2014-09-14 - Study

Say Hello to Astrum EK

Artist’s impression shows the structure of the Milky Way
NASA/JPL-Caltech/ESO/R. Hurt

I was chasing something else (the Kovter adfraud's Sweet Orange thread - Kovter is not a ransomware anymore (since at least march 2014)) when I received bullets from an undocumented "weapon" : an exploit kit that seems to be  private (for now?) and based on the infection path (between an Adxpansion badvert on a porn website and the https goo.gl link to the landing ) in use by a group that was traffing to Reveton team's EK threads (so via Cool then Angler EK) :

Say Hello to Astrum EK

Astrum EK 2014-09-06 - Real Name (not chosen)
(Fast looking at the URI pattern we may find it a little Angler-ish...but it's not)
Astrum will accept to serve a landing only once per IP and is also denying connection from Tor and (at least) Russia.
The lifetime of the landing seems a little higher than on Angler or Nuclear Pack but where most of the time you need to fake some referer to avoid being rejected, with Astrum : show a referer and you'll get ignored and IP banned. Firefox, Chrome and Opera are also ignored (and i guess that they are filtered out upstream anyway).
A fast search lets think it's in use since at least 2014-08-15

Now let's take a look at the bullets and the ballistic.

CVE-2014-0515 - CVE-2013-0634 (Flash) :

Those days it's the most successful vuln targeted in exploit kits, followed by CVE-2013-2551.

CVE-2014-0515 successful path in Astrum EK
2014-09-06

GET http://static.yarkiy-mir .org/duf5ibqshp.html
200 OK (text/html)

Piece of Astrum's Landing 2014-09-06
http://pastebin.com/Jc5k0kvi
JsBeautified : http://pastebin.com/gvjskkG2
Obfuscation in used as described by EKWatcher
An array of modifed-Base64 strings, that are each XORed with a different byte  and then inserted (in random order) into the JS later - The Base64 is using "A-Za-z0-9-:" instead of "A-Za-z0-9+/"

After deobfuscating the "div" value via the function t (using malzilla for instance) we get this :
http://pastebin.com/PfAjuvPR

There are sweet piece of code like those showing they had researcher/bots etc in mind while writing it :
On landing load, script will try to catch debugging tools
(even phantom....)



and also check via loadXML if there are obvious researcher tools launched or if it's running in a VM.
check for Kaspersky BHO

And here is the data that will be posted  :

Fast sum-up of the data that will be encoded and posted in next call.
Comment are obviously not in the original code


POST  http://static.yarkiy-mir .org/IVmTAccT_rdKYvlrrCSb3UJl-G-gc5uJSzOmaP8jldlPMKNo_iuSh1J_qjr5Ot7fTg..
200 OK (text/html)  CVE-2013-2551  and creation of the flash object.

Posted data (as Neutrino was doing) :

Which before encoding should look like :

Data sent to the Exploit kit on second call 

Astrum - 2014-09-06
Piece of the Post Call reply.
The obfuscation in use is the same as in the landing.
Once decoded here is the Flash insertion :
Astrum - Inserting the flash element.
http://pastebin.com/GYehkmaC

GET http://static.yarkiy-mir .org/kZThMKU15rv6r4tazgKD0fKoil7CVYOF-_7UWZ0FjdX__dFZnA2Ki-Ky2AWYHMbT_g..
200 OK (application/x-shockwave-flash)  3fb2c3750d51268781fa608a42c3e4d7 CVE-2014-0515 & CVE-2013-0634 (Thanks to Arseny Levin (Spiderlabs) for the help)

GET http://static.yarkiy-mir .org/CjJXSImjvethCT0i4pTYgWkOPCbuw9jVYFhiIbGT1oVkW2chsJvR23kUbn27ip2DZQ..
200 OK (application/octet-stream) Once Decoded: 9d9eb3ceffd6596ebdf7fc9387cd5cb1 - Reveton

Xored Payload. Key : 98EB68248A2815474CFE8902C0603770
I didn't check that deeply yet, but it seems you will get a unique Xor key for each pass.


CVE-2013-0074/3896 (Silverlight) :


Astrum EK -  2014-09-06
Silverlight Successful path



GET http://asset.yur88 .com/xawufyinv3lqr.html
200 OK (text/html)

To give an idea of the data being sent to the Exploit Kit
on the following post request. (md5 is different) 

POST http://asset.yur88 .com/xcC2oZh5Lpbyq4bPox1Hq_uv3M-oGkXzoa_Vy_IaEvr4_IyZokFE_Lbmj5qmUA7-qg..
200 OK (text/html)

Astrum - 2014-09-06
Piece of the Post Call reply launching Silverligt and CVE-2013-2551 attack
The silverlight call, once decoded :

Astrum : Post reply silverlight call once decoded
2014-09-06
http://pastebin.com/enPjFN96


GET http://asset.yur88 .com/06RCA_viDC7kz3JtwIZlE-3LKG3LgWdLt8shaZGBMELumHg7wdpmRKCCeD_AyyxGvA..
200 OK (application/x-silverlight-app) 3b82c622a343317d14161206aa9f2fce

Silverlight Exploit
sl.dll : e332a8d62288b80f939fff7d50ac33d3

GET http://asset.yur88 .com/sKJTobP38yWHyWPPiJOaGI7NOc-DlJhA1M0wy9mUz0mNnmmZic-ZT8OEaZ2L3tNN3w..
200 OK (application/octet-stream)  9d9eb3ceffd6596ebdf7fc9387cd5cb1 Reveton again
Xor key : BFAD0475157E8E15F72903B5E80649B2 

CVE-2013-2551 :


CVE-2013-2551 successfully fired by Astrum EK
2014-09-11


GET http://img.gestionartepyme .com.ar/omhq1t4pjx3fac.html
200 OK (text/html)


POST http://img.gestionartepyme .com.ar/C1BzyerkwKg1aE_30oT_kDU9S6TYgfyXZj0SqIGFqsUzbEzzgNv8w3h2SvLUzeDAZA..
200 OK (text/html)
After a first pass of decoding :

Piece of CVE-2013-2551 after first decoding pass.
http://pastebin.com/g847kaSX



GET http://img.gestionartepyme .com.ar/Wi-S--HJ20lkF67F2ankcWRCqpbTrOd2N0LzmoqosSRiE63Bi_bnIikJq87f4PshNQ..
200 OK (application/octet-stream) a668806b4be0e3b02e3adf0130b70bd0 once decoded (reveton)
Xor Key: 3FF52A9A6B4C3E3DE93AD7183C0DFFA6

Payload written in %temp%\tmp1.log


If lock screen is activated you'll get for instance in the us :
Reveton - Screen locked - 2014-09-11 US.

CVE-2014-0322 :
For some reason I couldn't get that one working properly.

CVE-2014-0322 fired by Astrum
But unsuccessful.
I'll update if i get a successful pass.

GET http://img.gestionartepyme .com.ar/zy6qjw78b3f4vus.html
200 OK (text/html)

Posted data after the landing, whispering the server to try
CVE-2014-0322 - (md5 is different) 


POST http://img.gestionartepyme .com.ar/Nly0S9lDj4daNYQm6nfh71U1jCjjc-buCzLSc-Uht-8IbI935Hm07UV6jXDnaq_vWQ..
200 OK (text/html)

Obfuscated piece of code to trigger CVE-2014-0322
Astrum 2014-09-11
I won't put the decoded one ;)

Piece of the B64 encoded shellcode


CVE-2010-0188 :


Astrum firing CVE-2010-0188 (and Flash exploit also)
2014-09-11


GET http://assets.dance .com.ar/oljm3dz7pnh.html
200 OK (text/html)



Decoded posted data


POST http://assets.dance .com.ar/ZQc75hcLl-kOZATbKD-u1VpjA4kiO6-GDjgG2itsr4ZcOgeMKzOohBYhAt0pIreBCg..
200 OK (text/html) 

Encoded part of the Post reply in charge of the call for CVE-2010-0188
Astrum - 2014-09-11
Once decoded :

Iframe called for CVE-2010-0188


GET http://assets.dance .com.ar/FCNKh1wkpvl_QHW6YxCfxStHcuhpFJ6Wfxx3u2BDnpYtHnbtYByZlGcFcLtiDYaRew..
200 OK (text/html)


Obfuscated : creation of the PDF object
Decoded:

Deobfuscated call for PDF


GET http://assets.dance .com.ar/4RkrZSI07MGKehRYHQDV_d59EwoXBNSuiiYWWR5T1K7YJBcPHgzTrJI_ElAfHcypjg..200 OK (application/x-shockwave-flash) (CVE-2013-0634/2014-0515)

GET http://assets.dance .com.ar/DQT9jPZKYcJmZ8KxyX5Y_jJgxePDelmtZjvAsMotWa00OcHmynJer34ix7DJY0GqYg..
200 OK (application/pdf) CVE-2010-0188 a3aa7a4499e7b89768ee82ea5c3c8b4a

We have the same kind of obfuscation here that in the landing and post response.

Object in the PDF containing the Encoded data

Piece of js in charge of deobuscating and triggering the exploit


GET http://assets.dance .com.ar/jnK3hV3Yt6HlEYi4YuyOnbEWj-po6I_O5U2KuWG_j863T4vvYeCIzP1UjrBv8ZfJ4Q..
200 OK (application/octet-stream)

GET http://assets.dance .com.ar/DqVkvx0HOxZlxluCIjMCKjHBXNAoNwN5ZZpZgyFgA3k3mFjVIT8Ee32DXoMhLht-YQ..
200 OK (application/octet-stream) Decoded : 154a5d50ee032dc32e4c64ecbde0eaa1 Reveton

Note that both payload (flash and PDF) in that pass have same Xor key ( 919DCE47A3DBD2518B2F1088604AE0DA )


No Java ?

This exploit kit had some java few weeks ago (CVE-2012-0507, CVE-2013-2460, CVE-2013-2465 - if you make a search on this IP in your log you might figure it ) but it seems java is not exploited anymore.
As I assumed for Flash EK, it's a trade of a now small percentage of infection for more stealth ( >> infection chain last longer >> less rebuild).


The exploitation Graph should be something like :

Astrum EK - Exploitation graph assumption
2014-09-14


Files :
AstrumEK_2014-09-14.zip (Owncloud) 
AstrumEK 4 pcap (Owncloud) thanks to Fiddler2Pcap written by Will Metcalf (Emerging Threats)

PS: If you have some telemetry on this IP : 107.150.24.107 I would be really interested in the numbers. Seeing the infection path, I think traffic should be quite big.