2014-04-08 - FIESTA EK USES A FLASH EXPLOIT

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-04-08-Fiesta-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-04-08-Fiesta-EK-flash-exploit.zip

NOTES:

• This is the first time I've noticed Fiesta EK use a Flash exploit.
• This doesn't match the Flash-assisted CVE-2014-0322 MSIE exploit traffic from Fiesta EK in the Malware Don't Need Coffee blog (link).
• My Windows VM was running Flash 12.0.0.38 and it froze after it got the Flash exploit.  I wasn't able to finish the infection chain and get a malware payload.
• I haven't yet found any other information on this.  If anyone does, please let me know, and I'll update this blog entry.

UPDATE

• My thanks to Kafeine, who identified this as CVE-2014-0497 (twitter link).
• Kafeine's blog for this CVE has been updated: http://malware.dontneedcoffee.com/2014/02/cve-2014-0497-flash-up-to-120043.html

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

• 216.18.216.78 - forums.pinstack.com - compromised website
• 190.123.47.198 - rediskins.com - redirect
• 64.202.116.123 - cdryme.in.ua - Fiesta EK

CHAIN OF EVENTS

• 03:09:24 UTC - forums.pinstack.com - GET /f343/why_do_emails_disappear_from_inbox_read-64145/
• 03:09:25 UTC - rediskins.com - GET /vtbpuxmyc.js?494ddd90f13d213d
• 03:09:26 UTC - cdryme.in.ua - GET /xctl5j6/?2
• 03:09:31 UTC - cdryme.in.ua - GET /xctl5j6/?1e9363dea090e24b42125f080408575006530c080251545e04560d0000040703;120000;38

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-04-08-Fiesta-EK-flash-exploit.swf
File size:  7.7 KB ( 7853 bytes )
MD5 hash:  eb343c450abd625d2119b98dcc0d62d7
Detection ratio:  0 / 51
First submission:  2014-04-08 05:34:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a3791ec300f8e082bd24e8c265bbf694b71d790ad90c5b3a68bcc6b762e99a68/analysis/
Malwr link:  https://malwr.com/analysis/ZWY0M2E0NDNmMzBhNDQyYTk1Y2MwNTE3ZjM0OThiYzI/

This appears to be an archive (CWS as the first 3 characters), and I could extract a larger file from it using 7-zip:

A quick check on the extracted file shows a Flash file with many more ASCII strings available:

File name:  2014-04-08-Fiesta-EK-flash-exploit-extracted.swf
File size:  9.9 KB ( 10160 bytes )
MD5 hash:  6494d37a7064fb4d767b790435eb5d6a
Detection ratio:  0 / 50
First submission:  2014-04-08 06:56:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7c8bc25d1065d5983c3df5b6311fbae575ba1c26561d7c9c4acef0e4c5ce8324/analysis/
Malwr link:  https://malwr.com/analysis/NDlmMTVkMDc1YzVkNDc3YzliNDk2MGNkZTY0MWJiNmE/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-04-08 03:09:25 UTC - 192.168.204.220:49174 - 190.123.47.198:80 - ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection
• 2014-04-08 03:09:26 UTC - 64.202.116.123:80 - 192.168.204.220:49189 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
• 2014-04-08 03:09:26 UTC - 192.168.204.220:49189 - 64.202.116.123:80 - ET CURRENT_EVENTS FiestaEK js-redirect
• 2014-04-08 03:09:26 UTC - 192.168.204.220:49189 - 64.202.116.123:80 - ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit
• 2014-04-08 03:09:31 UTC - 192.168.204.220:49203 - 64.202.116.123:80 - ET POLICY Outdated Windows Flash Version IE
• 2014-04-08 03:09:31 UTC - 192.168.204.220:49203 - 64.202.116.123:80 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded javascript in the infected web page:

 

Redirect:

 

Fiesta EK landing page:

 

Fiesta EK delivers Flash exploit:

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-04-08-Fiesta-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-04-08-Fiesta-EK-flash-exploit.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.