2014-06-08 - INFINITY EK FROM 46.226.194.6 - ELITECAD.GR
ASSOCIATED FILES:
- ZIP of PCAPs: 2014-06-08-Infinity-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-08-Infinity-EK-malware.zip
NOTES:
- This is the same compromised website as seen on 2014-06-04, but with a different redirect and a different domain for Infinity EK.
- The malware payload is the same as last time; however, the Flash and Silverlight exploits have been updated since then.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 213.5.176.14 - www.johnknightglass.co.uk - Compromised website
- 195.191.148.38 - dbk-dimitrov.com - Redirect
- 46.226.194.6 - elitecad.gr - Infinity EK
- 87.118.90.136 - 87.118.90.136 - Post-infection callback
COMPROMISED WEBSITE AND REDIRECTS:
- 18:14:58 UTC - www.johnknightglass.co.uk - GET /
- 18:15:00 UTC - dbk-dimitrov.com - GET /clik.php?id=9959892
- 18:15:00 UTC - dbk-dimitrov.com - GET /clik.php?id=9959868
- 18:15:01 UTC - dbk-dimitrov.com - GET /clik.php?id=9959869
- 18:15:05 UTC - dbk-dimitrov.com - GET /clik.php?id=9959897
- 18:15:31 UTC - dbk-dimitrov.com - GET /clik.php?id=9959893
INFINITY EK:
- 18:15:00 UTC - elitecad.gr - GET /uk/phpdownloader.html
- 18:15:00 UTC - elitecad.gr - GET /uk/phpdownloader.html
- 18:15:02 UTC - elitecad.gr - GET /uk/phpdownloader.html
- 18:15:03 UTC - elitecad.gr - GET /6324.swf
- 18:15:05 UTC - elitecad.gr - GET /6324.swf
- 18:15:05 UTC - elitecad.gr - GET /8908.xap
- 18:15:05 UTC - elitecad.gr - GET /8908.xap
- 18:15:07 UTC - elitecad.gr - GET /uk/phpdownloader.html
- 18:15:08 UTC - elitecad.gr - GET /57.mp3?rnd=01886
- 18:15:09 UTC - elitecad.gr - GET /57.mp3?rnd=28529
- 18:15:10 UTC - elitecad.gr - GET /57.mp3?rnd=08386
- 18:15:29 UTC - elitecad.gr - GET /57.mp3?rnd=43668
- 18:15:30 UTC - elitecad.gr - GET /57.mp3?rnd=31166
- 18:15:31 UTC - elitecad.gr - GET /3207721367.mp3?rnd=18629
POST-INFECTION CALLBACK TRAFFIC:
- 18:16:48 UTC - 87.118.90.136 - POST /news/index.php
- 18:16:49 UTC - 87.118.90.136 - POST /news/index.php
- 18:16:50 UTC - 87.118.90.136 - POST /news/index.php
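As an added example that is not part of the original post, the following script walks an HTTP request timeline and flags a host showing the Infinity EK sequence seen in this capture: a landing page, then Flash (.swf) and Silverlight (.xap) exploit fetches, then repeated requests for one payload path with a changing "rnd" cache-buster, all inside a short window. The log format and the 60-second window are assumptions; the sample lines are constructed from the chain of events above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed log lines modelled on the timeline in the post: time host method uri.
SAMPLE_LOG = """\
18:14:58 www.johnknightglass.co.uk GET /
18:15:00 dbk-dimitrov.com GET /clik.php?id=9959892
18:15:00 elitecad.gr GET /uk/phpdownloader.html
18:15:03 elitecad.gr GET /6324.swf
18:15:05 elitecad.gr GET /8908.xap
18:15:08 elitecad.gr GET /57.mp3?rnd=01886
18:15:09 elitecad.gr GET /57.mp3?rnd=28529
18:15:10 elitecad.gr GET /57.mp3?rnd=08386
18:16:48 87.118.90.136 POST /news/index.php
"""

EXPLOIT_EXT = (".swf", ".xap")  # plugin exploit files served by the EK in this capture

def parse_log(text):
    """Yield (time, host, method, uri) tuples from the assumed log format."""
    for line in text.splitlines():
        t, host, method, uri = line.split()
        yield datetime.strptime(t, "%H:%M:%S"), host, method, uri

def find_ek_hosts(records, window=timedelta(seconds=60)):
    """Return hosts matching landing -> exploit file -> repeated rnd= payload fetch."""
    by_host = defaultdict(list)
    for t, host, method, uri in records:
        if method == "GET":
            by_host[host].append((t, urlsplit(uri)))
    hits = {}
    for host, reqs in by_host.items():
        reqs.sort(key=lambda r: r[0])
        landing = [t for t, u in reqs if u.path.endswith(".html")]
        exploits = [u.path for t, u in reqs if u.path.endswith(EXPLOIT_EXT)]
        payloads = defaultdict(set)  # payload path -> distinct rnd values seen
        for t, u in reqs:
            q = parse_qs(u.query)
            if "rnd" in q and landing and t - landing[0] <= window:
                payloads[u.path].add(q["rnd"][0])
        repeated = [p for p, rnd in payloads.items() if len(rnd) >= 2]
        if landing and exploits and repeated:
            hits[host] = {"exploits": exploits, "payload_paths": repeated}
    return hits

if __name__ == "__main__":
    for host, info in find_ek_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, info)
```

Only the EK host is reported; the compromised site, the redirector and the callback server do not match the pattern and stay out of the result.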
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-06-08-Infinity-EK-flash-exploit.swf
File size: 4.4 KB ( 4475 bytes )
MD5 hash: ec5f5f2b85f6f133ef25d09ef6908686
Detection ratio: 1 / 50
First submission: 2014-06-08 23:27:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/2179aa43de0d3fcac429e1f528412043799f94942dc941a5ffa36233c8406531/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-06-08-Infinity-EK-silverlight-exploit.xap
File size: 6.1 KB ( 6242 bytes )
MD5 hash: 6728d803252532e11e2a2f62b069598b
Detection ratio: 6 / 51
First submission: 2014-06-08 23:28:03 UTC
VirusTotal link: https://www.virustotal.com/en/file/430a044651af3ef0a4cb9443bfb5e2997d5de5aa8c59915294c94fdcf073b2bf/analysis/
MALWARE PAYLOAD
File name: 2014-06-08-Infinity-EK-malware-payload.exe
File size: 115.0 KB ( 117760 bytes )
MD5 hash: 431d2ac68d63bbf30e3b5636ca1ae823
Detection ratio: 33 / 51
First submission: 2014-05-30 11:48:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/41b1a1ec61b2c8aa683f0310e3075d7d29d97fbe883d6e953ff2260417d38fe7/analysis/
Malwr link: https://malwr.com/analysis/ODAwYWRjOTRjNDY0NGM5ZWE5YmZlOWU0MTMwMDBkZDk/
SNORT EVENTS
SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)
Emerging Threats and ETPRO rulesets:
- 2014-06-08 18:15:00 UTC - 46.226.194.6:80 - 192.168.204.230:50767 - ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 (sid:2018440)
- 2014-06-08 18:15:05 UTC - 192.168.204.230:50777 - 46.226.194.6:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
- 2014-06-08 18:15:08 UTC - 46.226.194.6:80 - 192.168.204.230:50780 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
- 2014-06-08 18:15:08 UTC - 192.168.204.230:50780 - 46.226.194.6:80 - ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download (sid:2017998)
- 2014-06-08 18:15:14 UTC - 192.168.204.230:49534 - 95.211.195.245:53 - ET CURRENT_EVENTS DNS Query Domain .bit (sid:2017645)
- 2014-06-08 18:16:48 UTC - 192.168.204.230:50797 - 87.118.90.136:80 - ETPRO TROJAN Win32/Necurs Checkin 4 (sid:2808090)
Sourcefire VRT ruleset:
- 2014-06-08 18:15:08 UTC - 46.226.194.6:80 - 192.168.204.230:50780 - EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (sid:30934)
- 2014-06-08 18:15:08 UTC - 192.168.204.230:50780 - 46.226.194.6:80 - EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (sid:30319)
SCREENSHOTS FROM THE TRAFFIC
Embedded JavaScript in page from compromised website:
Redirect pointing to Infinity EK:
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAPs: 2014-06-08-Infinity-EK-traffic.pcap.zip
- ZIP of the malware: 2014-06-08-Infinity-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.