2014-04-20 - SWEET ORANGE EK FROM 195.16.88[.]159 PORT 9290 - FLASH AND JAVA EXPLOITS

NOTICE:

ASSOCIATED FILES:

NOTES:

UPDATE

Kafeine has confirmed the Flash exploit in this example is, in fact, CVE-2014-0497


CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEB SITE AND REDIRECTS (all times UTC):

SWEET ORANGE EXPLOIT KIT:


PRELIMINARY MALWARE ANALYSIS

FLASH FILE

File name:  2014-04-20-Sweet-Orange-EK-flash-file.swf
File size:  9,242 bytes
MD5 hash:  656b05763d88e086f9ce17769a7a78d8
Detection ratio:  0 / 49
First submission:  2014-04-20 22:47:39 UTC
VirusTotal link:  https://www.virustotal.com/en/file/738672eb554c539040ebe892dcb3efe9e5dd00f4e99ef9dbbec8650d0ac02d74/analysis/


FIRST JAVA EXPLOIT

File name:  2014-04-20-Sweet-Orange-EK-java-exploit-1.jar
File size:  89,941 bytes
MD5 hash:  6655a961b7cefafe1e696e602f3a1629
Detection ratio:  1 / 50
First submission:  2014-04-19 20:11:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d95e03dbc44e57419a7f2fea35fd04944ab1a567185db333aeb6d4e181dfbad1/analysis/


SECOND JAVA EXPLOIT

File name:  2014-04-20-Sweet-Orange-EK-java-exploit-2.jar
File size:  87,937 bytes
MD5 hash:  bb16b335054ca5e324b0926dafff9ad7
Detection ratio:  2 / 51
First submission:  2014-04-19 20:11:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/65933c934783030dc86f38f350c360e74ddd1f1af2c8cb528a9c37997ac12acd/analysis/


MALWARE PAYLOAD

File name:  2014-04-20-Sweet-Orange-EK-malware-payload.exe
File size:  236,096 bytes
MD5 hash:  2a0b477dace5fd141a0822eeeb3a2948
Detection ratio:  16 / 46
First submission:  2014-04-20 03:55:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7463ce99a724cf07937a70a087fdb524a799a5471f5d1223239ecbebfe47aff6/analysis/


ALERTS

As mentioned earlier, because the HTTP exploit traffic happened over TCP port 9290, no events showed up from Sguil on Security Onion.  However, I used tcprewrite to change port 9290 to 80 in the pcap then replayed the file with tcpreplay on Security Onion.

sudo tcprewrite --portmap=9290:80 --infile=currentfile.pcap --outfile=newfile.pcap
sudo tcpreplay --intf1=eth0 newfile.pcap

The modified pcap generated the following Sweet Orange EK events:

  • ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013
  • ET POLICY Vulnerable Java Version 1.7.x Detected
  • ET INFO JAVA - Java Archive Download By Vulnerable Client
  • ET CURRENT_EVENTS Possible Sweet Orange payload Request
  • ET CURRENT_EVENTS Sweet Orange encrypted payload


HIGHLIGHTS FROM THE TRAFFIC

From www.cba[.]org[.]uk (compromised website) to toolbarueries-googles[.]ru (first redirect):
Embedded iframe from index page of compromised website.


From toolbarueries-googles[.]ru (first redirect) to toolbarueries-googless[.]ru (second redirect):
Note the first redirect is "googles", while the second redirect is "googless".
The obfuscated JavaScript shown below probably generated the traffic to toolbarueries-googless[.]ru.


From toolbarueries-googless[.]ru (second redirect) to dromessop[.]org (last redirect):


From dromessop[.]org (last redirect) to seek7er.epicgamer[.]org:9290 (Sweet Orange EK):


The first HTTP GET request to Sweet Orange EK returns some obfuscated script:


Take away the jeR--_ and 33S from the obfuscated section of the above script, and you'll find some Base64 encoded HTML:
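The junk-stripping step described above, as an added example that is not part of the original post: the two tokens named in the text are removed, the remaining Base64 is re-padded and decoded, and the result is sanity-checked as HTML. The sample blob is constructed here from placeholder HTML, not taken from the real landing page.

```python
import base64
import re

# Junk tokens the post reports inside the Sweet Orange landing-page script.
JUNK_TOKENS = ("jeR--_", "33S")

# Constructed sample: Base64 of "<html><body>ok</body></html>" with the two junk
# tokens sprinkled through it and the trailing "==" padding dropped.
SAMPLE_BLOB = "PGh0jeR--_bWw+33SPGJvZHk+jeR--_b2s8L2Jv33SZHk+PC9ojeR--_dG1sPg"


def strip_junk(blob: str, tokens=JUNK_TOKENS) -> str:
    """Remove the inserted junk tokens and all whitespace, leaving raw Base64.

    Caveat: "33S" consists of valid Base64 characters, so on real traffic it
    could also occur naturally; always confirm the decoded output makes sense.
    """
    pattern = "|".join(re.escape(t) for t in tokens)
    cleaned = re.sub(pattern, "", blob)
    return re.sub(r"\s+", "", cleaned)


def decode_obfuscated(blob: str, tokens=JUNK_TOKENS) -> str:
    """Strip junk, restore Base64 padding, decode, and return the text."""
    b64 = strip_junk(blob, tokens)
    # Junk removal (or the kit itself) may leave the length off a multiple of 4;
    # b64decode rejects that, so restore the '=' padding first.
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-8", errors="replace")


def looks_like_html(text: str) -> bool:
    """Cheap check that the decode produced markup rather than garbage."""
    return text.lstrip().lower().startswith(("<html", "<!doctype", "<script", "<body"))


if __name__ == "__main__":
    decoded = decode_obfuscated(SAMPLE_BLOB)
    print("looks like HTML:", looks_like_html(decoded))
    print(decoded)
```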


The decoded Base64 script looks like a CVE-2013-2551 exploit:


Microsoft Security Essentials also thinks it's CVE-2013-2551:


The second HTTP GET request to Sweet Orange returns a Flash file, possibly an exploit for CVE-2014-0497 since it specifically identified my Flash version as 12.0.0.38.


Here are GET requests for the two different Java exploits:


Here are two GET requests for the same encrypted malware payload delivered by the Java exploits:


I didn't see any callback traffic, but the malware copied itself to another directory and created the following registry entry:

