In early March, after one of our network sensors flagged an incident at one of our customers, we noticed some traffic going to a rather suspicious .biz domain. When looking into the details of this domain, we found it to be registered to a guy named “Lukas Vask”.
When doing a reverse whois on just the email address, we found that Mister Vask owns 88 domains, 3 ‘.com’, 1 ‘.net’, 70 other gTLD’s and 14 ccTLD’s.
When reviewing the same data some days later we found that he bought another 78 domains.
A small sample list of unique domains used:
Alongside the above unique domains seen, we noticed a simple type of domain obfuscation. Using a combination of 3 to 5 words from the english dictionary with both the .org and .biz TLD’s are registered. Afterwards a letter is added to the end of the domains, which are just ascending letters of the alphabet and again the .org and .biz are also registered.
A small example list of the used words:
We’ve seen the following being used in the wild:
These pages are serving the Nice Pack exploit kit at this time.
Nice Pack Exploit Kit
Deobfuscated it looks like this:
The NicePack uses a combination of Adobe PDF and Java exploits to drop its malware.
The Java exploit targets CVE-2012-1723. The Adobe PDF exploit could not be determined as it seems the exploit kit is missing files, a 404 is returned when the malicious PDF should be served.
One way of determining if you’re dealing with a NicePack exploit kit domain is by doing a HTTP request on port 443, in the response you get will included a little hint.
Checksums malicious files NicePack:
Sweet Orange Exploit Kit
While taking a look at Mister Vask, we found another type of domain obfuscation used to spread the Sweet Orange exploit kit.
This DGA works similar to the alphabet one but in this case adds an asceding number at the end, we’ve seen the following being used:
The new URL syntax of Sweet Orange looks like this as seen in the wild:
Older versions of the Sweet Orange exploit kit used shorter links for the landing page.
The landing page in this version of Sweet Orange:
The deobfuscated script part:
This part embeds the malicious PDF file located at ‘./tUaZFs’. The PDF targets CVE-2010-0188.The above attempts to exploit java vulnerbilities by loading malicious JAR files which target specific Java versions.The Java archives we’ve seen target CVE-2012-1723 and CVE-2013-0431 .
While most exploit kits check Java and Adobe versions to determine the most suitable way to drop their malware, this one attempts everything anyway and discards any version checking.
The bruteforce approach it seems.
Checksums malicious files SweetOrange:
Getting back to the WHOIS information, it seems the domains for both exploit kits are being registered with the same credentials. Either a fake account or stolen identity is being used by multiple people or the same guys are behind SweetOrange and NicePack.. who knows.
Yonathan Klijnsma & Barry Weymes