2014-09-28 - NULL HOLE EK FROM 162.244.33.39 - POOLIE.VVK49.COM

ASSOCIATED FILES:

• ZIP of PCAP from the infection traffic:  2014-09-28-Null-Hole-EK-traffic.pcap.zip
• ZIP of PCAP from two failed attempts:  2014-09-28-Null-Hole-EK-failed-attempts.pcap.zip
• ZIP of the malware:  2014-09-28-Null-Hole-EK-malware.zip

 

NOTES (updated 2014-11-29):

• Today's EK traffic patterns were similar to a Styx infection I documented about 6 months ago on 2014-03-15, which is why I originally identified this as Styx EK.
• Kafeine researched this type of traffic, and he found it's Null Hole EK:  http://malware.dontneedcoffee.com/2014/11/call-me-null-hole-maybe.html
• The infected VM was running IE 8 and an outdated version of Flash.
• I tried it again on IE 10 without Flash while using out-of-date Java (6u25 and 7u13), but I could not infect the VM going that route.

• The compromised server that kicked off this infection chain is a WordPress site named bridepopmississippi.com.
• A search on Clean MX showed 11 URLs from bridepopmississippi.com were reported since 2014-08-18.  These were resolved; however, today a visit to bridepopmississippi.com kicked off an infection on my vulnerable VM.

URLs from bridepopmississippi.com reported to Clean MX

 

URL from bridepopmississippi.com reported to Scumware.org

 

Warning about bridepopmississippi.com from a Bing search

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 50.63.220.1 - bridepopmississippi.com - Compromised website
• 188.120.251.39 - rabiorik.ru - Redirect
• 162.244.33.39 - poolie.vvk49.com and cobalt.pss33.com - Null Hole EK
• various IP addresses - Post infection traffic using ephemeral ports on both TCP qand UDP

 

COMPROMISED WEBSITE AND REDIRECT:

• 01:30:59 UTC - 172.16.165.133:49213 - 50.63.220.1:80 - bridepopmississippi.com - GET /
• 01:31:09 UTC - 172.16.165.133:49245 - 188.120.251.39:80 - rabiorik.ru - GET /wlkzkir.cgi?default

 

NULL HOLE EK:

• 01:31:10 UTC - 172.16.165.133:49246 - 162.244.33.39:80 - poolie.vvk49.com - GET /TbCAgWPudohEQ
• 01:31:11 UTC - 172.16.165.133:49247 - 162.244.33.39:80 - poolie.vvk49.com - GET /TbCAgWPudohEQ/e.html
• 01:31:13 UTC - 172.16.165.133:49248 - 162.244.33.39:80 - poolie.vvk49.com - GET /TbCAgWPudohEQ/gzgBQVI.html
• 01:31:13 UTC - 172.16.165.133:49249 - 162.244.33.39:80 - poolie.vvk49.com - GET /TbCAgWPudohEQ/ERAnnQG.html
• 01:31:13 UTC - 172.16.165.133:49250 - 162.244.33.39:80 - poolie.vvk49.com - GET /TbCAgWPudohEQ/qtNDDUG.html
• 01:31:14 UTC - 172.16.165.133:49251 - 162.244.33.39:80 - poolie.vvk49.com - GET /TbCAgWPudohEQ/djIhQ.swf
• 01:31:17 UTC - 172.16.165.133:49252 - 162.244.33.39:80 - poolie.vvk49.com - GET /TbCAgWPudohEQ/loader2.exe&h=33

• NOTE: The redirect and EK traffic are repeated, but no exploit or payload are re-sent.

 

POST-INFECTION TRAFFIC (ENCRYPTED OR OTHERWISE OBFUSCATED):

• 1.175.221.30 port 59858 - UDP
• 89.165.191.55 port 40624 - UDP
• 89.165.191.55 port 39192 - TCP
• 111.242.29.3 port 47175 - TCP
• 178.63.51.9 port 24268 - UDP
• 178.63.51.9 port 52346 - TCP
• 182.65.41.203 port 30545 - UDP
• 182.65.41.203 port 22261 - TCP
• 190.39.82.189 port 54999 - UDP
• 190.39.82.189 port 53557 - TCP
• 201.167.17.104 port 23355 - UDP
• 201.167.17.104 port 21504 - TCP
• 203.185.17.170 port 30546 - UDP
• 203.185.17.170 port 51878 - TCP
• 220.136.84.102 port 42955 - UDP
• 220.136.84.102 port 53643 - TCP

 

ADDITIONAL FAILED ATTEMPTS TO INFECT A VM USING JAVA ONLY:

• 16:17:19 UTC - 192.168.204.142:49210 - 188.120.251.39:80 - rabiorik.ru - GET /xtbqkub.cgi?default
• 16:17:20 UTC - 192.168.204.142:49211 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ
• 16:17:21 UTC - 192.168.204.142:49212 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ/e.html
• 16:17:26 UTC - 192.168.204.142:49213 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ/gzgBQVI.html
• 16:17:26 UTC - 192.168.204.142:49214 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ/ERAnnQG.html
• 16:17:26 UTC - 192.168.204.142:49215 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ/qtNDDUG.html

• 16:27:13 UTC - 192.168.204.142:49387 - 188.120.251.39:80 - rabiorik.ru - GET /ctortzy.cgi?default
• 16:27:14 UTC - 192.168.204.142:49390 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ
• 16:27:15 UTC - 192.168.204.142:49391 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ/e.html
• 16:27:17 UTC - 192.168.204.142:49393 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ/gzgBQVI.html
• 16:27:17 UTC - 192.168.204.142:49394 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ/ERAnnQG.html
• 16:27:17 UTC - 192.168.204.142:49395 - 162.244.33.39:80 - cobalt.pss33.com - GET /TbCAgWPudohEQ/qtNDDUG.html

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-28-Null-Hole-EK-flash-exploit.swf
File size:  5.1 KB ( 5250 bytes )
MD5 hash:  07ca35c6a0c5b30929ad60b34ab1e8fa
Detection ratio:  1 / 55
First submission:  2014-09-28 15:00:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c641c2728a5b1e369f7f47bb776c6d20b27d613c8da9584250f78699a8a8609b/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-28-Null-Hole-EK-malware-payload.exe
File size:  170.6 KB ( 174652 bytes )
MD5 hash:  5469af0daa10f8acbe552cd2f1f6a6bb
Detection ratio:  10 / 55
First submission:  2014-09-27 09:25:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9bc99299191caf52ebe70a6c7052574c35c40d28f93aa8c163073e81aad9e148/analysis/

 

DROPPED MALWARE 1 OF 2 (FROM THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):

File name:  locolknx.exe
File size:  502.0 KB ( 513999 bytes )
MD5 hash:  e685038ae761603712282500b70f80ce
Detection ratio:  11 / 54
First submission:  2014-09-28 15:01:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1aee63c95c990a2d9e425967c33ecd9f4e80e2da3b1f2b0b3f2de0d9f56ddebe/analysis/

 

DROPPED MALWARE 2 OF 2 (FROM THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):

File name:  ncsfklmi.exe
File size:  628.0 KB ( 643072 bytes )
MD5 hash:  b06f9b65d08e81196fb4b4e471a197d8
Detection ratio:  17 / 54
First submission:  2014-09-28 15:02:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/868fd9273bf899981326024e07ad32f5f7a96d39059b50346250add5d80bc69d/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 01:31:17 UTC - 172.16.165.133:49252 - 162.244.33.39:80 - ET CURRENT_EVENTS Styx Exploit Kit Payload Download (sid:2016499)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

• 01:31:04 UTC - 50.63.220.1 - 172.16.165.133 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
• 01:31:12 UTC - 162.244.33.39:80 - 172.16.165.133:various - [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE (x15)
• 01:31:17 UTC - 162.244.33.39:80 - 172.16.165.133:49252 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected

 

HIGHLIGHTS FROM THE TRAFFIC

Embedded iframe after closing HTML tag in page from compromised website:

 

Redirect:

 

First HTTP reqeust to Null Hole EK:

 

Landing page for the EK:

 

EK send the EXE payload:

 

Example of the post-infection TCP traffic:

 

Example of the post-infection UDP traffic:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP from the infection traffic:  2014-09-28-Null-Hole-EK-traffic.pcap.zip
• ZIP of PCAP from two failed attempts:  2014-09-28-Null-Hole-EK-failed-attempts.pcap.zip
• ZIP of the malware:  2014-09-28-Null-Hole-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.