2013-07-01 - Evolution

A "Styxy" Cool EK !

Around 2013-04-27 the prolific "Reveton" Cool EK suddenly became silent. The Ransomware was then pushed in SofosFO and Sweet Orange.

At end of may another Cool EK appeared, operated by another group and with some code that looks like older than last seen version (could be source leak/sell/share). Domains in .us or .pw and path in /blogs/ & /more/.

/more/ - /blogs/  Cool EK (end of May 2013 - beg of June 2013)
pushing for instance : d525f130bb311ed0306f3e3be7c5828a

That one was not widely spread hence not really easy to catch.

Since 10 days a new one appeared. Pushing reveton, many IP, same kind of domain name than THE cool EK.

Reveton Cool EK back in town - Here 2013-06-25

That Cool EK on URLQuery
That Cool EK on Malekal DB.
But nothing really new there except the come back.

<edit 1: 2013-07-30> Fresh Traffer stats Panel for shared by @paunchbighecher on twitter


Four days ago Chris Wakelin spotted some updates.
Finding a solid Referer I decided to take a look at it.... I first tried Lady Boyle (I miss her) but :

CVE-2013-1493 :
CVE-2013-1493 Path in Cool EK 2013-06-30 - e=11
GET http://neuronapodziemie.containmentmat .com:754/exception-field-assure.php
200 OK (text/html)

Surprise !! Yahoo Trends on the landing...that's known stuff !

Cool EK and Styx Landing Side to Side - 2013-06-30
Comparing the landing :

All the code (here you see only 10%) is almost exactly the same
It seems like after seing a "Blackholish" Cool, a "SofosFOish" Cool...we now have a Styxy Cool !

GET http://neuronapodziemie.containmentmat.com:754/nobody_reliance.html
200 OK (text/html)

"nobody-reliance" decoded
GET http://neuronapodziemie.containmentmat.com:754/absolute_adolescent-anticipate_unlike.html
200 OK (text/html)

The "PDFx"
Cool EK - Styx - intermediate state

GET http://neuronapodziemie.containmentmat .com:754/behalf_political_wheat-boring.html
200 OK (text/html)

GET http://neuronapodziemie.containmentmat.com:754/especially_haul-librarian.html
200 OK (text/html) (call for the jar) 

GET http://neuronapodziemie.containmentmat.com:754/loudly-ending_mix.jar
200 OK (application/java-archive) 511c1a7f6b361b0ca1145aef3a2ac2fb (CVE-2013-1493)
Note : AutoSigned Jar
Part of CVE-2013-1493 in Styxy Cool EK

GET http://neuronapodziemie.containmentmat.com:754/loudly-ending_mix.exe?e=11
200 OK (application/x-msdownload) e8bf637022b7c010dcf300faaaffac0b
 Dll entry : FG00 or XFG00
C&C call on & 169 -

Piece of the Reveton Design for France - 2013-06-30

Cool and Styx - CVE-2013-1493 pass Side to Side - 2013-06-30
And so on....Styx Styx Styx everywhere.
From what we saw we can already draw the graph of exploitation but i'll keep it for the end.

CVE-2013-0431 :

CVE-2013-0431 pass - Styxy Landing, SofosFOish Exploitation
(payload encoded)
Piece of CVE-2013-0431 in SofosFOish jar of Cool EK


CVE-2013-2423 in "Styxy" Cool EK - e=12
Its Call :

jnlp for CVE-2013-2423 jar call
jar : 297e7311353bb7e8099c495ec1afcfd3

Part of CVE-2013-2423 in the SofosFOish Jar of Cool EK
CVE-2011-3402 pass :

CVE-2011-3402 - e=16&h32
Payload URL as Parameter in Cookie

jZGRH (in Choose-convenient_annually-worthwhile) is a parameter to feed the function that create a Cookie
for Duqu like Font Drop path

CVE-2010-0188 (with CVE-2011-3402 attempt):

CVE-2010-0188 - e=3
Pdf nicely handled by wepawet.

And here is the
Exploitation Graph :

"Styxy" Cool EK Exploitation Graph - 2013-06-30

For CVE-2011-3402 see :
CVE-2011-3402 try back in october was like that.
IE10 and some new patch could also protect you

Note : no more Flash exploit (for now at least), no x64 duqu font drop.

We could almost name it Styx...
Server react as Cool EK. Admin interface is quite surely Cool...And quite surely no MongoDB/Git here.

Post Publication Reading :
Styxy Cool Exploit Kit: One Applet to Exploit All Vulnerabilities - 2013-07-25 - Security Obscurity

Files :
Styxy_Cool_2013-06-30 (OwnCloud via Goo.gl - 6 Fiddler)
<edit: see FAQ for password />
<edit : s/2493/2423 : thx a lot @SecurityObscurity />
<edit 2013-07-02 : added condition on CVE-2011-3402 infection based on comment />
<edit 2013-07-05 : soc eng added in the Exploitation Graph for Java not vuln - explain the failover on this jar />