On the 2014-01-28 Nathan Fowler warned about a drive-by on eHow.net and Livestrong.com.
It was serving a payload triggering TDLv4+ traffic signatures (its check-in over SSL) connected to those reports from a 2012 campaign :
Note : in the 020431, the Exploit Kit is GrandSoft.
C&C for the payload :
16265 | 126.96.36.199/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.
|pDNS on the host|
(perfectly match pattern in the alert 020496)
I checked eHow and Livestrong. Where I was expecting malicious ads, the source of the driveby was in fact an injected Iframe :
|Iframe at end of a livestrong Page|
|Same iframe on eHow|
|Successful pass in the Exploit Kit that got fed by eHow and Livestrong.|
WinXP Flash 10.3.183.20 - IE 8
13768 | 188.8.131.52/22 | PEER1 | US | IX.IO | DAIGER SYDES GUSTAFSON LLC
It's a Flash only Exploit kit that was serving version 10.1.x -> 11.2.x
Other version of flash would get an empty reply at the third call :
|Server side decides not to serve the exploit to flash 11.7.x.x|
CVE-2012-0779 & CVE-2012-1535 as candidates...or something newer with server side block to avoid making too much noise.
I asked for help and Timo Hirvonen from F-Secure figure out it was CVE-2013-5330.
That one was patched the 2013-11-12 with the CVE-2013-5329 which appeared recently in Angler EK
So we have something like :
|CVE-2013-5330 path in Flash Only EK|
200 OK (text/html)
GET http://asmmedia .net/swfobject.js
GET http://asmmedia .net/1fd67f39/11/2/
200 OK (text/html)
|Call for the xml|
GET http://asmmedia .net/engine/68d14faf.xml
200 OK (text/html)
|Call for the Exploit|
GET http://asmmedia .net/f6b5da0c.swf
200 OK (text/html) 61670074963d99b0f72a16e434e12dde
|Potected by secureSWF|
|Flash file in FFdec|
A downloader : Eset : Miep.B - Microsoft : Lurk [Edit : Apparently not tied to the RU focused lurk]
This campaign raises some questions :
- It's blinking. Didn't check long enough to have some patterns but in 24 hours it was up only 6-7 hours.
- They only go Flash...Weird. Seeing the high rank website used for traff, difficult to think it can be a "working area" for a coder.
- They do not attack as widely as they could (if it's indeed a fully working CVE-2013-5330) they could serve up to 11.9.900.117 which is only few months old.
or the main goal is : staying below the radar...If so : Goal achieved. It would be still active if the payload was as stealth as the EK itself. From feedback I got there is more than 60 referers. For instance eHow (Alexa 116 US/292 world) was redirecting since at least 2013-12-09 and this exploit kit is active since beginning of November...(don't know if it was already CVE-2013-5330 at that time...if so then it was an unpatched vuln! ).
Am also wondering how they compromised those websites..
|Demand Media Sites|
Cracked ? how strange is that
Cracked.com Serving Malware in Drive-By Downloads - 2013-11-14 - Brian Donohue
It would be nice to have some telemetry on Asmmedia .net/*.swf/js calls. Anyone ? :)
|Telemetry from Microsoft in :|
A journey to CVE-2013-5330 exploit
Based on some data found on the C&C, owner of the payload are dealing with "decent" numbers
|Installs Stats found on the C&C.|
11/10/2012 --> 23982
Would say 2nd Stage installs or something else
but not Miep cause numbers can't match for January.
(If you happen to work on this, I'm always happy to learn more).
Thanks a lot : Nathan Fowler, Timo Hirvonen (F-Secure), Chris Wakelin and Will Metcalf (Emerging Threats) for their help
Post Publication Reading :
Malware Analysis of the Lurk Downloader - Brett Stone-Gross - Dell SecureWorks - 2014-08-07
A journey to CVE-2013-5330 exploit - MPC (Microsoft) - Chun Feng - 2014-02-10