2014-06-23 - FLASHPACK EK FROM 46.21.159.163
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-06-23-FlashPack-EK-all-pcaps.zip
- ZIP file of the IE 8 infection artifacts/malware: 2014-06-23-FlashPack-EK-uses-CVE-2013-2551-artifacts.zip
- ZIP file of the IE 10 and IE 11 artifacts/malware: 2014-06-23-FlashPack-EK-for-IE-10-and-IE-11-artifacts.zip
NOTES:
- With the change in URL patterns for FlashPack EK (CritX EK) last week, I wanted to look into this a little more.
- There's still an extremely low detection rate for the Flash exploits. As I write this, VirusTotal shows a zero detection rate, and one of them was first submitted 5 days ago.
CHAIN OF EVENTS
COMPROMISED WEBSITE AND REDIRECT:
- 18:59:07 UTC - 172.16.253.139:49169 - 173.203.236.17:80 - www.thomaseye.com - GET /
- 18:59:11 UTC - 172.16.253.139:49177 - 77.66.47.228:80 - jscriptlink.com - GET /lnk
SUCCESSFUL INFECTION - IE 8 ONLY - CVE-2013-2551 EXPLOIT - FIRST RUN:
- 18:59:14 UTC - 172.16.253.139:49183 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/lscrambledc.php
- 18:59:14 UTC - 172.16.253.139:49186 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/yplayedu.js
- 18:59:15 UTC - 172.16.253.139:49183 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/tpyrrusyeti.php
- 18:59:15 UTC - 172.16.253.139:49186 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/pstraitsb/6c4e9f.js
- 18:59:19 UTC - 172.16.253.139:49183 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/sstrengthhesy.php [!]
SUCCESSFUL INFECTION - IE 8 ONLY - CVE-2013-2551 EXPLOIT - SECOND RUN:
- 22:19:34 UTC - 172.16.253.139:49182 - 46.21.159.163:80 - gujakol.materialett.com.ar - GET /repportage/jtraysp/sgleefule.php
- 22:19:35 UTC - 172.16.253.139:49185 - 46.21.159.163:80 - gujakol.materialett.com.ar - GET /repportage/jtraysp/yplayedu.js
- 22:19:37 UTC - 172.16.253.139:49182 - 46.21.159.163:80 - gujakol.materialett.com.ar - GET /repportage/jtraysp/ddoubtk.php
- 22:19:37 UTC - 172.16.253.139:49185 - 46.21.159.163:80 - gujakol.materialett.com.ar - GET /repportage/jtraysp/pstraitsb/e9b97.js
- 22:19:43 UTC - 172.16.253.139:49182 - 46.21.159.163:80 - gujakol.materialett.com.ar - GET /repportage/jtraysp/sstrengthhesy.php [!]
NO INFECTION - IE 10 WITH UP-TO-DATE JAVA (7 UPDATE 60) AND UP-TO-DATE FLASH (14.0.0.125):
- 20:38:18 UTC - 172.16.253.140:49201 - 46.21.159.163:80 - dioselaks.antenatv.info - GET /repportage/jtraysp/ibeneatht.php
- 20:38:18 UTC - 172.16.253.140:49202 - 46.21.159.163:80 - dioselaks.antenatv.info - GET /repportage/jtraysp/yplayedu.js
- 20:38:19 UTC - 172.16.253.140:49202 - 46.21.159.163:80 - dioselaks.antenatv.info - GET /repportage/jtraysp/denoughandn.php
- 20:38:21 UTC - 172.16.253.140:49202 - 46.21.159.163:80 - dioselaks.antenatv.info - GET /repportage/jtraysp/pstraitsb/5b91e.swf
SUCCESSFUL INFECTION - IE 11 WITH OUT-OF-DATE JAVA (7 UPDATE 21) AND OUT-OF-DATE FLASH (12.0.0.38):
- 21:49:06 UTC - 172.16.253.137:49212 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/uitselfi.php
- 21:49:06 UTC - 172.16.253.137:49211 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/yplayedu.js
- 21:49:10 UTC - 172.16.253.137:49211 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/mmedicinea.php
- 21:49:10 UTC - 172.16.253.137:49212 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/cwone.php
- 21:49:10 UTC - 172.16.253.137:49219 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/bcrankedk.php
- 21:49:11 UTC - 172.16.253.137:49212 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/pstraitsb/4f4c86.swf
- 21:49:20 UTC - 172.16.253.137:49212 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/tbarelyj.php?id=4 [!]
- 21:49:22 UTC - 172.16.253.137:49234 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/pstraitsb/c8e7bf6.jar
- 21:49:22 UTC - 172.16.253.137:49235 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/pstraitsb/c8e7bf6.jar
- 21:49:23 UTC - 172.16.253.137:49234 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/qsleevem.php?id=4 [!]
- 21:49:23 UTC - 172.16.253.137:49234 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/qsleevem.php?id=4/2
NOTE: Lines marked [!] are where the malware payload was delivered.
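Added example (not part of the original post): a small Python script that replays request lines in the format used above, picks out the FlashPack URI structure (word-like .php pages in one directory, hex-named .js/.swf/.jar exploit files in a subdirectory) and infers the payload fetch as the first EK .php request after an exploit file. The sample is constructed from the IE 8, IE 10 and IE 11 chains on this page; the [!] marks are kept only so the inference can be compared with the author's annotation.

```python
"""Replay FlashPack EK request lines and flag exploit files and payload fetches."""
import re
from collections import defaultdict
# Constructed sample: IE 8 first run, IE 10 and IE 11 chains from this page, a few
# lines dropped for brevity. "[!]" is the author's payload annotation, not log data.
SAMPLE = """\
18:59:14 UTC - 172.16.253.139:49183 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/lscrambledc.php
18:59:14 UTC - 172.16.253.139:49186 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/yplayedu.js
18:59:15 UTC - 172.16.253.139:49183 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/tpyrrusyeti.php
18:59:15 UTC - 172.16.253.139:49186 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/pstraitsb/6c4e9f.js
18:59:19 UTC - 172.16.253.139:49183 - 46.21.159.163:80 - dioselaks.lighthousecorppr.com - GET /repportage/jtraysp/sstrengthhesy.php [!]
20:38:18 UTC - 172.16.253.140:49201 - 46.21.159.163:80 - dioselaks.antenatv.info - GET /repportage/jtraysp/ibeneatht.php
20:38:21 UTC - 172.16.253.140:49202 - 46.21.159.163:80 - dioselaks.antenatv.info - GET /repportage/jtraysp/pstraitsb/5b91e.swf
21:49:06 UTC - 172.16.253.137:49212 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/uitselfi.php
21:49:11 UTC - 172.16.253.137:49212 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/pstraitsb/4f4c86.swf
21:49:20 UTC - 172.16.253.137:49212 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/tbarelyj.php?id=4 [!]
21:49:22 UTC - 172.16.253.137:49234 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/pstraitsb/c8e7bf6.jar
21:49:23 UTC - 172.16.253.137:49234 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/qsleevem.php?id=4 [!]
21:49:23 UTC - 172.16.253.137:49234 - 46.21.159.163:80 - dioselaks.carltiedemann.com - GET /repportage/jtraysp/qsleevem.php?id=4/2
"""
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):\d+ - [\d.]+:\d+ - "
                     r"(?P<host>\S+) - GET (?P<path>\S+)(?P<mark> \[!\])?$")
# URI structure seen in this traffic: one fixed directory, word-like .php pages, and
# hex-named exploit files in a subdirectory whose extension gives the exploit type.
EXPLOIT_RE = re.compile(r"^/repportage/jtraysp/pstraitsb/[0-9a-f]+\.(js|swf|jar)$")
PHP_RE = re.compile(r"^/repportage/jtraysp/[a-z]+\.php(\?|$)")

def summarize(text):
    """Per victim IP: exploit types served, payload fetches inferred (first EK .php
    request after an exploit file) and payload fetches annotated with [!]."""
    out = defaultdict(lambda: {"exploits": [], "inferred": 0, "annotated": 0, "pending": False})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a request line in the expected format
        s, path = out[m.group("src")], m.group("path")
        e = EXPLOIT_RE.match(path)
        if e:
            s["exploits"].append(e.group(1))
            s["pending"] = True  # an exploit was served; next EK .php is the payload
        elif PHP_RE.match(path) and s["pending"]:
            s["inferred"] += 1
            s["pending"] = False
        s["annotated"] += 1 if m.group("mark") else 0
    return {ip: {k: v for k, v in s.items() if k != "pending"} for ip, s in out.items()}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s)
```

On this sample the inferred payload fetches agree with the author's [!] marks in all three chains, including the IE 10 run where an exploit was served but no payload followed.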
EXAMPLE OF POST-INFECTION TRAFFIC:
- 18:59:20 UTC - 172.16.253.139:49191 - 185.14.28.72:80 - GET /pieces/get.php?v=d7e3cbaaf66c4d240a109a130319dda4030188ed3648ea28e9cc11eb
- 18:59:23 UTC - 172.16.253.139:49200 - 185.14.28.72:80 - GET /pieces/get.php?v=02cbbe65b068fbafc40d489e491c8b514904da62d493159da3e9471e
- 18:59:24 UTC - 172.16.253.139:49201 - 185.14.28.72:80 - GET /pieces/get.php?v=ac82a60b1e22e55a31c73249db5365f8db4af0b58509897f31a6a9b5
- 18:59:24 UTC - 172.16.253.139:49201 - 185.14.28.72:80 - GET /pieces/get.php?v=48f901e93bb9dcc14f5e29b0c5cc6c45bdb3f952baa1a3152f39a00c
- 18:59:25 UTC - 172.16.253.139:49201 - 185.14.28.72:80 - GET /pieces/get.php?v=1c1a0fcb03fd553617a1a225fd88d5dff57080def5d7bd88177d1999
PRELIMINARY MALWARE ANALYSIS
FLASH FILES NOTED:
- 4f4c86.swf - 9.8 KB ( 10081 bytes ) - MD5: a0411bf211e0a231deff1ffad7359f45 - VirusTotal link
- 4f4c86.uncompressed.swf - 10.9 KB ( 11125 bytes ) - MD5: 49aee9145e0033ed6b779bf3a8a5cf12 - VirusTotal link
- 5b91e.swf - 9.0 KB ( 9195 bytes ) - MD5: bd150a73b085a4d03a34f82ec53b3a88 - VirusTotal link
- 5b91e-uncompressed.swf - 10.1 KB ( 10295 bytes ) - MD5: fc9e97d31c2e3f6efb041e0ffb3e137b - VirusTotal link
JAVA EXPLOIT (SAME AS LAST WEEK):
File name: 2014-06-23-FlashPack-EK-java-exploit.jar
File size: 9.7 KB ( 9975 bytes )
MD5 hash: 565455c6f073356edcafa56763550e3a
Detection ratio: 6 / 54
First submission: 2014-06-16 17:49:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/f3ffe3750c49e5600af1adfb9c64b17195b330be26ff868f04e3a0aa3448a553/analysis/
MALWARE PAYLOAD:
File name: 2014-06-23-FlashPack-EK-malware-payload.exe
File size: 97.0 KB ( 99328 bytes )
MD5 hash: bceb0c2fc290e456f2e63282bc7d2271
Detection ratio: 3 / 54
First submission: 2014-06-23 19:31:59 UTC
VirusTotal link: https://www.virustotal.com/en/file/4091d335b5ad0340357173a28ee7006a430a406e6be8aafd65d739cf6d52a588/analysis/
Malwr link: https://malwr.com/analysis/MDdjMTM2ZTIwOGNmNDUzNGE5ZWQzMmQzNTg4MDg0N2Q/
SNORT EVENTS - IE 8 INFECTION
- 2014-06-23 18:59:14 UTC - 46.21.159.163:80 - 172.16.253.139:49183 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing 2 (sid:2018577)
- 2014-06-23 18:59:19 UTC - 46.21.159.163:80 - 172.16.253.139:49183 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
- 2014-06-23 18:59:19 UTC - 46.21.159.163:80 - 172.16.253.139:49183 - EXPLOIT-KIT CritX exploit kit Portable Executable download (sid:24791)
- 2014-06-23 18:59:19 UTC - 46.21.159.163:80 - 172.16.253.139:49183 - EXPLOIT-KIT CritX exploit kit payload download attempt (sid:29167)
- 2014-06-23 18:59:19 UTC - 46.21.159.163:80 - 172.16.253.139:49183 - EXPLOIT-KIT Multiple exploit kit payload download (sid:28593)
NOTE: These Snort events were taken from Sguil on Security Onion.
SNORT EVENTS - IE 11 INFECTION
- 46.21.159.163:80 - 172.16.253.137:49212 - ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing 2 (sid:2018577)
- 192.168.204.167:44327 - 192.168.204.2:53 - BAD-TRAFFIC dns request with long host name segment - possible data exfiltration attempt (sid:30881)
- 172.16.253.137:49212 - 46.21.159.163:80 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack Possible Paylod URI Struct June 18, 2014 (sid:2808209)
- 46.21.159.163:80 - 172.16.253.137:49212 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (sid:2017297)
- 46.21.159.163:80 - 172.16.253.137:49212 - EXPLOIT-KIT CritX exploit kit Portable Executable download (sid:24791)
- 46.21.159.163:80 - 172.16.253.137:49212 - EXPLOIT-KIT CritX exploit kit payload download attempt (sid:29167)
- 46.21.159.163:80 - 172.16.253.137:49212 - EXPLOIT-KIT Multiple exploit kit payload download (sid:28593)
- 46.21.159.163:80 - 172.16.253.137:49234 - EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (sid:25042)
SCREENSHOTS OF THE TRAFFIC
Embedded javascript in page from compromised website:
Redirect pointing to FlashPack EK:
FlashPack EK delivers payload on VM running only IE 8 (after sending CVE-2013-2551 exploit):
FlashPack EK delivers payload on VM running IE 11 after Flash exploit:
FlashPack EK delivers same payload again on the same VM running IE 11 after Java exploit:
Here's the Flash exploit sent for the failed infection attempt on the IE 10 VM with up-to-date Flash and Java:
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-06-23-FlashPack-EK-all-pcaps.zip
- ZIP file of the IE 8 infection artifacts/malware: 2014-06-23-FlashPack-EK-uses-CVE-2013-2551-artifacts.zip
- ZIP file of the IE 10 and IE 11 artifacts/malware: 2014-06-23-FlashPack-EK-for-IE-10-and-IE-11-artifacts.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.