Seen in the wild: Updated Exploit Kits


In early March, after one of our network sensors flagged an incident at one of our customers, we noticed some traffic going to a rather suspicious .biz domain. When looking into the details of this domain, we found it to be registered to a guy named “Lukas Vask”.


When doing a reverse WHOIS on just the email address, we found that Mister Vask owns 88 domains: 3 ‘.com’, 1 ‘.net’, 70 other gTLDs and 14 ccTLDs.
When reviewing the same data some days later we found that he had bought another 78 domains.

A small sample list of unique domains used:

hxxp://www.goothewebcomwert.biz
hxxp://www.tenofityrocla.biz
hxxp://www.turkglobvan.in
hxxp://www.myfirstsitemanme.com
hxxp://www.globin-fo-stat.info
hxxp://www.globinfodetails.info
hxxp://www.findservicenuclear.org
hxxp://www.pubbotstatistic.com
hxxp://www.botupdatestatistic.com
hxxp://www.currentlocalburn5.biz
hxxp://www.currentlocalburn.biz

Alongside the above unique domains seen, we noticed a simple type of domain obfuscation. A string made up of 3 to 5 words from the English dictionary is registered under both the .org and .biz TLDs. Afterwards a single letter is appended to the end of the domain, ascending through the alphabet, and the .org and .biz variants are registered again.

A small example list of the used words:
longdrivetoair
hitoryyoutohorm
takeafreemyw

We’ve seen the following being used in the wild:

hxxp://www.hitoryyoutohorm.biz
hxxp://www.hitoryyoutohorm.org
hxxp://www.hitoryyoutohormb.biz
hxxp://www.hitoryyoutohormb.org
hxxp://www.hitoryyoutohormc.biz
hxxp://www.hitoryyoutohormc.org
hxxp://www.hitoryyoutohormf.biz
hxxp://www.hitoryyoutohormf.org
hxxp://www.hitoryyoutohormg.biz
hxxp://www.hitoryyoutohormg.org
hxxp://www.hitoryyoutohormh.biz
hxxp://www.hitoryyoutohormh.org
hxxp://www.hitoryyoutohormk.org
hxxp://www.hitoryyoutohorml.biz
hxxp://www.hitoryyoutohorml.org

hxxp://www.takeafreemyw.biz
hxxp://www.takeafreemyw.org
hxxp://www.takeafreemywb.biz
hxxp://www.takeafreemywb.org

These pages are serving the Nice Pack exploit kit at this time.

Nice Pack Exploit Kit

Previous versions of the Nice Pack exploit kit used JavaScript with the old-fashioned try/catch methods, which are easily detected by IDS systems. For the new landing page of Nice Pack the creators took some time figuring out how to evade IDS detection, using even more obfuscated JavaScript with no clear usage of known functions. The combination of randomly named variables and functions makes these landing pages harder to detect.

Sample landing page: [image]

Deobfuscated it looks like this: [image]

NicePack uses a combination of Adobe PDF and Java exploits to drop its malware.
The Java exploit targets CVE-2012-1723. The Adobe PDF exploit could not be determined, as the exploit kit seems to be missing files: a 404 is returned where the malicious PDF should be served.

One way of determining whether you’re dealing with a NicePack exploit kit domain is by doing an HTTP request on port 443; the response you get includes a little hint. [image]

Checksums of malicious NicePack files (MD5, VirusTotal report):
3cf648103d7d9ed4185494979af10b2c https://www.virustotal.com/en/file/5e283a5ef0213d9c920e644fb74b2de96420926fda86f80b9cf192e7514e5555/analysis/1362477992/

Sweet Orange Exploit Kit

While taking a look at Mister Vask, we found another type of domain obfuscation used to spread the Sweet Orange exploit kit.
This DGA works similarly to the alphabet one, but in this case adds an ascending number at the end. We’ve seen the following being used:

hxxp://www.currentlocalburn5.biz
hxxp://www.currentlocalburn.biz
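Both registration patterns described above (a word-combination stem with a single ascending letter appended for NicePack, an ascending number appended for Sweet Orange, each registered under paired TLDs) can be recovered from a list of observed hostnames by folding labels that differ only in such a suffix into one family. The following is an added example written for this post, not code from the original page or from the kit authors. The hostname list is a constructed sample modelled on the domains quoted above, and the minimum family size is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of hostnames modelled on the two registration patterns
# described in the post: a word-combination stem, registered under paired
# TLDs, plus variants with a single trailing letter (NicePack) or a trailing
# number (Sweet Orange). The last entry is benign filler. Not a full IoC list.
OBSERVED_HOSTS = [
    "www.hitoryyoutohorm.biz", "www.hitoryyoutohorm.org",
    "www.hitoryyoutohormb.biz", "www.hitoryyoutohormb.org",
    "www.hitoryyoutohormc.biz", "www.hitoryyoutohormc.org",
    "www.takeafreemyw.biz", "www.takeafreemyw.org",
    "www.takeafreemywb.biz", "www.takeafreemywb.org",
    "www.currentlocalburn.biz", "www.currentlocalburn5.biz",
    "www.example.com",
]

# Greedy letters followed by either one letter or a run of digits. Greedy
# matching keeps the suffix minimal: "hitoryyoutohormb" -> ("hitoryyoutohorm", "b").
SUFFIX_RE = re.compile(r"([a-z]+)([a-z]|[0-9]+)")


def split_host(host):
    """Return (second-level label, tld) for a hostname, dropping a leading 'www.'."""
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    label, _, tld = host.rpartition(".")
    return label, tld


def cluster_families(hosts):
    """Group labels that differ only by a trailing letter or number.

    Returns {base_label: {label: set_of_tlds}}. A label is folded into a
    shorter base only when that base was itself observed, or when at least
    one other label folds into the same base; otherwise it is its own family.
    """
    tlds_by_label = defaultdict(set)
    for host in hosts:
        label, tld = split_host(host)
        tlds_by_label[label].add(tld)

    candidate = {}
    for label in tlds_by_label:
        m = SUFFIX_RE.fullmatch(label)
        candidate[label] = m.group(1) if m else label
    support = Counter(candidate.values())

    families = defaultdict(dict)
    for label, tlds in tlds_by_label.items():
        base = candidate[label]
        if base not in tlds_by_label and support[base] < 2:
            base = label  # no evidence of a family; stand alone
        families[base][label] = tlds
    return dict(families)


def suspicious_families(hosts, min_members=2):
    """Families with at least `min_members` distinct labels (threshold is an assumption)."""
    return {base: members for base, members in cluster_families(hosts).items()
            if len(members) >= min_members}


if __name__ == "__main__":
    for base, members in sorted(suspicious_families(OBSERVED_HOSTS).items()):
        print(f"family {base}: {len(members)} labels")
        for label, tlds in sorted(members.items()):
            print(f"  {label:<22} {', '.join(sorted(tlds))}")
```

Run over passive DNS or proxy logs, a family whose members also share the paired .biz/.org registration is a far stronger signal than any single lookalike domain; the benign `example` entry in the sample stays unclustered because nothing else folds into it.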

The new URL syntax of Sweet Orange, as seen in the wild, looks like this:

/mambots/feedback/dog/questions.php?alert=477&oracle=79&courses=813&christmas=961&photos=653&talks=538
/software/careers.php?sony=228&hardcore=79&groupsn=685&contrib=277&featured=750
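The URL shape shown above (a .php path followed by a long query string whose parameter names are plain dictionary words and whose values are all small integers) is distinctive enough to flag in proxy logs. Below is an added detection example written for this post, not code from the original page. The log lines are constructed, the parameter-count and value-length thresholds are assumptions chosen to fit the two samples quoted above, and the benign lines are there to show what does not match.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines: timestamp, client IP, method, URL. The first two
# URLs reproduce the Sweet Orange syntax quoted in the post on a domain from the
# post; the remaining lines are benign filler.
SAMPLE_LOG = """\
2013-03-05T10:12:01 10.0.0.12 GET http://www.currentlocalburn5.biz/mambots/feedback/dog/questions.php?alert=477&oracle=79&courses=813&christmas=961&photos=653&talks=538
2013-03-05T10:12:02 10.0.0.12 GET http://www.currentlocalburn5.biz/software/careers.php?sony=228&hardcore=79&groupsn=685&contrib=277&featured=750
2013-03-05T10:12:03 10.0.0.15 GET http://shop.example.com/catalog/item.php?id=1234&page=2
2013-03-05T10:12:04 10.0.0.15 GET http://www.example.org/search.php?q=exploit+kit&lang=en&sort=date&limit=50&offset=0
"""

WORD_KEY = re.compile(r"[a-z]{3,}")    # dictionary-word-like parameter names
SMALL_INT = re.compile(r"[0-9]{1,4}")  # short numeric values, as in the samples


def looks_like_sweet_orange(url, min_params=5):
    """True when the URL has the landing-page shape: a .php path plus at least
    min_params query parameters whose names are all plain words and whose
    values are all small integers. Thresholds are assumptions (see lead-in)."""
    parts = urlsplit(url)
    if not parts.path.endswith(".php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) < min_params:
        return False
    keys = [k for k, _ in params]
    if len(set(keys)) != len(keys):  # repeated names do not fit the pattern
        return False
    return all(WORD_KEY.fullmatch(k) and SMALL_INT.fullmatch(v) for k, v in params)


def scan_log(text):
    """Return [(client, url)] for every request line whose URL matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        if looks_like_sweet_orange(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

The check is deliberately structural rather than keyed on the specific parameter names, since those rotate; pair a hit with the domain-family clustering of the registrar data to cut false positives from legitimate PHP applications that happen to pass several numeric parameters.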

Older versions of the Sweet Orange exploit kit used shorter links for the landing page.

The landing page in this version of Sweet Orange: [image]

The deobfuscated script part: [image: sweetorange_landingpage_deobfuscated]

This part embeds the malicious PDF file located at ‘./tUaZFs’. The PDF targets CVE-2010-0188. The script above also attempts to exploit Java vulnerabilities by loading malicious JAR files which target specific Java versions. The Java archives we’ve seen target CVE-2012-1723 and CVE-2013-0431.

While most exploit kits check Java and Adobe versions to determine the most suitable way to drop their malware, this one skips any version checking and attempts everything anyway: the brute-force approach, it seems.

Checksums of malicious SweetOrange files (MD5, VirusTotal report):
6292f68f7deb3d7bb946096b9ecd8f45 https://www.virustotal.com/en/file/62a0a8ca7c9c92e06314cdd01c75048addf455972d8e6cea98b1050c7667f6ab/analysis/1362477648/
b4a044835a6a1464c556042db484b977 https://www.virustotal.com/en/file/499e42c9869f3e5a87478afe6a5c17978eeaefde9530cca6b73e315d2d740304/analysis/1362477660/
7a7ce94c19fcc47e20068e3f51971b52 https://www.virustotal.com/en/file/93e54881d92c38bb8876c7cd8af0da83051ec469f6dd5119a2a3f40696852501/analysis/1362477670/

Conclusion

Getting back to the WHOIS information, it seems the domains for both exploit kits are being registered with the same credentials. Either a fake account or stolen identity is being used by multiple people, or the same guys are behind SweetOrange and NicePack. Who knows.

Yonathan Klijnsma & Barry Weymes
