2014-03-28 - FIESTA EK USES MSIE, SILVERLIGHT, AND JAVA EXPLOITS
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-03-28-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-28-Fiesta-EK-malware.zip
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 192.81.171.13 - www.toonzone.net - Compromised website
- 190.123.47.198 - ilinsting.com - Redirect
- 64.202.116.124 - bgbyhn.in.ua - Fiesta EK
INFECTION CHAIN OF EVENTS
- 06:40:07 UTC - www.toonzone.net - GET /forums/adult-swim-toonami-forum/
- 06:40:08 UTC - ilinsting.com - GET /szjhmucw.js?3ad1359a5153d640
- 06:40:09 UTC - bgbyhn.in.ua - GET /hdjng94/?2
- 06:40:11 UTC - bgbyhn.in.ua - GET /hdjng94/?25b6d1b1cb76ec625b500e0d560a50040703520d5053520a0706510355090109
- 06:40:12 UTC - bgbyhn.in.ua - GET /hdjng94/?2d8a97d01a056fdd41084e5a0b0c56050752085a0d55540b07570b54080f0708;5110411
- 06:40:14 UTC - bgbyhn.in.ua - GET /hdjng94/?02bb88c62d7306c8534209590a035103050452590c5a530d0501515709000057;5
- 06:40:15 UTC - bgbyhn.in.ua - GET /hdjng94/?02bb88c62d7306c8534209590a035103050452590c5a530d0501515709000057;5;1
- 06:40:42 UTC - bgbyhn.in.ua - GET /hdjng94/?2ad5cdef3fc4ef9851110f0e515f57530757540e5706555d07525700525c065e;6
- 06:40:43 UTC - bgbyhn.in.ua - GET /hdjng94/?2ad5cdef3fc4ef9851110f0e515f57530757540e5706555d07525700525c065e;6;1
- 06:40:43 UTC - bgbyhn.in.ua - GET /hdjng94/?5998786b9c7a1ffe544b580305030457000f0903035a0659000a0a0d0600555a
- 06:40:49 UTC - bgbyhn.in.ua - GET /hdjng94/?59576b00f4cfd03e5641500c04590205000f050c0200000b000a0602075a5308;1;2
- 06:40:49 UTC - bgbyhn.in.ua - GET /hdjng94/?59576b00f4cfd03e5641500c04590205000f050c0200000b000a0602075a5308;1;2;1
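As an added triage example (not code from the original post), the Python script below parses request lines in the post's own "HH:MM:SS UTC - host - GET /path" format, picks out the two URI shapes the Snort signatures later in the post describe (a landing page of the form "/?digit" and a long hex token after "/?"), and groups the hex-token requests so the exploit/payload pairs stand out. The sample log is constructed from this post's chain of events. The pairing rule, which treats a request whose ";n" suffix is the previous request's suffix plus ";1" as the follow-up that fetched the EXE payload, is an assumption drawn from the three pairs visible in this capture and the "delivers EXE payload" highlights, not a documented Fiesta property; the regexes and function names are likewise assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample input: the request lines from this post's infection chain.
SAMPLE_LOG = """\
06:40:07 UTC - www.toonzone.net - GET /forums/adult-swim-toonami-forum/
06:40:08 UTC - ilinsting.com - GET /szjhmucw.js?3ad1359a5153d640
06:40:09 UTC - bgbyhn.in.ua - GET /hdjng94/?2
06:40:11 UTC - bgbyhn.in.ua - GET /hdjng94/?25b6d1b1cb76ec625b500e0d560a50040703520d5053520a0706510355090109
06:40:12 UTC - bgbyhn.in.ua - GET /hdjng94/?2d8a97d01a056fdd41084e5a0b0c56050752085a0d55540b07570b54080f0708;5110411
06:40:14 UTC - bgbyhn.in.ua - GET /hdjng94/?02bb88c62d7306c8534209590a035103050452590c5a530d0501515709000057;5
06:40:15 UTC - bgbyhn.in.ua - GET /hdjng94/?02bb88c62d7306c8534209590a035103050452590c5a530d0501515709000057;5;1
06:40:42 UTC - bgbyhn.in.ua - GET /hdjng94/?2ad5cdef3fc4ef9851110f0e515f57530757540e5706555d07525700525c065e;6
06:40:43 UTC - bgbyhn.in.ua - GET /hdjng94/?2ad5cdef3fc4ef9851110f0e515f57530757540e5706555d07525700525c065e;6;1
06:40:43 UTC - bgbyhn.in.ua - GET /hdjng94/?5998786b9c7a1ffe544b580305030457000f0903035a0659000a0a0d0600555a
06:40:49 UTC - bgbyhn.in.ua - GET /hdjng94/?59576b00f4cfd03e5641500c04590205000f050c0200000b000a0602075a5308;1;2
06:40:49 UTC - bgbyhn.in.ua - GET /hdjng94/?59576b00f4cfd03e5641500c04590205000f050c0200000b000a0602075a5308;1;2;1
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}) UTC - (?P<host>\S+) - GET (?P<uri>\S+)$')

# Assumed URI shapes: one directory component, then "?" followed either by a
# short digit (landing page) or by a long hex token with optional ";n" groups.
LANDING_RE = re.compile(r'^/[^/?]+/\?\d{1,2}$')
HEX_URI_RE = re.compile(
    r'^/[^/?]+/\?(?P<token>[0-9a-f]{32,})(?P<suffix>(?:;\d+)*)$')


def parse_log(text):
    """Parse chain-of-events lines into dicts with ts/host/uri; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_uri(uri):
    """Return ('landing', None, ''), ('hex', token, suffix) or ('other', None, '')."""
    if LANDING_RE.match(uri):
        return ('landing', None, '')
    m = HEX_URI_RE.match(uri)
    if m:
        return ('hex', m.group('token'), m.group('suffix'))
    return ('other', None, '')


def group_by_token(events):
    """Group hex-token requests by token, keeping first-seen order."""
    sessions = OrderedDict()
    for ev in events:
        kind, token, suffix = classify_uri(ev['uri'])
        if kind == 'hex':
            sessions.setdefault(token, []).append((ev['ts'], suffix))
    return sessions


def payload_followups(sessions):
    """Heuristic (assumption): under one token, a request whose suffix equals the
    previous request's suffix plus ';1' is the follow-up that fetched the payload.
    Returns (token, exploit_suffix, payload_suffix) tuples."""
    pairs = []
    for token, reqs in sessions.items():
        for i in range(1, len(reqs)):
            prev_suffix, cur_suffix = reqs[i - 1][1], reqs[i][1]
            if cur_suffix == prev_suffix + ';1':
                pairs.append((token, prev_suffix, cur_suffix))
    return pairs


def summarize(text):
    """Run the whole triage over one log and return the findings as a dict."""
    events = parse_log(text)
    sessions = group_by_token(events)
    return {
        'events': len(events),
        'landing_pages': [ev['uri'] for ev in events
                          if classify_uri(ev['uri'])[0] == 'landing'],
        'hex_tokens': list(sessions.keys()),
        'payload_followups': payload_followups(sessions),
    }


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    print('requests parsed:', report['events'])
    print('landing page(s):', report['landing_pages'])
    print('hex tokens seen:', len(report['hex_tokens']))
    for token, exploit, payload in report['payload_followups']:
        print('exploit/payload pair:', token[:16] + '...', exploit, '->', payload)
```

Run on this capture it reports one landing page, six distinct hex tokens and three exploit/payload pairs, matching the three exploits (MSIE, Silverlight, Java) the highlights section shows delivering an EXE. On a proxy log from an unknown host, the landing-page and hex-token matches are the lines worth pulling the full HTTP objects for.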
PRELIMINARY MALWARE ANALYSIS
JAVA EXPLOIT
File name: 2014-03-28-Fiesta-EK-java-exploit.jar
File size: 4.8 KB ( 4940 bytes )
MD5 hash: 5f3165b202080512f29479ccc9367178
Detection ratio: 2 / 51
First submission: 2014-03-27 15:43:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/6ffd34adddbcf280c4ae26e117e9bb0ae18a0d55ee4022248b27fe4154f57df0/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-03-28-Fiesta-EK-silverlight-exploit.xap
File size: 5.3 KB ( 5400 bytes )
MD5 hash: 233535ba2620a88386d2ca6fc06a6c30
Detection ratio: 0 / 51
First submission: 2014-03-28 06:57:39 UTC
VirusTotal link: https://www.virustotal.com/en/file/0d651cdf1248584d0ab5490f8f488c11d043c2f1daa4b378ebd1891280bfdb9a/analysis/
MALWARE PAYLOAD
File name: 2014-03-28-Fiesta-EK-malware-payload.exe
File size: 122.2 KB ( 125171 bytes )
MD5 hash: dc7139e1f9bc24fde1d7b1be9f4f644c
Detection ratio: 5 / 48
First submission: 2014-03-28 06:58:24 UTC
VirusTotal link: https://www.virustotal.com/en/file/898815a16f711d511943558423a127d030bcbe645a3c30434b3e1536bac9114d/analysis/
Malwr link: https://malwr.com/analysis/MzFkMGU2MGMwZDgwNGY3ZmE1YjBjNzk3MjI1ZDU1YWI/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
- 2014-03-28 06:40:08 UTC - 192.168.204.193:49199 - 190.123.47.198:80 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection
- 2014-03-28 06:40:09 UTC - 192.168.204.193:49210 - 64.202.116.124:80 - ET CURRENT_EVENTS FiestaEK js-redirect
- 2014-03-28 06:40:09 UTC - 192.168.204.193:49210 - 64.202.116.124:80 - ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit
- 2014-03-28 06:40:09 UTC - 64.202.116.124:80 - 192.168.204.193:49210 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
- 2014-03-28 06:40:11 UTC - 192.168.204.193:49222 - 64.202.116.124:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
- 2014-03-28 06:40:12 UTC - 64.202.116.124:80 - 192.168.204.193:49229 - ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention
- 2014-03-28 06:40:43 UTC - 192.168.204.193:49242 - 64.202.116.124:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
- 2014-03-28 06:40:43 UTC - 192.168.204.193:49242 - 64.202.116.124:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
- 2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
- 2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET CURRENT_EVENTS Possible Fiesta Jar with four-letter class names
- 2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET INFO JAVA - Java Archive Download By Vulnerable Client
- 2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
- 2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET TROJAN Generic - 8Char.JAR Naming Algorithm
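As an added example (not code from the original post), the Python script below does the pivot an analyst makes in Sguil by hand: it parses the Snort lines above, folds request-direction and response-direction alerts into one flow keyed by the client port, and then asks two questions of the flows: which server shows up in more than one alerted flow, and which flow carried a response-direction alert saying a Java archive was actually sent, as opposed to merely requested. The sample events are constructed from this post's list; the client address, the flow-keying and the signature substrings used to spot a JAR delivery are assumptions for this capture.

```python
import re
from collections import OrderedDict

# Constructed sample input: the Snort events listed in this post, in the
# "date time UTC - src:port - dst:port - signature" form shown above.
SNORT_EVENTS = """\
2014-03-28 06:40:08 UTC - 192.168.204.193:49199 - 190.123.47.198:80 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection
2014-03-28 06:40:09 UTC - 192.168.204.193:49210 - 64.202.116.124:80 - ET CURRENT_EVENTS FiestaEK js-redirect
2014-03-28 06:40:09 UTC - 192.168.204.193:49210 - 64.202.116.124:80 - ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit
2014-03-28 06:40:09 UTC - 64.202.116.124:80 - 192.168.204.193:49210 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
2014-03-28 06:40:11 UTC - 192.168.204.193:49222 - 64.202.116.124:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
2014-03-28 06:40:12 UTC - 64.202.116.124:80 - 192.168.204.193:49229 - ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit March 05 2014 DLL Naming Convention
2014-03-28 06:40:43 UTC - 192.168.204.193:49242 - 64.202.116.124:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
2014-03-28 06:40:43 UTC - 192.168.204.193:49242 - 64.202.116.124:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET CURRENT_EVENTS Possible Fiesta Jar with four-letter class names
2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET INFO JAVA - Java Archive Download By Vulnerable Client
2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
2014-03-28 06:40:43 UTC - 64.202.116.124:80 - 192.168.204.193:49242 - ET TROJAN Generic - 8Char.JAR Naming Algorithm
"""

# The signature text itself contains " - ", so anchor on the fixed fields first
# and take the remainder of the line as the signature name.
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - '
    r'(?P<src>[\d.]+):(?P<sport>\d+) - (?P<dst>[\d.]+):(?P<dport>\d+) - (?P<sig>.+)$')

# Assumption: the infected client in this capture (from the alert list above).
CLIENT = '192.168.204.193'

# Assumption: response-direction signature fragments that mean a JAR was served.
JAR_SENT_MARKERS = ('Java File Sent', 'Java Archive', '.JAR')


def parse_events(text):
    """Parse alert lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flow_key(ev):
    """Normalize direction so request and response alerts share one key:
    (client_ip, client_port, server_ip, server_port)."""
    if ev['src'] == CLIENT:
        return (ev['src'], int(ev['sport']), ev['dst'], int(ev['dport']))
    return (ev['dst'], int(ev['dport']), ev['src'], int(ev['sport']))


def group_flows(events):
    """Group alerts by flow, tagging each with its direction, in first-seen order."""
    flows = OrderedDict()
    for ev in events:
        direction = 'request' if ev['src'] == CLIENT else 'response'
        flows.setdefault(flow_key(ev), []).append((ev['ts'], direction, ev['sig']))
    return flows


def repeat_servers(flows):
    """Servers seen in more than one alerted flow; the EK host stands out from
    the one-shot redirector this way."""
    counts = {}
    for (_, _, server, _) in flows:
        counts[server] = counts.get(server, 0) + 1
    return sorted(s for s, n in counts.items() if n > 1)


def jar_delivery_flows(flows):
    """Flows with a response-direction alert that says a Java archive was sent."""
    hits = []
    for key, alerts in flows.items():
        if any(d == 'response' and any(mk in sig for mk in JAR_SENT_MARKERS)
               for _, d, sig in alerts):
            hits.append(key)
    return hits


if __name__ == '__main__':
    flows = group_flows(parse_events(SNORT_EVENTS))
    for key, alerts in flows.items():
        print('flow %s:%d -> %s:%d  alerts=%d' % (key + (len(alerts),)))
    print('servers in more than one alerted flow:', repeat_servers(flows))
    print('flows that delivered a JAR:', jar_delivery_flows(flows))
```

Here the five client ports become five flows; the Fiesta host appears in four of them and only the 06:40:43 flow on port 49242 carries the server-side JAR alerts, which is the flow to carve the Java exploit from in the PCAP.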
HIGHLIGHTS FROM THE TRAFFIC
Embedded javascript in page from compromised web server
Redirect
Fiesta EK delivers MSIE exploit CVE-2013-2551
MSIE exploit CVE-2013-2551 delivers EXE payload
Fiesta EK delivers Silverlight exploit CVE-2013-0074
Silverlight exploit CVE-2013-0074 delivers EXE payload
Fiesta EK delivers Java exploit
Java exploit delivers EXE payload
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-03-28-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-03-28-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.