2013-08-01 - Landscape

Cbeplay.P History - increased activity fuelled by a Youtube Malvertising - Voice from Google Translate

CBeplay US Design 2013-08

On 2013-07-30 I heard from Chris Wakelin about Youtube malvertising via zxroll.doniz .nl/stats/ - 188.120.236.219

29182 | 188.120.224.0/20 | ISPSYSTEM | RU | BANGUP-MOSCOW.RU | ISPSYSTEM CJSC

to a Sweet Orange on 217.23.138.42
15756 | 217.23.128.0/19 | CARAVAN | RU | CARAVAN.RU | CJSC CARAVAN-TELECOM

<edit1 2013-08-02> Got contacted by mail telling me those redirects are as old as 2013-07-22, and then I found a tweet from @MalwareSigs about that on 2013-07-26</edit1>

I took a look at the payload: CBeplay.P.
(What's new: US design, DHS themed; Google Translate voices; newly targeted countries with the old Urausy design. See the end of the post.)

Here is the US design featuring the Google Translate voice (seems a Y was missing ;) ) :
http://youtu.be/gnpMkftUlyk


C&C?
5.104.106.79 - 46.165.201.27 (cf. Joe Sandbox Cloud analysis at the end)

The US-Cert released a notification on 2013-07-30
"US-CERT has received reports of increased activity concerning an apparently DHS-themed ransomware malware infection occurring in the wild."

Would be a big surprise if those dots are not connected.

The day after, Chris Wakelin was seeing the same kind of malvertising, with the same intermediate redirector xxx.nookid .nl/stats, driving traffic to a new Cool EK on 142.0.4.29 with subfolder /water/

Couldn't replay from Youtube.
Here, Cool EK /water/ dropping CBeplay.P with a Styxy Jar from the intermediate redirector

The same day on Twitter, Shay Harding reported the increase in Cool EK activity...



@kellewic tweet about /water/ Cool EK

Guess which one: /water/!
When I asked him if he could find the referrer, he told me it was a Youtube link.
All payloads are in fact CBeplay.P

<edit2 2013-08-04>
I've been given a pcap of the infection (thanks: @ph1lv !!). In all requests we can see this ID:
ca-pub-6219811747049371

One SWF is still available there (pastebin with the link), and in this zip (owncloud via goo.gl):

Malvertising displayed on Youtube that could drive you to
CBeplay.P (via Sweet Orange, or later Cool EK)
The malicious content is stored as hex charcodes, each XORed with 255 (thanks Chris Wakelin)

decryption function
encoded function to insert the iframe
(no user interaction is needed to load the bad redirection)
String is:


Which converts to:
decoded function to insert the iframe
http://pastebin.com/raw.php?i=3xz8JdGG

And here is the encoded malicious URL:

978b8b8fc5d0d085878d909393d19b90919685d19193d08c8b9e8b8cd0

which converts (decoded with the Kahu Security Converter tool) to:

http://zxroll.doniz .nl/stats/

</edit2>
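As an added example (this is not code from the original post, nor the SWF's own ActionScript), here is a small Python decoder for the scheme described above: the blob is a run of two-digit hex charcodes, and each byte is XORed with 255 to recover the plaintext. The only input it uses is the encoded URL quoted above; the key-recovery helper is my addition, for variants of the SWF that change the constant, and it assumes the plaintext is printable and starts with "http". Decoded URLs are shown defanged (hxxp, [.]) rather than in the post's space-before-TLD style.

```python
import string

# Encoded redirector URL exactly as quoted in the post (hex charcodes XORed with 255).
ENCODED_URL_HEX = "978b8b8fc5d0d085878d909393d19b90919685d19193d08c8b9e8b8cd0"

# Byte values considered "printable" when scoring candidate keys.
PRINTABLE = set(string.printable.encode("ascii"))


def xor_decode_hex(hex_text: str, key: int = 255) -> str:
    """Decode a string of two-digit hex charcodes by XORing every byte with `key`.

    This is the same operation the malvertising SWF's decryption routine performs:
    each pair of hex digits is one character code, and the original character is
    recovered with (code ^ 255).
    """
    hex_text = "".join(hex_text.split())  # tolerate whitespace in a pasted blob
    if len(hex_text) % 2:
        raise ValueError("hex string has an odd number of digits")
    data = bytes.fromhex(hex_text)
    return "".join(chr(b ^ key) for b in data)


def recover_single_byte_xor_keys(hex_text: str, prefix: str = "http") -> list:
    """Return every key 0..255 whose decoding is printable and starts with `prefix`.

    Hypothetical helper (not from the post): useful when a new SWF variant swaps
    the 255 constant for another single-byte key.
    """
    data = bytes.fromhex("".join(hex_text.split()))
    wanted = prefix.encode("ascii")
    hits = []
    for key in range(256):
        candidate = bytes(b ^ key for b in data)
        if candidate.startswith(wanted) and all(b in PRINTABLE for b in candidate):
            hits.append(key)
    return hits


def defang(url: str) -> str:
    """Render a decoded URL so it is not clickable when pasted into a report."""
    return url.replace("http://", "hxxp://").replace(".", "[.]")


if __name__ == "__main__":
    keys = recover_single_byte_xor_keys(ENCODED_URL_HEX)
    print("candidate keys:", keys)
    for key in keys:
        print(f"key {key}: {defang(xor_decode_hex(ENCODED_URL_HEX, key))}")
```

Running it recovers key 255 as the only candidate and prints the redirector URL defanged; the same function applied to the "encoded function to insert the iframe" blob yields the decoded JavaScript linked on pastebin.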



I'd love to see the stats of that Cool EK instance...the Traffic must have been insanely huge.
Those following that threat will surely have recognized the gang that was behind the /read/ Cool EK:

Here is their EK use history:
2012-04-09 and before BH EK --> 2012-08-23 Sakura /forum/load/ --> 2013-09-07 Sweet Orange --> 2012-09-19 BH EK (when 2.0 came out) --> 2013-10-23 Cool EK /r/ then /read/ --> 2013-01-13 Sweet Orange --> 2013-02-21 Cool EK (when the new version came - /sales/ /indoor/) --> 2013-03-10 Sweet Orange --> 2013-07-30 Cool EK /water/


Below is a timeline (direct link) to illustrate that:
And here are the other "Talking" designs, sorted alphabetically by country code:
Austria: http://youtu.be/26ssPFefMQM
Canada: http://youtu.be/z3ROqM5lYBE
Switzerland: http://youtu.be/6ehaniYgjVs
Deutschland: http://youtu.be/_y4U3-Syx_g
Denmark: http://youtu.be/9_AWL4TLrhA
Spain: http://youtu.be/6X3j1v7sFoo
Finland:  http://youtu.be/fhpXftI8Q_k
France: http://youtu.be/80k2-34wXAw
Great-Britain: http://youtu.be/WBKB-aq_Z0M
Ireland: http://youtu.be/AP2_GPBhfbQ
Italy: http://youtu.be/07lvnjXJ-Z8
Luxemburg: http://youtu.be/mfYporm3xJI
Netherlands: http://youtu.be/o_U2GOe3ozE
Norway: http://youtu.be/Cx4UeI-5Mzg
Poland: http://youtu.be/VBSuEsQZ-qw
Portugal: http://youtu.be/X7FSXk9HmLI
Sweden: http://youtu.be/VyGY7pXdJjc

Read more :
Recent Reports of DHS-Themed Ransomware - 2013-07-30 - US-Cert
Malvertising on Youtube.com redirects to EKs - 2013-07-30 - MalwareSigs
CBeplay.P : Now target Australia and moved to server side localization - 2013-02-21
Cbeplay.P targets US and AT, now talks to UK Citizens - 2013-02-08

Files :
A really nice analysis by Joe Sandbox Cloud (www.joesecurity.org)
You'll see the C&C call, design, anti-VM features and much more

Some samples (OwnCloud via goo.gl)
SWF from the malvertising