2014-09-18 - TWO DIFFERENT FIESTA EK INFECTIONS TRIGGERED BY THE SAME COMPROMISED WEBSITE
ASSOCIATED FILES:
- ZIP of the pcap: 2014-09-18-Fiesta-EK-traffic.pcap.zip
- ZIP of the malware: 2014-09-18-Fiesta-EK-malware.zip
NOTES:
- Today's compromised website triggered two different Fiesta EK infection chains.
- The first was regular Fiesta by a serveminecraft.net domain.
- The second was what I'm calling "new Fiesta", originally reported by Kimberly on 2014-08-29 at stopmalvertising.com (link).
- Exploits and malware appear to be the same for both sets of Fiesta EK traffic.
- I couldn't get the malware payload from the infected VM, but it was a Zemot downloader.
- The Zemot malware downloaded Rerdom. My infected VM generated a large amount of click-fraud traffic (only the very start of it is included in the pcap).
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 174.143.248.12 - www.newreleasetuesday.com - compromised website
- 89.111.177.208 - www.courieru.com - redirect (gate) for new Fiesta
- 209.239.114.232 - aahndhcph.serveminecraft.net - regular Fiesta
- 104.28.14.101 - hxrgy.ianlar.in - new Fiesta
- various IP addresses - various domains - post-infection traffic (see below)
PAGE FROM COMPROMISED WEBSITE:
- 13:02:52 UTC - 192.168.204.163:49300 - 174.143.248.12:80 - www.newreleasetuesday.com - GET /lyricsdetail.php?lyrics_id=84509
REGULAR FIESTA INFECTION PATH:
- 13:02:54 UTC - 192.168.204.163:49315 - 174.143.248.12:80 - www.newreleasetuesday.com - GET /new-layout/wayout-menu/js/demo.js
- 13:03:06 UTC - 192.168.204.163:49383 - 174.143.248.12:80 - www.newreleasetuesday.com - GET /includes/home2/defaults.php
REGULAR FIESTA:
- 13:03:07 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/counter.php?fid=2
- 13:03:08 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/2
- 13:03:10 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/30b5c3cbbc6270f24047040e5108525a0201560e5751535906045354070b5254;118800;
- 13:03:10 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/6ac7b4b8b3c8455b5f040f0c500f53000750570c5656520303555256060c530e
- 13:03:12 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/1c4f9a5690bc20165d0a565d0b5a040e0052005d0d03050d045705075d590400;910
- 13:03:12 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/5ac856f662bbc6e4460d1503070d570e045057030154560d00555259510e5700;4060531
- 13:03:15 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/51a63117a0c26ba656410a0d010a000f0400550d0753010c000550575709000f;4
- 13:03:16 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/51a63117a0c26ba656410a0d010a000f0400550d0753010c000550575709000f;4;1
- 13:03:17 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/13a1afc0477a46a152430a0a535d52080002550a5504530b04075050055e5206;6
- 13:03:19 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/13a1afc0477a46a152430a0a535d52080002550a5504530b04075050055e5206;6;1
- 13:03:41 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/783c376b477a46a154485858010c075a0609075807550659020c0202570f0754;5
- 13:03:42 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/783c376b477a46a154485858010c075a0609075807550659020c0202570f0754;5;1
- 13:03:43 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/0cd1ac8fe4c4b6c75111050a5358095e0152500a5501085d05575550055b0950
- 13:03:50 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/27e348a18c717907514f00080603500903065108005a510a0703545250005007;1;2
- 13:03:57 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/27e348a18c717907514f00080603500903065108005a510a0703545250005007;1;2;1
NEW FIESTA INFECTION PATH:
- 13:02:59 UTC - 192.168.204.163:49340 - 174.143.248.12:80 - www.newreleasetuesday.com - GET /ads/www/delivery/ajs.php?zoneid=[long string]
- 13:03:09 UTC - 192.168.204.163:49394 - 89.111.177.208:80 - www.courieru.com - GET /cache/joomsef/
NEW FIESTA:
- 13:03:13 UTC - hxrgy.ianlar.in - GET /gr06phja/rtu.swf?7.119674176952573
- 13:03:15 UTC - hxrgy.ianlar.in - GET /gr06phja/rtu.php?7.119674176952573
- 13:03:15 UTC - hxrgy.ianlar.in - GET /pofrj4l/2
- 13:03:19 UTC - hxrgy.ianlar.in - GET /gr06phja/rtp.xap?7.119674176952573
- 13:03:35 UTC - hxrgy.ianlar.in - GET /pofrj4l/1c3aa42e193cef884214555a530f03540250035a5556025e04570200050c0300;118800;
- 13:03:35 UTC - hxrgy.ianlar.in - GET /pofrj4l/6193bb511696da215f54550850590400050209085600050a03050852065a0454
- 13:03:36 UTC - hxrgy.ianlar.in - GET /pofrj4l/2a7fdce935e2bf6c5e08555d565854080152075d5001550207550607005b545c;910
- 13:03:36 UTC - hxrgy.ianlar.in - GET /pofrj4l/1afdb8cbc7e5599e420d105f500352530252565f565a53590455570506005207;4060531
- 13:03:38 UTC - hxrgy.ianlar.in - GET /pofrj4l/744d837bbc142eb454445f5f0a0806530407045f0c510759020005055c0b0453;4
- 13:03:38 UTC - hxrgy.ianlar.in - GET /pofrj4l/744d837bbc142eb454445f5f0a0806530407045f0c510759020005055c0b0453;4;1
- 13:03:39 UTC - hxrgy.ianlar.in - GET /pofrj4l/31103c19e224d9db50415a0b015800080002010b0701010206050051575b005c;6
- 13:03:40 UTC - hxrgy.ianlar.in - GET /pofrj4l/31103c19e224d9db50415a0b015800080002010b0701010206050051575b005c;6;1
- 13:03:43 UTC - hxrgy.ianlar.in - GET /pofrj4l/2ccefbe3e224d9db5113085e545954020150535e5200550807575204025a5456;5
- 13:03:44 UTC - hxrgy.ianlar.in - GET /pofrj4l/2ccefbe3e224d9db5113085e545954020150535e5200550807575204025a5456;5;1
- 13:03:44 UTC - hxrgy.ianlar.in - GET /pofrj4l/77a14b6d419a29bd5645000a065907550404510a0000065f02035050505a0701
- 13:03:49 UTC - hxrgy.ianlar.in - GET /pofrj4l/17390657292fe67d524f5602020d0406020403020454050c04030258540e0452;1;2
- 13:03:50 UTC - hxrgy.ianlar.in - GET /pofrj4l/17390657292fe67d524f5602020d0406020403020454050c04030258540e0452;1;2;1
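The two request lists above share one path structure: a short directory name, a 64-hex-character token, then the same run of ;-delimited suffixes (118800, 910, 4060531, 4, 4;1, 6, 6;1, 5, 5;1, 1;2, 1;2;1) on both hosts, which is the pattern behind the note that the exploits appear identical for both chains. As an added example that is not part of the original post, this Python parses request lines in the page's own "time - host - GET path" format with that heuristic and checks whether the Fiesta hosts serve the same suffix sequence; the sample lines are copied from the lists above, and the regex is derived from those lists, not from any Fiesta specification.

```python
import re
from collections import defaultdict

# Sample request lines copied from the two Fiesta request lists above
# (page format: "HH:MM:SS UTC - host - GET path"); a subset is enough.
SAMPLE_LINES = """\
13:03:07 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/counter.php?fid=2
13:03:08 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/2
13:03:10 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/30b5c3cbbc6270f24047040e5108525a0201560e5751535906045354070b5254;118800;
13:03:12 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/1c4f9a5690bc20165d0a565d0b5a040e0052005d0d03050d045705075d590400;910
13:03:12 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/5ac856f662bbc6e4460d1503070d570e045057030154560d00555259510e5700;4060531
13:03:15 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/51a63117a0c26ba656410a0d010a000f0400550d0753010c000550575709000f;4
13:03:16 UTC - aahndhcph.serveminecraft.net - GET /me5jgv9/51a63117a0c26ba656410a0d010a000f0400550d0753010c000550575709000f;4;1
13:03:15 UTC - hxrgy.ianlar.in - GET /pofrj4l/2
13:03:35 UTC - hxrgy.ianlar.in - GET /pofrj4l/1c3aa42e193cef884214555a530f03540250035a5556025e04570200050c0300;118800;
13:03:36 UTC - hxrgy.ianlar.in - GET /pofrj4l/2a7fdce935e2bf6c5e08555d565854080152075d5001550207550607005b545c;910
13:03:36 UTC - hxrgy.ianlar.in - GET /pofrj4l/1afdb8cbc7e5599e420d105f500352530252565f565a53590455570506005207;4060531
13:03:38 UTC - hxrgy.ianlar.in - GET /pofrj4l/744d837bbc142eb454445f5f0a0806530407045f0c510759020005055c0b0453;4
13:03:38 UTC - hxrgy.ianlar.in - GET /pofrj4l/744d837bbc142eb454445f5f0a0806530407045f0c510759020005055c0b0453;4;1
""".splitlines()

# Heuristic taken from the lists above, not from any Fiesta specification:
# a short alphanumeric directory, a 64-hex-character token, then zero or more
# ";<digits>" groups (the first request carries a trailing ";").
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d UTC) - (?P<host>\S+) - GET "
    r"/(?P<dir>[a-z0-9]+)/(?P<token>[0-9a-f]{64})(?P<suffix>(?:;\d*)*)$"
)

def parse_requests(lines):
    """Return one dict per line whose path matches the token structure;
    landing-page and counter.php requests are left out on purpose."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["suffix"] = rec["suffix"].strip(";")  # ";118800;" -> "118800"
            records.append(rec)
    return records

def suffix_sequences(records):
    """Suffixes per host in request order: the exploit-delivery sequence.
    Note the same token recurs with ";N" and then ";N;1" on both hosts."""
    seqs = defaultdict(list)
    for rec in records:
        seqs[rec["host"]].append(rec["suffix"])
    return dict(seqs)

def hosts_share_sequence(lines):
    """True when more than one host matched and all serve the same sequence."""
    seqs = suffix_sequences(parse_requests(lines))
    return len(seqs) > 1 and len({tuple(s) for s in seqs.values()}) == 1

if __name__ == "__main__":
    for host, seq in suffix_sequences(parse_requests(SAMPLE_LINES)).items():
        print(f"{host}: {' '.join(seq)}")
    print("same sequence on both hosts:", hosts_share_sequence(SAMPLE_LINES))
```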
POST-INFECTION TRAFFIC:
- 13:03:20 UTC - 192.168.204.163:49405 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54613
- 13:03:21 UTC - 192.168.204.163:49406 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54613
- 13:03:22 UTC - 192.168.204.163:49407 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54613
- 13:03:23 UTC - 192.168.204.163:49408 - 188.231.173.105:80 - wildkit.su - GET /mod_articles-auth-65.4/jquery/
- 13:03:23 UTC - 192.168.204.163:49409 - 188.231.173.105:80 - wildkit.su - GET /mod_articles-auth-65.4/jquery/
- 13:03:42 UTC - 192.168.204.163:49424 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54605
- 13:03:43 UTC - 192.168.204.163:49426 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54605
- 13:03:45 UTC - 192.168.204.163:49430 - 188.231.173.105:80 - wildkit.su - GET /mod_articles-auth-65.4/jquery/
- 13:03:47 UTC - 192.168.204.163:49432 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54605
- 13:03:48 UTC - 192.168.204.163:49433 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54605
- 13:03:48 UTC - 192.168.204.163:49434 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54613
- 13:03:49 UTC - 192.168.204.163:49435 - 188.231.173.105:80 - wildkit.su - GET /mod_articles-auth-65.4/jquery/
- 13:03:49 UTC - 192.168.204.163:49437 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54613
- 13:03:50 UTC - 192.168.204.163:49438 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54605
- 13:03:50 UTC - 192.168.204.163:49440 - 188.231.173.105:80 - wildkit.su - GET /mod_articles-auth-65.4/jquery/
- 13:03:50 UTC - 192.168.204.163:49441 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54605
- 13:03:52 UTC - 192.168.204.163:49442 - 188.231.173.105:80 - wildkit.su - GET /mod_articles-auth-65.4/jquery/
- 13:03:54 UTC - 192.168.204.163:49443 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54605
- 13:03:55 UTC - 192.168.204.163:49444 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54605
- 13:03:55 UTC - 192.168.204.163:49445 - 188.231.173.105:80 - wildkit.su - GET /mod_articles-auth-65.4/jquery/
- 13:03:57 UTC - 192.168.204.163:49446 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54613
- 13:03:58 UTC - 192.168.204.163:49448 - 109.86.83.167:80 - warzine.su - GET /b/shoe/54613
- 13:03:59 UTC - 192.168.204.163:49449 - 188.231.173.105:80 - wildkit.su - GET /mod_articles-auth-65.4/jquery/
- 13:05:55 UTC - 192.168.204.163:49159 - 95.133.14.212:80 - wildkit.su - GET /mod_jshoppi-14.9/soft32.dll
- 13:06:13 UTC - 192.168.204.163:49160 - 91.207.86.210:80 - kinure-desrt.su - GET /b/eve/70e1c3a41286d4ca0e408445
- 13:06:50 UTC - 192.168.204.163:49161 - 46.63.66.102:80 - kinure-desrt.su - POST /b/opt/055C88E975797D28171E6A46
- 13:06:51 UTC - 192.168.204.163:49162 - 46.63.66.102:80 - kinure-desrt.su - GET /b/letr/1B95240AE9F15AFF8B964D91
- 13:06:52 UTC - 192.168.204.163:49163 - 207.244.68.117:8080 - 207.244.68.117:8080 - POST /b/opt/59D1C6F4D1ABC871B3CCDF1F
- 13:06:54 UTC - 192.168.204.163:49164 - 207.244.68.117:8080 - 207.244.68.117:8080 - GET /b/letr/00C1EE843EBC22255CDB354B
- 13:06:54 UTC - 192.168.204.163:49165 - 162.248.167.184:443 - 162.248.167.184:443 - POST /b/opt/866178D426287D50444F6A3E
- 13:07:13 UTC - 192.168.204.163:49166 - 162.248.167.184:443 - 162.248.167.184:443 - POST /b/req/F89D6159AB792582C91E32EC
- 13:07:36 UTC - 192.168.204.163:49167 - 162.248.167.184:443 - 162.248.167.184:443 - POST /b/req/758C792D3C9D7A8B5EFA6DE5
CLICK FRAUD TRAFFIC BEGINS:
- 13:07:38 UTC - 192.168.204.163:49168 - 46.161.41.220:80 - syserty-war.com - GET /
- 13:07:38 UTC - 192.168.204.163:49170 - 46.161.41.220:80 - verysecongig.com - GET /
- 13:07:38 UTC - 192.168.204.163:49172 - 46.161.41.220:80 - num-lnkd.com - GET /
- 13:07:38 UTC - 192.168.204.163:49173 - 46.161.41.220:80 - handredder.com - GET /
- 13:07:38 UTC - 192.168.204.163:49171 - 46.161.41.220:80 - page-insert.com - GET /
PRELIMINARY MALWARE ANALYSIS
FIRST FLASH FILE (FROM THE "NEW FIESTA" TRAFFIC):
File name: 2014-09-18-Fiesta-EK-first-flash-file.swf
File size: 2.2 KB ( 2273 bytes )
MD5 hash: 17ed0f7fd3e648411e021eab6ef78cf9
Detection ratio: 1 / 55
First submission: 2014-09-18 14:48:43 UTC
VirusTotal link: https://www.virustotal.com/en/file/72e498e7ed60a4384b2d613bff7ac9454505f4471fcccd4e8006ac71ed9e40d1/analysis/
FIRST SILVERLIGHT FILE (FROM THE "NEW FIESTA" TRAFFIC):
File name: 2014-09-18-Fiesta-EK-first-silverlight-file.xap
File size: 3.7 KB ( 3750 bytes )
MD5 hash: c1d01850216cd0d9b02065f27de7f0a8
Detection ratio: 0 / 53
First submission: 2014-09-18 14:46:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/f488f82eac46e71c73178253a9a97825a168a44a8255e8d87057d580c2fca745/analysis/
FLASH EXPLOIT:
File name: 2014-09-18-Fiesta-EK-flash-exploit.swf
File size: 10.0 KB ( 10209 bytes )
MD5 hash: 36912f3f0398594a8ae1b2962c21e528
Detection ratio: 3 / 55
First submission: 2014-09-18 15:45:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/1de4e29cb0f3fc115c70a4082919a2e47760d52ab0a10536dbf1b2c995feb3a6/analysis/
JAVA EXPLOIT:
File name: 2014-09-18-Fiesta-EK-java-exploit.jar
File size: 5.1 KB ( 5220 bytes )
MD5 hash: 5d4a1572061b2c09b46f99e9ad7a62b2
Detection ratio: 3 / 55
First submission: 2014-09-18 14:47:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/9f559797bc19451242603cd81ad3a29010ad890a43fadd79839e344bfcc7a54c/analysis/
PDF EXPLOIT:
File name: 2014-09-18-Fiesta-EK-pdf-exploit.pdf
File size: 7.3 KB ( 7451 bytes )
MD5 hash: d1ba9ac63d9c80b725f939a5f99c4727
Detection ratio: 4 / 54
First submission: 2014-09-18 14:47:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/a56f22010aee681d4aa77795b86955df761ea65637809178d356eaf3aa3a7738/analysis/
SILVERLIGHT EXPLOIT:
File name: 2014-09-18-Fiesta-EK-silverlight-exploit.xap
File size: 18.8 KB ( 19284 bytes )
MD5 hash: 8c9e47e6f7802b65428b31c8f28bc899
Detection ratio: 2 / 54
First submission: 2014-09-17 18:42:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/897e5a20b6b3dd925d1ea5b6fdc657bfa3dff3582050aee0dae7b295c3042d59/analysis/
RERDOM MALWARE FROM THE COMPROMISED VM:
File name: UpdateFlashPlayer_92ad4ca3.exe
File size: 164.0 KB ( 167936 bytes )
MD5 hash: 5ac521e0e93c3bee7b99ada635e6a0de
Detection ratio: 8 / 54
First submission: 2014-09-18 14:48:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/14c735ebfc4a42f2172e1195111f2ccedf47cd2a2368322e3455b600179da886/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-09-18 13:03:11 UTC - 192.168.204.163:49397 - 209.239.114.232:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
- 2014-09-18 13:03:12 UTC - 209.239.114.232:80 - 192.168.204.163:49397 - ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved (sid:2014316)
- 2014-09-18 13:03:12 UTC - 209.239.114.232:80 - 192.168.204.163:49397 - ET WEB_CLIENT PDF With Embedded File (sid:2011507)
- 2014-09-18 13:03:12 UTC - 209.239.114.232:80 - 192.168.204.163:49397 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
- 2014-09-18 13:03:12 UTC - 209.239.114.232:80 - 192.168.204.163:49397 - ET CURRENT_EVENTS Fiesta PDF Exploit Download (sid:2018408)
- 2014-09-18 13:03:12 UTC - 209.239.114.232:80 - 192.168.204.163:49397 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) (sid:2016001)
- 2014-09-18 13:03:12 UTC - 209.239.114.232:80 - 192.168.204.163:49398 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
- 2014-09-18 13:03:20 UTC - 192.168.204.163:49405 - 109.86.83.167:80 - ETPRO TROJAN Win32/Zemot User-Agent (sid:2808499)
- 2014-09-18 13:03:20 UTC - 192.168.204.163:49405 - 109.86.83.167:80 - ET TROJAN Win32/Zemot Checkin (sid:2018643 and 2018644)
- 2014-09-18 13:03:36 UTC - 104.28.14.101:80 - 192.168.204.163:49411 - ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved (sid:2014316)
- 2014-09-18 13:03:36 UTC - 104.28.14.101:80 - 192.168.204.163:49411 - ET WEB_CLIENT PDF With Embedded File (sid:2011507)
- 2014-09-18 13:03:36 UTC - 104.28.14.101:80 - 192.168.204.163:49411 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
- 2014-09-18 13:03:36 UTC - 104.28.14.101:80 - 192.168.204.163:49411 - ET CURRENT_EVENTS Fiesta PDF Exploit Download (sid:2018408)
- 2014-09-18 13:03:36 UTC - 104.28.14.101:80 - 192.168.204.163:49411 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) (sid:2016001)
- 2014-09-18 13:03:36 UTC - 104.28.14.101:80 - 192.168.204.163:49413 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
- 2014-09-18 13:03:42 UTC - 188.231.173.105:80 - 192.168.204.163:49408 - ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload (sid:2018914)
- 2014-09-18 13:03:42 UTC - 188.231.173.105:80 - 192.168.204.163:49408 - ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) (sid:2018572)
- 2014-09-18 13:03:42 UTC - 188.231.173.105:80 - 192.168.204.163:49408 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File (sid:2008438)
- 2014-09-18 13:03:43 UTC - 192.168.204.163:49422 - 209.239.114.232:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
- 2014-09-18 13:03:43 UTC - 192.168.204.163:49422 - 209.239.114.232:80 - ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain (sid:2016582)
- 2014-09-18 13:05:55 UTC - 192.168.204.163:49159 - 95.133.14.212:80 - ET TROJAN Win32/Zemot Config Download (sid:2018661)
- 2014-09-18 13:06:13 UTC - 192.168.204.163:49160 - 91.207.86.210:80 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon (sid:2018096)
- 2014-09-18 13:06:13 UTC - 91.207.86.210:80 - 192.168.204.163:49160 - ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement (sid:2018097)
- 2014-09-18 13:06:50 UTC - 192.168.204.163:49161 - 46.63.66.102:80 - ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon (sid:2018098)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):
- 2014-09-18 13:03:10.486885 192.168.204.163:various - 209.239.114.232:80 - [1:29443:7] EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (x26)
- 2014-09-18 13:03:10.761877 209.239.114.232:80 - 192.168.204.163:49395 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
- 2014-09-18 13:03:12.284759 209.239.114.232:80 - 192.168.204.163:49397 - [1:23041:4] FILE-PDF EmbeddedFile contained within a PDF
- 2014-09-18 13:03:12.284759 209.239.114.232:80 - 192.168.204.163:49397 - [1:28238:1] EXPLOIT-KIT Multiple exploit kits malicious pdf download
- 2014-09-18 13:03:12.366244 209.239.114.232:80 - 192.168.204.163:49398 - [1:28612:2] EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (x2)
- 2014-09-18 13:03:18.482554 192.168.204.163:various - 192.168.204.2:53 - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query (x9)
- 2014-09-18 13:03:36.119822 104.28.14.101:80 - 192.168.204.163:49410 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
- 2014-09-18 13:03:36.415562 104.28.14.101:80 - 192.168.204.163:49411 - [1:23041:4] FILE-PDF EmbeddedFile contained within a PDF
- 2014-09-18 13:03:36.415562 104.28.14.101:80 - 192.168.204.163:49411 - [1:28238:1] EXPLOIT-KIT Multiple exploit kits malicious pdf download
- 2014-09-18 13:03:36.493926 104.28.14.101:80 - 192.168.204.163:49413 - [1:28612:2] EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (x2)
- 2014-09-18 13:03:42.324261 188.231.173.105:80 - 192.168.204.163:49408 - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection
- 2014-09-18 13:03:42.324261 188.231.173.105:80 - 192.168.204.163:various - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x6)
- 2014-09-18 13:03:42.474953 188.231.173.105:80 - 192.168.204.163:various - [1:28809:3] MALWARE-CNC Win.Trojan.Dofoil outbound connection (x2)
- 2014-09-18 13:03:43.564340 209.239.114.232:80 - 192.168.204.163:49422 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt
- 2014-09-18 13:03:44.972676 104.28.15.101:80 - 192.168.204.163:49425 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt
- 2014-09-18 13:06:13.263078 192.168.204.163:49160 - 91.207.86.210:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection
- 2014-09-18 13:06:50.612183 192.168.204.163:various - 46.63.66.102:80 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection (x2)
- 2014-09-18 13:06:52.961823 192.168.204.163:various - 207.244.68.117:8080 - [1:29356:1] MALWARE-CNC Win.Trojan.Cidox variant outbound connection (x2)
PATH TO THE REGULAR FIESTA EK
In file demo.js from the compromised website, there is some hexadecimal obfuscated script at the end of the file. That hexadecimal code translates to the next URL in the infection chain:
This HTTP GET request returns an iframe pointing to the landing page for regular Fiesta:
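The decoding step described in the two sentences above (hex-obfuscated script whose decoded form names the next URL, followed by a response carrying an iframe to the landing page) as an added Python example, not the post's own code: it peels the common hex encodings off an injected script tail and lists the URLs the result references. The page does not reproduce the actual demo.js content, so the sample script is constructed inline around the placeholder host gate.invalid, and the encodings handled (\xNN string escapes, %NN for unescape(), String.fromCharCode) are general ones, not a claim about what this particular injection used.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def decode_hex_layers(script: str) -> str:
    """Peel the hex encodings commonly used in injected script tails:
    String.fromCharCode(0xNN, NN, ...) calls, "\\xNN" JavaScript string
    escapes, and "%NN" sequences meant for unescape().  Repeats until the
    text stops changing, since one layer often wraps another."""
    def from_char_code(m):
        args = re.findall(r"0x[0-9a-fA-F]+|\d+", m.group(1))
        return "".join(chr(int(a, 16) if a.lower().startswith("0x") else int(a)) for a in args)
    prev = None
    while prev != script:
        prev = script
        script = re.sub(r"String\.fromCharCode\(([^)]*)\)", from_char_code, script)
        script = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), script)
        script = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), script)
    return script

def extract_urls(script: str) -> list[str]:
    """Distinct URLs (iframe/script src or bare strings) in the decoded script."""
    return sorted(set(URL_RE.findall(decode_hex_layers(script))))

# Constructed sample, not the actual demo.js tail: a hidden 1x1 iframe to a
# placeholder host (the path reuses the one from this page's infection chain),
# obfuscated four different ways so the decoder can be checked against each.
PLAIN = '<iframe src="http://gate.invalid/includes/home2/defaults.php" width=1 height=1></iframe>'
def js_escape(s): return "".join(f"\\x{ord(c):02x}" for c in s)
def percent(s): return "".join(f"%{ord(c):02x}" for c in s)
def char_codes(s): return "String.fromCharCode(" + ",".join(f"0x{ord(c):02x}" for c in s) + ")"

SAMPLE_SCRIPTS = {
    "js_escape": 'document.write("' + js_escape(PLAIN) + '");',
    "unescape": "document.write(unescape('" + percent(PLAIN) + "'));",
    "fromcharcode": "document.write(" + char_codes(PLAIN) + ");",
    # percent-encoded wrapper around a \x-escaped payload: two layers deep
    "nested": "eval(unescape('" + percent('document.write("' + js_escape(PLAIN) + '")') + "'));",
}

if __name__ == "__main__":
    for name, script in SAMPLE_SCRIPTS.items():
        print(f"{name:13s} -> {extract_urls(script)}")
```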
The first HTTP GET request for ad traffic from the compromised site returned content with some script injected at the beginning. That script points to the next URL in the infection chain:
HTML returned from this HTTP GET request starts the "new Fiesta" traffic from hxrgy.ianlar.in:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-09-18-Fiesta-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-09-18-Fiesta-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.