2015-01-08 - MALWARE HOSTED ON 82.244.160.22

ASSOCIATED FILES:

• Archive of associated pcap files:  2015-01-08-pcap-files-associated-with-malware-from-82.244.160.22.zip
• Archive of malware samples:  2015-01-08-associated-malware.zip

 

NOTES:

• In December 2014, Threatglass reported a series of compromised websites that generated an iframe to download malware from 82.244.160.22.
• Each of these websites returned javascript with a malicious iframe before the initial <html> tag.
• The malicious iframes all pointed to domains ending with .undo.it in the target URL.
• Each .undo.it domain was hosted on 82.244.160.22
• All URLs in the malicious iframes ended with:  /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• The malware never fully downloaded--in each example, the TCP session ended prematurely with a RST from the server.
• To get the malware, you can substitute the IP address for the domain name in the URL and use a web browser to download it.
• The site is still active.  Anyone can download malware using the above method (at least for now).
• 82.244.160.22 appears to be hosting two different types of malware: one is digitally signed, and the other is not.

 

COMPROMISED WEBSITES NOTED ON THREATGLASS:

• 2014-12-13 - http://threatglass.com/malicious_urls/inecnigeria-org
• 2014-12-14 - http://threatglass.com/malicious_urls/gourmetdelices-com
• 2014-12-15 - http://threatglass.com/malicious_urls/www-hillsborohollydays-org
• 2014-12-16 - http://threatglass.com/malicious_urls/inecnigeria-org-2014-12-16
• 2014-12-18 - http://threatglass.com/malicious_urls/inecnigeria-org-2014-12-18
• 2014-12-20 - http://threatglass.com/malicious_urls/inecnigeria-org-2014-12-20
• 2014-12-23 - http://threatglass.com/malicious_urls/inecnigeria-org-2014-12-23
• 2014-12-25 - http://threatglass.com/malicious_urls/inecnigeria-org-2014-12-25
• 2014-12-26 - http://threatglass.com/malicious_urls/martindupree-com
• 2014-12-27 - http://threatglass.com/malicious_urls/www-kettles-eno-com
• 2014-12-28 - http://threatglass.com/malicious_urls/transglobeblog-com
• 2014-12-29 - http://threatglass.com/malicious_urls/www-ehforums-com

 

EXAMPLES OF THE MALICIOUS IFRAME FROM THE COMPROMISED WEBSITE:

 

GET REQUESTS AND MALWARE

ASSOCIATED GET REQUESTS FOR .UNDO.IT DOMAINS:

• 2014-12-13 07:43:01 UTC - 82.244.160.22 - sportpilot.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-14 08:15:03 UTC - 82.244.160.22 - yourcfs.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-15 12:25:11 UTC - 82.244.160.22 - anarchistischesforumkoeln.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-16 20:03:57 UTC - 82.244.160.22 - thejamesquigleyfund.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-18 18:41:19 UTC - 82.244.160.22 - rentalworkbook.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-20 01:50:01 UTC - 82.244.160.22 - kassranz.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-23 09:40:12 UTC - 82.244.160.22 - blackdiamond-products.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-25 16:37:05 UTC - 82.244.160.22 - marketing-for-accountants.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-26 00:08:26 UTC - 82.244.160.22 - portablelife.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-27 20:22:51 UTC - 82.244.160.22 - norwichterrierclub.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-28 08:56:49 UTC - 82.244.160.22 - dillonstein.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php
• 2014-12-29 00:36:05 UTC - 82.244.160.22 - cinema4us.undo.it - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php

• After 2014-12-29, I used the IP instead of a domain name: 82.244.160.22 - GET /zp/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/main.php

 

ATTEMPTED MALWARE DOWNLOADS FROM THE THREATGLASS PCAPS:

• 2014-12-13 - Content-Length: 451729 - filename=PDF_Viewer.exe
• 2014-12-14 - Content-Length: 483966 - filename=PDF_Viewer.exe
• 2014-12-15 - Content-Length: 445066 - filename=PDF_Viewer.exe
• 2014-12-16 - Content-Length: 425809 - filename=install_flash_player.exe
• 2014-12-18 - Content-Length: 415096 - filename=install_flash_player.exe
• 2014-12-20 - Content-Length: 478985 - filename=install_flash_player.exe
• 2014-12-23 - Content-Length: 399594 - filename=install_flash_player.exe
• 2014-12-25 - Content-Length: 483623 - filename=PDF_Viewer.exe
• 2014-12-26 - Content-Length: 521906 - filename=PDF_Viewer.exe
• 2014-12-27 - Content-Length: 493469 - filename=PDFViewer.exe
• 2014-12-28 - Content-Length: 502360 - filename=PDFViewer.exe
• 2014-12-29 - Content-Length: 458952 - filename=PDFViewer.exe

• NOTE: I only have one sample from 2014-12-23 (downloaded separately), which was not digitally signed.  As stated before, malware from the Threatglass pcaps never fully downloaded, so I could not determine which ones were digitally signed.

 

COPIES OF THE MALWARE I DOWNLOADED:

• 2014-12-23 - Content-Length: 543361 - filename=install_flash_player.exe
• 2015-01-02 - Content-Length: 493742 - filename=Happy_New_Year.exe
• 2015-01-03 - Content-Length: 570466 - filename=Happy_New_Year.exe
• 2015-01-04 - Content-Length: 327704 - filename=Happy_New_Year.exe   [digitally signed]
• 2015-01-05 - Content-Length: 329240 - filename=Happy_New_Year.exe   [digitally signed]
• 2015-01-06 - Content-Length: 512519 - filename=Happy_New_Year.exe
• 2015-01-07 - Content-Length: 490008 - filename=Happy_New_Year.exe

 

COPIES OF THE ABOVE MALWARE SUBMITTED TO MALWR.COM:

• 2014-12-23-install_flash_player.exe - https://malwr.com/analysis/ZjIxZGE4YTZkYTM1NGNmOTkxZmZkNTA4OGFiMTMxMTM/
• 2015-01-02-Happy_New_Year.exe - https://malwr.com/analysis/ODEzYWY5YzdhNTdkNDgwYWJmNTNkNDVhOTE4NDg2MDM/
• 2015-01-03-Happy_New_Year.exe - https://malwr.com/analysis/NjI4MzY0NzE4MDZhNGUwODlkY2ZhZTRkNGRmMGJiNTk/
• 2015-01-04-Happy_New_Year.exe - https://malwr.com/analysis/MGQzYjU2MGFlZjI0NGExODgyMmFlZWI0OTM3ZDM4OGE/
• 2015-01-05-Happy_New_Year.exe - https://malwr.com/analysis/ZTQ5YjliYzc1NjljNDhmZGI2M2E2N2ZlNThlMmFmY2I/
• 2015-01-06-Happy_New_Year.exe - https://malwr.com/analysis/N2Q5OWFlMWFmNmYzNGE0ZmIzOGEwODE4ZTU4OGQ4YWI/
• 2015-01-07-Happy_New_Year.exe - https://malwr.com/analysis/N2U5ZDM0MDdjODcwNDQ2NGJkMDZiZDM1YjkxMjY3ZjQ/

 

POST-INFECTION PCAPS:

• Malware:  2014-12-23-install_flash_player.exe  -  pcap file name:  2014-12-23-post-infection.pcap
• Malware:  2015-01-02-Happy_New_Year.exe  -  pcap file name:  2015-01-02-post-infection.pcap
• Malware:  2015-01-03-Happy_New_Year.exe  -  pcap file name:  2015-01-03-post-infection.pcap
• Malware:  2015-01-04-Happy_New_Year.exe [digitally signed]  -  pcap file name:  2015-01-04-post-infection.pcap

 

POST-INFECTION TRAFFIC

POST-INFECTION TRAFFIC GENERATED BY NON-DIGITALLY-SIGNED MALWARE SAMPLE FROM 2015-01-03:

• 2015-01-03 01:58:21 UTC - 192.168.138.163:59893 - 195.20.141.15:19077 - UDP
• 2015-01-03 01:58:28 UTC - 192.168.138.163:49931 - 184.94.233.252:48754 - UDP
• 2015-01-03 01:58:28 UTC - 192.168.138.163:49195 - 174.60.231.240:48754 - TCP
• 2015-01-03 01:58:33 UTC - 192.168.138.163:49931 - 92.244.151.93:48754 - UDP
• 2015-01-03 01:58:38 UTC - 192.168.138.163:49931 - 76.209.74.124:48754 - UDP
• 2015-01-03 01:58:43 UTC - 192.168.138.163:49931 - 190.132.78.52:48754 - UDP
• 2015-01-03 01:58:46 UTC - 192.168.138.163:49196 - 66.66.248.195:48754 - TCP
• 2015-01-03 01:58:48 UTC - 192.168.138.163:49931 - 174.60.231.240:48754 - UDP
• 2015-01-03 01:58:52 UTC - 192.168.138.163:49931 - 115.240.231.80:48754 - UDP
• 2015-01-03 01:58:56 UTC - 192.168.138.163:49931 - 115.240.192.162:48754 - UDP
• 2015-01-03 01:59:00 UTC - 192.168.138.163:49931 - 61.15.249.42:48754 - UDP
• 2015-01-03 01:59:00 UTC - 192.168.138.163:49197 - 98.161.2.58:48754 - TCP
• 2015-01-03 01:59:04 UTC - 192.168.138.163:49931 - 108.47.237.97:48754 - UDP
• 2015-01-03 01:59:08 UTC - 192.168.138.163:49931 - 46.98.13.95:48754 - UDP
• 2015-01-03 01:59:12 UTC - 192.168.138.163:49931 - 24.18.193.217:48754 - UDP
• 2015-01-03 01:59:13 UTC - 192.168.138.163:49198 - 118.6.212.91:48754 - TCP
• 2015-01-03 01:59:16 UTC - 192.168.138.163:49931 - 74.199.63.123:48754 - UDP
• 2015-01-03 01:59:20 UTC - 192.168.138.163:49931 - 190.105.68.235:48754 - UDP
• And so on...

• Snort event: 192.168.138.163:59893 - 195.20.141.15:19077 - ETPRO TROJAN Win32/Steroope.B checkin (sid:2808532)

 

POST-INFECTION TRAFFIC GENERATED BY DIGITALLY-SIGNED MALWARE SAMPLE FROM 2015-01-04:

• 2015-01-04 02:12:58 UTC - 192.168.138.163:49195 - www.google.com - GET /
• 2015-01-04 02:12:59 UTC - 192.168.138.163:49196 - 50.100.66.46:80 - ywoqmcmwuqgysmcw.org - POST /
• 2015-01-04 02:13:46 UTC - 192.168.138.163:49197 - 50.100.66.46:80 - ywoqmcmwuqgysmcw.org - GET /02.cab
• 2015-01-04 02:13:47 UTC - 192.168.138.163:49198 - 50.100.66.46:80 - ywoqmcmwuqgysmcw.org - GET /02.cab

• NOTE 1: I've seen ywoqmcmwuqgysmcw.org resolve to several different IP addresses.
• NOTE 2: The 02.cab file never fulled downloaded, so I retrieved a sample separately.

• Snort event: 192.168.138.163:49196 - 50.100.66.46:80 - ETPRO TROJAN W32/Redyms.AF (sid:2807393)

 

FINAL NOTES

Once again, here are the associated malware files:

• Archive of associated pcap files:  2015-01-08-pcap-files-associated-with-malware-from-82.244.160.22.zip
• Archive of malware samples:  2015-01-08-associated-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.