2014-03-22 - FIESTA EK - COMPARING HOW SILVERLIGHT AND JAVA DELIVER THE SAME MALWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
NOTES:
The Silverlight exploit sent its malware payload through one HTTP GET request that returned an octet-stream of 1,643,332 bytes. This is somewhat large for a malware payload, and I couldn't find an artifact of that size on the infected VM.  To compare, I infected a VM from the same referer/Fiesta EK using only Java.
The Java exploit sent its malware payload through two HTTP GET requests. These HTTP GET requests returned two octet-streams: one at 729,856 bytes and the other at 913,665. That's a total of 1,643,521 bytes--less than 200 bytes difference from the Silverlight payload. I saw the same artifacts on both infected VMs, so I'm assuming the Silverlight exploit bundled the two files in a single 1.6 MB octet-stream.
Places like Malware Don't Need Coffee show larger-than-normal payload sizes (1 MB or more) sent by the Silverlight exploit, but I didn't realize this single octet-stream ended up as two different EXE files.
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 184.168.64[.]228 - www.quickr[.]org - compromised website - GET /Discover_ATM_1655_SOUTH_29TH_STREET_Philadelphia_PA_19145
- 209.239.113[.]37 - nwntmtvjs.hopto[.]org and kzuvgi.hopto[.]org - Fiesta EK
- 79.142.66[.]240 - report.my555m5g55a5555[.]com and report.ei17q3wsku1m9gmy9ce[.]com - post-infection callback traffic
FIESTA EK TRAFFIC USING SILVERLIGHT AS AN EXPLOIT
- 03:01:38 UTC - nwntmtvjs.hopto[.]org - GET /3fkthxp4g3gqgpi6hqdlzxuuxmqtgez93n4jf4
- 03:01:45 UTC - nwntmtvjs.hopto[.]org - GET /rmvk30g/?0cf322e68fd40caa430f100800095107005a5007090607060b5655015154010703;5110411
- 03:01:49 UTC - nwntmtvjs.hopto[.]org - GET /rmvk30g/?1582191b894778355245530903020553010c0e060a0d53520a000b00525f555302;6
- 03:01:53 UTC - nwntmtvjs.hopto[.]org - GET /rmvk30g/?1582191b894778355245530903020553010c0e060a0d53520a000b00525f555302;6;1
FIESTA EK - SILVERLIGHT EXPLOIT - POST-INFECTION CALLBACK
- 03:01:59 UTC - report.my555m5g55a5555[.]com - GET /?79u1mYW20=%96%9C%D1%A1%D6%AAd%A0%AE%98f%9B%9Dl%CCj%[long string]
FIESTA EK TRAFFIC USING JAVA AS AN EXPLOIT
- 03:33:31 UTC - kzuvgi.hopto[.]org - GET /3fkthxp4g3gqgpi6hqdlzxuuxmqtgez93n4jf4
- 03:33:56 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?3d8173a8c41fc917590a540a0508550902520c000c07030808510b035303550050
- 03:33:57 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?04d6365d1f0e55455f5b060d010d015501025007080257540b0157045706010505
- 03:33:57 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?04d6365d1f0e55455f5b060d010d015501025007080257540b0157045706010505
- 03:33:57 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?08b665e319034e315340070d040e5102010e56070d0107030b0d51045205510b53;1;4
- 03:33:59 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?3143fd3219034e3150495108545f0703020700025d505102080407010254070a50;2;4
- 03:34:02 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?3143fd3219034e3150495108545f0703020700025d505102080407010254070a50;2;4;1
FIESTA EK - JAVA EXPLOIT - POST-INFECTION CALLBACK
- 03:34:02 UTC - report.ei17q3wsku1m9gmy9ce[.]com - GET /?55wSK5520=%96%9E%A9%A1%D7%A8g%9A%CAg%99%D6%97%DA%[long string]
NOTE: In the first example, a Java exploit was sent after the Silverlight traffic; however, no malware payload was sent using Java. I did not include those additional HTTP GET requests in the pcap for the Silverlight traffic.
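The request lists above are the kind of thing an analyst wants to triage quickly: which hosts are free dynamic-DNS names, which URIs carry the Fiesta "/?<hex>" pattern, and how the ";n;m" suffixes progress before each payload download. The Python script below is an added example and is not part of the original post. Its input is a constructed sample copied from the two request chains on this page (callback query strings cut where the page truncates them), and its patterns are derived only from the URIs shown here, not from the Emerging Threats rules listed later; what the ";n" suffixes mean is not asserted, the script only groups them per hex token so the progression is visible.

```python
"""Triage helper for Fiesta EK request logs (added example, not from the page)."""
import re
from collections import OrderedDict

# Constructed sample: the requests from both infection runs on this page,
# in the page's "HH:MM:SS UTC - host - GET /uri" layout, callbacks truncated.
SAMPLE_REQUESTS = """\
03:01:38 UTC - nwntmtvjs.hopto[.]org - GET /3fkthxp4g3gqgpi6hqdlzxuuxmqtgez93n4jf4
03:01:45 UTC - nwntmtvjs.hopto[.]org - GET /rmvk30g/?0cf322e68fd40caa430f100800095107005a5007090607060b5655015154010703;5110411
03:01:49 UTC - nwntmtvjs.hopto[.]org - GET /rmvk30g/?1582191b894778355245530903020553010c0e060a0d53520a000b00525f555302;6
03:01:53 UTC - nwntmtvjs.hopto[.]org - GET /rmvk30g/?1582191b894778355245530903020553010c0e060a0d53520a000b00525f555302;6;1
03:01:59 UTC - report.my555m5g55a5555[.]com - GET /?79u1mYW20=%96%9C%D1%A1%D6%AAd%A0%AE%98f%9B%9Dl%CCj
03:33:31 UTC - kzuvgi.hopto[.]org - GET /3fkthxp4g3gqgpi6hqdlzxuuxmqtgez93n4jf4
03:33:56 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?3d8173a8c41fc917590a540a0508550902520c000c07030808510b035303550050
03:33:57 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?04d6365d1f0e55455f5b060d010d015501025007080257540b0157045706010505
03:33:57 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?04d6365d1f0e55455f5b060d010d015501025007080257540b0157045706010505
03:33:57 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?08b665e319034e315340070d040e5102010e56070d0107030b0d51045205510b53;1;4
03:33:59 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?3143fd3219034e3150495108545f0703020700025d505102080407010254070a50;2;4
03:34:02 UTC - kzuvgi.hopto[.]org - GET /rmvk30g/?3143fd3219034e3150495108545f0703020700025d505102080407010254070a50;2;4;1
03:34:02 UTC - report.ei17q3wsku1m9gmy9ce[.]com - GET /?55wSK5520=%96%9E%A9%A1%D7%A8g%9A%CAg%99%D6%97%DA
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) UTC - (\S+) - GET (\S+)$")
# Fiesta hex URI: a directory, then "/?", a long hex token, then zero or more ";<digits>" groups.
FIESTA_RE = re.compile(r"^/[a-z0-9]+/\?([0-9a-f]{60,})((?:;\d+)*)$")
# Landing page on the EK host: one long lowercase alphanumeric path, no query string.
LANDING_RE = re.compile(r"^/[a-z0-9]{20,}$")
# Post-infection callback: "/?<key>=<percent-encoded blob>" on a report.* host.
CALLBACK_RE = re.compile(r"^/\?[A-Za-z0-9]+=(?:%[0-9A-Fa-f]{2}|[A-Za-z0-9])+$")


def refang(host):
    """Turn the page's defanged 'example[.]org' back into 'example.org'."""
    return host.replace("[.]", ".")


def classify(host, uri):
    """Return a role tag for one request, or 'other' if no pattern matches."""
    if FIESTA_RE.match(uri):
        return "fiesta_hex_uri"
    if CALLBACK_RE.match(uri) and host.startswith("report."):
        return "callback"
    if LANDING_RE.match(uri):
        return "ek_landing"
    return "other"


def parse_requests(text):
    """Parse log lines into dicts, sorted by timestamp (stable, so ties keep log order)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a line in another format
        ts, host, uri = m.groups()
        host = refang(host)
        records.append({
            "time": ts,
            "host": host,
            "uri": uri,
            "ddns": host.endswith(".hopto.org"),  # free dynamic-DNS host, as the ET INFO alert flags
            "tag": classify(host, uri),
        })
    records.sort(key=lambda r: r["time"])
    return records


def fiesta_stages(records):
    """Map each Fiesta hex token to the ordered list of its ';' suffix tuples."""
    stages = OrderedDict()
    for r in records:
        if r["tag"] != "fiesta_hex_uri":
            continue
        hex_token, suffix = FIESTA_RE.match(r["uri"]).groups()
        parts = tuple(int(p) for p in suffix.split(";") if p)
        stages.setdefault(hex_token, []).append(parts)
    return stages


def count_tags(records):
    """Count how many requests carry each role tag."""
    counts = {}
    for r in records:
        counts[r["tag"]] = counts.get(r["tag"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_requests(SAMPLE_REQUESTS)
    print(count_tags(recs))
    for token, suffixes in fiesta_stages(recs).items():
        print(token[:8], suffixes)
```

Run against the sample, the grouping shows the same shape in both chains: one hex token is requested first with a short suffix (";6" under Silverlight, ";2;4" under Java) and then again with ";1" appended, and the second request is the one that immediately precedes the callback to the report.* host. The hex-length threshold of 60 is a choice for this sample, not a documented Fiesta constant.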
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-03-22-Fiesta-EK-silverlight-exploit.xap
File size: 5,265 bytes
MD5 hash: eb74945c840dfd74a171639f379777aa
Detection ratio: 3 / 51
First submission: 2014-03-19 15:32:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/bed60e3715e542881d5e80784bdcbb4945a6a8375a63cbde6436a2782593a87c/analysis/
JAVA EXPLOIT
File name: 2014-03-22-Fiesta-EK-java-exploit.jar
File size: 7,462 bytes
MD5 hash: d529b2a500b94641fa89157f14d46608
Detection ratio: 4 / 51
First submission: 2014-03-22 03:59:50 UTC
VirusTotal link: https://www.virustotal.com/en/file/a4d56c4a8ddf5bed48b6fc8641f87ff356e272d52c2516d4dfb00575f64e3e0c/analysis/
MALWARE PAYLOAD PART 1
File name: 2014-03-22-Fiesta-EK-first-malware-payload.exe
File size: 729,600 bytes
MD5 hash: 2233f453d8a120321a3dca0e3df25420
Detection ratio: 9 / 51
First submission: 2014-03-22 04:00:42 UTC
VirusTotal link: https://www.virustotal.com/en/file/2629ea9fe35e2ff0dde9d018c66e5f0355068a958f827b74ec3fb067ea751383/analysis/
MALWARE PAYLOAD PART 2
File name: 2014-03-22-Fiesta-EK-second-malware-payload.exe
File size: 913,409 bytes
MD5 hash: bbab2ae7c44d8c024928d2f978d5b991
Detection ratio: 2 / 51
First submission: 2014-03-22 04:01:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/3aabe8afb7e974cb4b5ec89c9aa87e3f1841957146da2c8b620314b575f89c16/analysis/
ALERTS
ALERTS FOR THE FIESTA EK SILVERLIGHT TRAFFIC (from Sguil on Security Onion)

- ET INFO HTTP Connection To DDNS Domain Hopto.org
- ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention
- ET TROJAN Simda.C Checkin
ALERTS FOR THE FIESTA EK JAVA TRAFFIC (from Sguil on Security Onion)

- ET INFO HTTP Connection To DDNS Domain Hopto.org
- ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- ET POLICY Vulnerable Java Version 1.7.x Detected
- ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain
- ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
- ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- ET CURRENT_EVENTS Possible J7u21 click2play bypass
- ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
- ET INFO JAVA - Java Archive Download By Vulnerable Client
- ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
- ET TROJAN Generic - 8Char.JAR Naming Algorithm
- ET TROJAN Simda.C Checkin
HIGHLIGHTS FROM THE TRAFFIC
Embedded iframe in page from the infected web server
From the first PCAP with the Silverlight exploit
From the second PCAP with the Java exploit
Fiesta EK Silverlight exploit delivers malware payload in single HTTP GET request
Fiesta EK Java exploit delivers same malware payload in two different HTTP GET requests