CBeplay US Design 2013-08 |
On 2013-07-30 I heard from Chris Wakelin about Youtube malvertising via zxroll.doniz .nl/stats/ - 188.120.236.219
29182 | 188.120.224.0/20 | ISPSYSTEM | RU | BANGUP-MOSCOW.RU | ISPSYSTEM CJSC
to a Sweet Orange on 217.23.138.42
15756 | 217.23.128.0/19 | CARAVAN | RU | CARAVAN.RU | CJSC CARAVAN-TELECOM
<edit1 2013-08-02> Got contact by mail telling me those redirect are as old as 2013-07-22 and then found a tweet from @MalwareSigs about that on 2013-07-26</edit1>
I took a look at the payload : CBeplay.P.
( what's new : US design : DHS Themed, Google Translate voices, newly targeted countries with old Urausy Design - See at the end)
Here is the US design featuring the Google Translate voice (seems a Y was missing ;) ) :
http://youtu.be/gnpMkftUlyk
C&C ?
5.104.106.79 - 46.165.201.27 (cf Joe Sandbox Cloud analysis at the end)
The US-Cert released a notification on 2013-07-30
"US-CERT has received reports of increased activity concerning an apparently DHS-themed ransomware malware infection occurring in the wild."
Would be a big surprise if those dots are not connected.
The day after Chris Wakelin was seeing the same kind of Malvertising with same intermediate redirector xxx.nookid .nl/stats traffing for a new Cool EK on 142.0.4.29 with Subfolder /water/
Couldn't replay from Youtube. Here Cool EK /water/ dropping CBeplay.P with a Styxy Jar from intermediate Redirector |
Same day on Twitter Shay Harding notified about the increase of Cool EK...
@kellewic tweet about /water/ Cool EK |
Guess which one : /water/ !
Asking him if he could find the referrer he told me it was a Youtube link.
All payload are in fact CBeplay.P
<edit2 2013-08-04>
I've been given a pcap of the infection (thanks : @ph1lv !!). The publisher ID of the malvertising is :
ca-pub-6219811747049371
One swf is still available there (pastebin with the link), and in this zip (owncloud via goo.gl) :
Malvertising Displayed on Youtube that could drive you to the CBeplay.P Sweet Orange or later Cool EK |
decryption function |
encoded function to insert the iframe (no user interaction needed to load bad redirection) |
998a919c8b969091d7d684899e8ddfbadfc2df9b909c8a929a918bd19c8d9a9e8b9aba939a929a918bd7d896998d9e929ad8d6c49b909c8a929a918bd19d909b86d19e8f8f9a919bbc9796939bd7bad6c4899e8ddfbeabaddfc2dfbad19e8b8b8d969d8a8b9a8cc4899e8ddfbea8dfc2df9b909c8a929a918bd19c8d9a9e8b9abe8b8b8d969d8a8b9ad7d888969b8b97d8d6c4bea8d191909b9aa99e938a9adfc2dfd8cfd8c4beabadd18c9a8bb19e929a9bb68b9a92d7bea8d6c4899e8ddfbeb7dfc2df9b909c8a929a918bd19c8d9a9e8b9abe8b8b8d969d8a8b9ad7d8979a9698978bd8d6c4beb7d191909b9aa99e938a9adfc2dfd8cfd8c4beabadd18c9a8bb19e929a9bb68b9a92d7beb7d6c4899e8ddfbebddfc2df9b909c8a929a918bd19c8d9a9e8b9abe8b8b8d969d8a8b9ad7d8998d9e929a9d908d9b9a8dd8d6c4bebdd191909b9aa99e938a9adfc2dfd8cfd8c4beabadd18c9a8bb19e929a9bb68b9a92d7bebdd6c4899e8ddfbeacdfc2df9b909c8a929a918bd19c8d9a9e8b9abe8b8b8d969d8a8b9ad7d88c8d9cd8d6c4beacd191909b9aa99e938a9adfc2dfd8
Which convert to :
decoded function to insert the iframe |
And here is :
Encoded malicious URL |
978b8b8fc5d0d085878d909393d19b90919685d19193d08c8b9e8b8cd0
which convert :
Encoded URL decryption using Kahu SecurityConverter Tool. |
http://zxroll.doniz .nl/stats/
I'd love to see the stats of that Cool EK instance...the Traffic must have been insanely huge.
For people following that threat you have surely recognized the gang that was behind the /read/ Cool EK :
Here is their EK use history :
2012-04-09 and before BH EK --> 2012-08-23 Sakura /forum/load/ --> 2013-09-07 Sweet Orange --> 2012-09-19 BH EK (when 2.0 goes out) --> 2013-10-23 Cool EK /r/ then /read/ --> 2013-01-13 Sweet Orange --> 2013-02-21 Cool EK (when new version come - /sales/ /indoor/ ) --> 2013-03-10 Sweet Orange --> 2013-07-30 Cool EK /water/
Below is a Timeline (direct link) to illustrate that :
And here are the other "Talking" Design - sorted alphabetically (country code) :
Austria: http://youtu.be/26ssPFefMQM
Canada: http://youtu.be/z3ROqM5lYBE
Switzerland: http://youtu.be/6ehaniYgjVs
Deutschland: http://youtu.be/_y4U3-Syx_g
Denmark: http://youtu.be/9_AWL4TLrhA
Spain: http://youtu.be/6X3j1v7sFoo
Finland: http://youtu.be/fhpXftI8Q_k
France: http://youtu.be/80k2-34wXAw
Great-Britain: http://youtu.be/WBKB-aq_Z0M
Ireland: http://youtu.be/AP2_GPBhfbQ
Italy: http://youtu.be/07lvnjXJ-Z8
Luxemburg: http://youtu.be/mfYporm3xJI
Netherlands: http://youtu.be/o_U2GOe3ozE
Norway: http://youtu.be/Cx4UeI-5Mzg
Poland: http://youtu.be/VBSuEsQZ-qw
Portugal: http://youtu.be/X7FSXk9HmLI
Sweden: http://youtu.be/VyGY7pXdJjc
Read more :
Recent Reports of DHS-Themed Ransomware - 2013-07-30 - US-Cert
Malvertising on Youtube.com redirects to EKs - 2013-07-30 - MalwareSigs
CBeplay.P : Now target Australia and moved to server side localization - 2013-02-21
Cbeplay.P targets US and AT, now talks to UK Citizens - 2013-02-08
Files :
A really nice analysis by Joe Sandbox Cloud (www.joesecurity.org)
You'll see the C&C call, Design, antiVM features and much more
Some samples (OwnCloud via goo.gl)
SWF from the malvertising
And here are the other "Talking" Design - sorted alphabetically (country code) :
Austria: http://youtu.be/26ssPFefMQM
Canada: http://youtu.be/z3ROqM5lYBE
Switzerland: http://youtu.be/6ehaniYgjVs
Deutschland: http://youtu.be/_y4U3-Syx_g
Denmark: http://youtu.be/9_AWL4TLrhA
Spain: http://youtu.be/6X3j1v7sFoo
Finland: http://youtu.be/fhpXftI8Q_k
France: http://youtu.be/80k2-34wXAw
Great-Britain: http://youtu.be/WBKB-aq_Z0M
Ireland: http://youtu.be/AP2_GPBhfbQ
Italy: http://youtu.be/07lvnjXJ-Z8
Luxemburg: http://youtu.be/mfYporm3xJI
Netherlands: http://youtu.be/o_U2GOe3ozE
Norway: http://youtu.be/Cx4UeI-5Mzg
Poland: http://youtu.be/VBSuEsQZ-qw
Portugal: http://youtu.be/X7FSXk9HmLI
Sweden: http://youtu.be/VyGY7pXdJjc
Read more :
Recent Reports of DHS-Themed Ransomware - 2013-07-30 - US-Cert
Malvertising on Youtube.com redirects to EKs - 2013-07-30 - MalwareSigs
CBeplay.P : Now target Australia and moved to server side localization - 2013-02-21
Cbeplay.P targets US and AT, now talks to UK Citizens - 2013-02-08
Files :
A really nice analysis by Joe Sandbox Cloud (www.joesecurity.org)
You'll see the C&C call, Design, antiVM features and much more
Some samples (OwnCloud via goo.gl)
SWF from the malvertising