET CURRENT_EVENTS Possible Fiesta Jar with four-letter class names
- ET INFO JAVA - Java Archive Download By Vulnerable Client
- ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
- ET TROJAN Generic - 8Char.JAR Naming Algorithm
- 2014-03-13 14:55:35 UTC - 192.168.204.179:49210 -> 188.165.106.64:443
- ET POLICY HTTP traffic on port 443 (POST)
HIGHLIGHTS FROM THE TRAFFIC
Embedded iframe in the infected web page - www.mappery.com/maps-United-States
Fiesa EK delivers silverlight exploit -
ihbctxjkp.myvnc.com/1je6bsz/?79fc0a0e56341fb544551058095a0450040151580403005e020a545253570504;5110411
Silverlight exploit delivers EXE payload -
ihbctxjkp.myvnc.com/1je6bsz/?4891ceae73f59ff05748520a5a5e555007000e0a5707515e010b0b0000535404;6
Fiesta EK delivers Java exploit -
ihbctxjkp.myvnc.com/1je6bsz/?351ac5e448ba11635c5a535a5a0e5101000d065a5757550f0606035000035205
Java exploit delivers EXE payload -
ihbctxjkp.myvnc.com/1je6bsz/?02969a35b8fea056534a5c0d005a0700030a0e0d0d03030e05010b075a570654;1;4
Callback traffic - HTTP POST over port 443 - 188.165.106.64:443/76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388
A RELATED VM INFECTION
On 2014-03-11, I had infected a VM from the same comrpomised web site The infection generated similar traffic; however, it was a different malware payload. At first, the traffic is nearly identical:
- 2014-03-11 16:01:19 UTC - 173.255.244.72 - www.mappery.com - GET /
- 2014-03-11 16:01:21 UTC - 209.239.113.39 - dkjcupyoen.myvnc.com - exploit traffic starts
- 2014-03-11 16:10:33 UTC - 213.242.245.241 port 443 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388 (same POST as 2014-03-13 but a different IP)
However, in addition to the similar traffic noted above, I also saw the following Asprox-style traffic after the initial infection:
- 2014-03-11 16:05:49 UTC - 192.168.204.186:50220 - 91.121.197.165:8080 - 91.121.197.165:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388 (application/x-www-form-urlencoded)
- 2014-03-11 16:05:56 UTC - 192.168.204.186:50221 - 46.244.10.231:80 - get-smokers.com - GET /b/shoe/951
- 2014-03-11 16:05:56 UTC - 192.168.204.186:50222 - 109.163.239.243:80 - ecab-cap.com - GET /libw6/jquery/
- 2014-03-11 16:06:19 UTC - 192.168.204.186:50223 - 109.163.239.243:80 - ecab-cap.com - GET /libw6/jquery/
- 2014-03-11 16:06:55 UTC - 192.168.204.186:50224 - 91.121.197.165:8080 - 91.121.197.165:8080 - POST /76EB1199A9E23152CD009BEC7C1C4EA0FA43D17388 (application/x-www-form-urlencoded)
- 2014-03-11 16:08:36 UTC - 192.168.204.186:49157 - 109.163.239.243:80 - ecab-cap.com - GET /k2/soft64.dll
Shortly after the Asprox-style callback traffic, my machine started sending out Asprox-style malspam:
Here's what I saw for alerts on Security Onion on the 2014-03-11:
Here's the malware info:
2014-03-11 Silverlight exploit (same as my Fiesta EK infection on 2014-03-09):
https://www.virustotal.com/en/file/c9fb7cbbc084f64ec44cd93eb294920cf801f37bfca42d37f5d7dd0aaa83fedb/analysis/
2014-03-11 Java exploit (same as my Fiesta EK infection on 2014-03-09):
https://www.virustotal.com/en/file/3c4a475c7bf334eff3baed3adfad18dae63df8fa925630478b9eedbd94f351d5/analysis/
2014-03-11 malware payload: 01394553707483.exe
https://www.virustotal.com/en/file/a53018328fa4d5b2d6148eae6eeee4e12292cff1acea5a77d2568c1bffd89390/analysis/
2014-03-11 follow-up malware: UpdateFlashPlayer_ae6914ec.exe
https://www.virustotal.com/en/file/36531452b9d111d851c449e08f5d2a354e146270f5b2033a82727b340c8e9d1e/analysis/
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-03-11-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-11-Fiesta-EK-malware.zip
- ZIP of the PCAP: 2014-03-13-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-13-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.