2014-04-17 - FLASHPACK EK FROM 178.33.85[.]108 - GECEKIYAFETLERI[.]GEN[.]TR

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-04-17-FlashPack-EK-traffic.pcap.zip

NOTES:

• Like my previous blog entry on 2014-04-03, this is the same Cdorked/Onimiki redirection landing to Glupteba.M that's part of Operation Windigo (a PDF about it from ESET can be found here).
• This time, however, I saw an HTTP GET request for flash2014.php in the exploit traffic, which is something I hadn't noticed before.
• If the conditions on my VM were right, I would've gotten another HTTP GET request for an SWF file, then another for loadfla20014.php to deliver the payload.
• It's the CVE-2014-0497 Flash exploit.  Kafeine already found this on 2014-04-13.  Click here for the tweet or here for the blog entry.
• There's some corruption in the packet data for my pcap, so I didn't include the malware with this blog entry.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS

• 178.33.85[.]108 - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr and 9iunfi0idsvtxk4ymdgr9j7517653b1f0d711f1242451e294eccc16d.gecekiyafetleri[.]gen[.]tr - FlashPack EK
• 109.104.94[.]2 - 109.104.94[.]2 - Glupteba CnC Checkin (on port 11754) and callback traffic (on port 31562)
• SMTP traffic to Google and other mail servers (not included with the PCAP)

INFECTION CHAIN OF EVENTS

• 04:55:37 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /index.php?n=bml5bGZvYj1uZ2l3a3FxaHVnJnRpbWU9MTQwNDE3MDQwNjM4OTg0NzcyOTgmc3Jj
  PTE3NiZzdXJsPXd3dy50b2xseXdvb2QubmV0JnNwb3J0PTgwJmtleT01NUE0RDc0NiZzdXJpPS8=
• 04:55:38 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /favicon.ico
• 04:55:38 UTC - 9iunfi0idsvtxk4ymdgr9j7517653b1f0d711f1242451e294eccc16d.gecekiyafetleri[.]gen[.]tr GET /index2.php
• 04:55:39 UTC - 9iunfi0idsvtxk4ymdgr9j7517653b1f0d711f1242451e294eccc16d.gecekiyafetleri[.]gen[.]tr GET /favicon.ico
• 04:55:40 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/allow.php
• 04:55:40 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/js/pd.php?id=3969756e6669306964737674786b34796d646772396a3735313736353
  36231663064373131663132343234353165323934656363633136642e676563656b6979616665746c6572692e67656e2e7472
• 04:55:45 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - POST /codex/georgin/json.php
• 04:55:45 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/msie.php
• 04:55:45 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/silver.php
• 04:55:45 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/javadb.php
• 04:55:45 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/flash2014.php
• 04:55:46 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/include/3baa05c5de2371822cc8e83b53d35a8d.eot
• 04:55:55 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/include/35fed408e1aba07fa4fb3ef9b3fc96d4.eot
• 04:55:55 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/loadsilver.php
• 04:56:02 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/include/e0248761e476cbeb01cc100610756cb1.jar
• 04:56:02 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /codex/georgin/include/e0248761e476cbeb01cc100610756cb1.jar
• 04:58:10 UTC - 9iunfi0idsvtxk4ymdgr9j7.gecekiyafetleri[.]gen[.]tr - GET /software.php?04170458613218096

POST-INFECTION CALLBACK TRAFFIC

• 04:56:06 UTC - 109.104.94[.]2:11754 - GET /stat?uid=100&downlink=1111&uplink=1111&id=002AFD04&statpass=bpass&version=20140412&features=30&
  guid=936433a2-a6fc-4abd-b3b7-b914eb925491&comment=20140412&p=0&s=
• 04:58:40 UTC - 195.2.253[.]38 - POST /
• 04:59:04 UTC - 174.143.144[.]69:25 - GET /
• 04:59:58 UTC - alt2.gmail-smtp-in.l.google[.]com:25 - GET /

 

ALERTS

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-04-17 04:55:37 UTC - 178.33.85[.]108:80 - ET CURRENT_EVENTS Cushion Redirection
• 2014-04-17 04:55:41 UTC - 178.33.85[.]108:80 - ET INFO JAVA - ClassID
• 2014-04-17 04:55:45 UTC - 178.33.85[.]108:80 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2
• 2014-04-17 04:55:45 UTC - 178.33.85[.]108:80 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php
• 2014-04-17 04:55:46 UTC - 178.33.85[.]108:80 - ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot
• 2014-04-17 04:55:46 UTC - 178.33.85[.]108:80 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight Secondary Landing
• 2014-04-17 04:55:55 UTC - 178.33.85[.]108:80 - ET CURRENT_EVENTS Safe/CritX/FlashPack SilverLight Payload
• 2014-04-17 04:55:56 UTC - 178.33.85[.]108:80 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download
• 2014-04-17 04:55:56 UTC - 178.33.85[.]108:80 - ET POLICY PE EXE or DLL Windows file download
• 2014-04-17 04:55:56 UTC - 178.33.85[.]108:80 - ET INFO EXE - Served Inline HTTP
• 2014-04-17 04:56:02 UTC - 178.33.85[.]108:80 - ET INFO JAVA - Java Archive Download By Vulnerable Client
• 2014-04-17 04:56:02 UTC - 178.33.85[.]108:80 - ET INFO JAR Size Under 30K Size - Potentially Hostile
• 2014-04-17 04:56:02 UTC - 178.33.85[.]108:80 - ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii
• 2014-04-17 04:56:02 UTC - 178.33.85[.]108:80 - ET POLICY Vulnerable Java Version 1.7.x Detected
• 2014-04-17 04:56:06 UTC - 109.104.94[.]2:11754 - ET TROJAN Win32/Glupteba CnC Checkin
• 2014-04-17 04:58:40 UTC - 195.2.253[.]38:80 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
• 2014-04-17 04:59:04 UTC - 174.143.144[.]69:25 - PADS New Asset - unknown @smtp
• 2014-04-17 04:59:58 UTC - 74.125.25[.]26:25 - PADS New Asset - http Wget/1.12 (linux (gnu))

 

SCREENSHOTS

Here's what was returned from the HTTP GET request for flash2014.php.  Unfortunately, this wasn't part of the infection chain for my VM.

 

The infection happened through a Silverlight exploit.  Below is a spam message sent from my infected VM--it's similar to the example in ESET's publication about Operation Windigo (link):

 

Click here to return to the main page.