Disclaimer: once again, I won't go into a deep analysis of the EK in this post. It's more of a connect-the-dots one.
Big thanks: Timo Hirvonen, @Malc0de , @EKWatcher, @node5 for all the help on this.
In September, a post from Alter appeared on an underground forum: he was looking for traffic to test an exploit kit he was building.
-----------------------
(translated from Russian)
Hi everyone.
We are looking for someone with a large and stable flow of traffic from their own compromised sites.
The traffic is needed for debugging and fine-tuning the exploit pack.
What exactly is required:
Traffic delivery rate of 1k hosts per 3-5 minutes.
Access to a TDS or any other panel where I can switch the traffic to the pack's test stream on and off myself, at any time convenient for me.
The TDS must support automatic link pickup via API.
In return:
One month on a dedicated server free of charge
Subsequent rental on preferential terms
A private solution with a limited set.
A serious person with a reputation is welcome.
Contact: PM.
-----------------------
On the 26th of September I spotted something that was a really good candidate for an "Alter EK".
Alter EK candidate - 2014-09-26 |
- The chronology (we do not see a new pattern very often)
- The payload was calling back to the EK
and other hints (traffic filtering upfront) all pointed to a "training range".
Talking with Will Metcalf from Emerging Threats, we decided to name that exploit kit Job314 (cf. the Knock part).
Some new tricks there: the Java calls were embedded in the Flash.
Same for the CVE-2013-2551 (IE) exploit, embedded inside the Flash.
We saw the evolution all the following weeks.
Job314 - Test Thread - 2014-10-20 |
A week ago, Alter published a new advert:
----------------------
(translated from Russian)
Private exploit pack with a high infection rate and stable cleanliness.
Monthly rental from $3000
Rental on dedicated servers only.
Domains and fronts are not included in the rental price.
Information on which exploits are included is not provided.
A one-day test is possible for $100 (50k hosts).
Escrow only through this board and at your expense.
Jabber: s@userjab.com
-----------------------
The big surprise was in the screenshot:
Alter EK screenshots - Neutrino ! |
So after disappearing around the 17th of March, Neutrino is back!
It seems to have been rebuilt from scratch, and what we called Job314 is this Neutrino "2". Today, I was checking a distribution path that usually redirects to Flash EK (Necurs in /sv62a76d18537/ ).
Distribution Path to Necurs via "script" redirector and Flash EK 2014-11-15 |
Neutrino Pushing Necurs 2014-11-20 (and drops callbacks) |
Let's take a look at this Neutrino pass:
Neutrino - 4 CVE in 1 Flash |
GET http://amtudatqfi.border2 .xyz:47130/establish/40006/disguise/67531/harmony/25804/duke/grunt/north/5261/cart/51566/peter/shove/solitary/labour/squat/glad/
200 OK (text/html)
Neutrino Landing - 2014-11-20 http://pastebin.com/ssgay7Zn Straight to the flash |
RC4 : lrnfsvobuudc |
We get:
Path fired for each exploit note the payload Key: uzxceruvsl |
GET http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js
200 OK (text/javascript)
GET http://amtudatqfi.border2 .xyz:47130/dark/9844/watch/5350/slip/64080/explanation/41483/mend/93598/collapse/39865/model/25005/
200 OK (text/html) - Flash containing at least CVE-2014-6332, CVE-2013-2551, CVE-2014-0515 and CVE-2014-0569 (md5 7a5f2d7efe55020e65dcdd77bcdf853e)
The four Rc4ed Exploits embedded in the single flash Neutrino 2014-11-21 |
GET http://wyuye.border2 .xyz:38779/false/hood/broom/9264/lover/22172/permit/45653/madam/44441/downstairs/grand/military/measure/themself/65550/
200 OK (application/octet-stream) - RC4-encoded (key: uzxceruvsl) Necurs, md5 f185111b2b0c61b26f2cdae1fee81031
Note : User-Agent: Mozilla |
Based on what we saw earlier, we can say that it's CVE-2014-6332 which owned that VM.
GET http://wyuye.border2 .xyz:38779/sweet.pl?whistle=word&more=start&wick=pressure&gasp=warm&join=victim&proper=52499&camera=44137&overhead=19904
404 Not Found (text/html) <- CVE-2014-0569 call. Probably 404ed because the previous call already got a 200 OK.
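The payload response above is RC4-encoded with the key shown on the landing page. The Python below is an added example, not code from the original post, showing how an analyst would decode such a captured response with that key and confirm that what comes out is a PE file (MZ header plus a valid e_lfanew pointing at "PE\0\0"). The real Necurs sample is not on this page, so the "captured" blob is constructed here by RC4-encoding a stub; the key `uzxceruvsl` is the one from the post.

```python
import hashlib

KEY = b"uzxceruvsl"  # payload key seen on the Neutrino landing page (from the post)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for the real payload: a minimal DOS/PE header shape, no code.
# Offset 0x3C (e_lfanew) points to offset 0x40, where "PE\0\0" sits.
FAKE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
    + b"constructed stub, not a real sample"
)
# What the application/octet-stream response body would look like on the wire.
CAPTURED_BLOB = rc4(KEY, FAKE_PAYLOAD)


def decode_payload(blob: bytes, key: bytes = KEY) -> bytes:
    """Recover the cleartext payload from an RC4-encoded EK response."""
    return rc4(key, blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decoded blob is a Windows executable."""
    if len(data) < 0x44 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def payload_md5(data: bytes) -> str:
    """MD5 of the decoded payload, to compare with the hash published for the sample
    (the post lists f185111b2b0c61b26f2cdae1fee81031 for the real Necurs drop)."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    plain = decode_payload(CAPTURED_BLOB)
    print("PE after decode:", looks_like_pe(plain), "md5:", payload_md5(plain))
```

With a real capture, replace `CAPTURED_BLOB` with the bytes of the octet-stream response and compare `payload_md5` against the hash from the post; an RC4 key that does not decode to an MZ header is the fast signal that the kit has rotated its key.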
File: that Flash is well thought out and seems easy to reuse, so I will hold on to this.
Fiddler pushed to VT here.
2014-11-24 - SWF : 19a6ef1cf490aec30018d95a4f07f42a
Let's finish with a piece of advice from Will Metcalf (Emerging Threats):
If u are a snort/suri user using snort < 2.9.7 or suricata w/o lua to decompress and inspect flash now is the time. https://t.co/Sh8Kq1TA46
— William Metcalf (@node5) November 20, 2014
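Will's point is that a compressed SWF (CWS or ZWS header) has to be inflated before any signature can see the exploit blobs packed inside it. The Python below is an added example, not code from the post or from Emerging Threats: it decompresses a SWF back to FWS, walks the tag list, pulls out DefineBinaryData blobs and reports their byte entropy, which is how a single Flash carrying several RC4-encrypted exploits stands out (near 8 bits per byte). The sample SWF is constructed inside the script; the tag codes (87 DefineBinaryData, 82 DoABC, 0 End) and header layout follow the public SWF file format.

```python
import math
import struct
import zlib
import lzma
from collections import Counter

TAG_NAMES = {0: "End", 82: "DoABC", 87: "DefineBinaryData"}  # tags we care about here


def decompress_swf(data: bytes) -> bytes:
    """Return an uncompressed (FWS) SWF from FWS, CWS (zlib) or ZWS (LZMA) input."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        # ZWS: sig(3) ver(1) uncompressed_len(4) compressed_len(4) lzma_props(5) lzma data.
        # Rebuild a .lzma "alone" header (props + 8-byte size) so the stdlib can decode it.
        uncompressed_len = struct.unpack_from("<I", data, 4)[0]
        alone_header = data[12:17] + struct.pack("<Q", uncompressed_len - 8)
        body = lzma.decompress(alone_header + data[17:], format=lzma.FORMAT_ALONE)
    else:
        raise ValueError("not a SWF file")
    return b"FWS" + data[3:8] + body


def list_tags(swf: bytes):
    """Walk the SWF tag list: returns (code, name, length, data) tuples."""
    body = decompress_swf(swf)
    nbits = body[8] >> 3                      # RECT: 5-bit nbits, then 4 fields of nbits
    rect_len = (5 + 4 * nbits + 7) // 8
    pos = 8 + rect_len + 4                    # skip frame rate (2) and frame count (2)
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                    # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, TAG_NAMES.get(code, f"Tag{code}"), length, body[pos:pos + length]))
        pos += length
        if code == 0:
            break
    return tags


def embedded_blobs(swf: bytes):
    """Payloads of DefineBinaryData tags (after the 2-byte id + 4 reserved bytes)."""
    return [data[6:] for code, _, _, data in list_tags(swf) if code == 87]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted/compressed blobs sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_swf() -> bytes:
    """Constructed toy CWS: one DefineBinaryData tag holding an opaque blob, then End."""
    blob = bytes(range(256))                  # stand-in for an encrypted exploit blob
    bin_body = struct.pack("<HI", 1, 0) + blob
    tag = struct.pack("<H", (87 << 6) | 0x3F) + struct.pack("<I", len(bin_body)) + bin_body
    end = struct.pack("<H", 0)
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + end   # empty rect, 12 fps, 1 frame
    return b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


if __name__ == "__main__":
    sample = build_sample_swf()
    for code, name, length, _ in list_tags(sample):
        print(f"{name:18} code={code:3} len={length}")
    for blob in embedded_blobs(sample):
        print(f"binary blob: {len(blob)} bytes, entropy {entropy(blob):.2f}")
```

On a real capture, feed the SWF body from the text/html response into `list_tags`; several high-entropy DefineBinaryData blobs next to a DoABC tag is the shape this Neutrino Flash has, and it is invisible to an inspector that never inflates the CWS container.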