In this post we'll see some of the improvements that have been brought to Niteris.
Disclaimer : Few configuration were tested, so most probably some added/replaced CVEs are missing.
The infection chain (should be clean now) :
Infection chain leading to Niteris 2015-05-07 (probably 5 months old) |
is the same as the one that has been used on eHow
You'll notice that the actors registered 20min .eu for the first redirect of traffic from 20min .ch,
v5-static.ehowcdn .biz to mimic v5-static.ehowcdn .com, etc...
VT Pdns from first redirector in the infection chained |
Compromised eHow redirection chain to Nuclear Pack pushing Dyre - 2015-05-05 |
and on LiveStrong recently :
Compromised LiveStrong redirecting to same infection chain/payload as eHow - 2015-05-06 |
which are probably compromised since at least end of 2013 and where CVE-2013-5330 was first encountered...
Obviously Niteris has evolved on the Exploit integration side.
CVE-2014-0569 :
Niteris firing code to exploit CVE-2014-0569 |
CVE-2014-6332 :
Niteris firing code to exploit CVE-2014-6332 |
Sent code : http://pastebin.com/raw.php?i=2hU1kDi6
Code after js deobfuscation : http://pastebin.com/B5ihgFgv
Code after vbs deobfuscation : http://pastebin.com/wrBeGxzM
CVE-2015-0311 :
Niteris successfully exploiting CVE-2015-0311 to push Ursnif 2015-05-07 |
Flash Sample : d438be33030b2ed20a3db52031e110034119111cb116ab58bd393da49d6d0efe
CVE-2015-0336 :
Incomplete pass of Niteris Firing CVE-2015-0336 2015-05-04 |
but here are some less expected stuff :
CVE-2013-1710 & CVE-2012-3993 (Firefox Exploit - seems to be an implementation of this metasploit module)
Niteris sending code to exploit CVE-2013-1710 & CVE-2012-3993 2015-05-07 |
Niteris call for post exploitation checks Note fake user agent. 2015-05-07 |
Sent code : http://pastebin.com/mCu7AzGh
Code after js deobfuscation : http://pastebin.com/UV51KECp
Code after vbs deobfuscation : http://pastebin.com/VE4L48cz
Niteris Checks based on WMI query and read of Fiddler default error on non resolving domains 2015-05-07 |
If Niteris spot that you are running Fiddler or inside a VM, you'll be dropped before gathering the payload.
Here you can see a Virtualbox using Fiddler as proxy sending data to the EK
Niteris after close() function post Data showing that it has spotted both VirtualBox and Fiddler (outside of the VM) 2015-05-07 |
Looking at the customrules.js you'll read that this function "OnReturningError(oSession: Session)" executes just before Fiddler returns an error.
This is where the Niteris check can be defeated by modifying the response.
In the deofuscated code,we can see the decoding routine :
Payload decoding routine Xor (key [g_xk] : 97dc6e7aaa9c089d0ed82ebfd9fca4fe) skipping 0 and matching bytes |
Niteris routine to ensure payload is running as expected 2015-05-07 |
(contains Model and Security products. They should be able to figure out when an Antivirus Vendor is catching them, the same way Antivirus Vendor are able to figure out when they miss an EK : no more hits in the telemetry :D)
Files: Niteris_2015-05-12.zip.
Thanks to @UnicornSec for the working Referer
Special thanks to @DarienHuss for the impulse and help!
Thanks to @TimoHirvonen (F-Secure) for flash CVE identification.
Read More :
Meet Niteris EK (formerly known as CottonCastle) - 2014-06-09