8×8 Script Leads to Infinity Drive-By

The “8×8″ script I’m referring to includes a link that looks like this:
hxxp://www.example .com/JB3xd6iX.php?id=87342871

And can be detected using a regular expression that looks something like this:
/^.*\/[a-z0-9A-Z]{8}\.php\?id=\d{8}$

One set of links redirect users to social engineering scams (e.g. fake Adobe Flash Player update) that I wrote about earlier. Another set redirects users to Infinity EK (aka “RedKit”, “GoonEK”).

First, let’s see how this drive-by looks like from the users’ perspective.

The user visits a website that’s been compromised. On one of the webpages, there’s a script with the filename containing eight random characters followed by an ID value which has eight digits (i.e. the “8×8″ script).

2014-04-06_01

The user is then redirected to another legitimate website that’s been previously compromised. This site serves up a script that leads to another site.

2014-04-06_02

This site is also legitimate and compromised. It houses the Infinity Exploit Pack script which tries to exploit the user’s browser.

2014-04-06_03

This is what the deobfuscated version of the landing page looks like. If the exploit is successful, there’s a request for the malicious payload file back to the same site.

2014-04-06_04

Infinity has an arsenal that includes two Java, two MSIE, Flash, and Silverlight exploits. The author(s) have been adding updates to their arsenal as well as modifying the links and infrastructure since the last time I analyzed it as RedKit v2.0.

Now let’s look at what’s happening behind the scenes. A webmaster provided me with suspicious files from his compromised website after I informed him his site was redirecting users to a drive-by. (I promised I would not reveal his site name so I redacted and/or modified the following screens.)

Turns out his site was compromised two different times. The first time, the attacker modified at least one HTML page and inserted the following script tags:

2014-04-06_05

Sometime later, the/another attacker modified the index.php file and inserted a PHP script that would download content from another website.

2014-04-06_06

Running this script, makes a request to a backend server and produces a seemingly endless number of new links:

2014-04-06_07

I was very fortunate that the compromised website had both the infected index.php file and the 8×8 script on his server. The link above leads to a PHP script on another site but I’m pretty certain it’s the same as the one below (which is also the same as the one I wrote about earlier).

2014-04-06_08

Deobfuscating the script is no longer a chore so I can extract the contents of the encrypted config string.

2014-04-06_09

Running it produces the TDS IP, key, and other information:

2014-04-06_10

So this is what’s going on…

2014-04-06_11

Here’s a series of packets showing this:

2014-04-06_12

The scripts are all the same and therefore appears to be the work of the same gang behind RedKit v2, Box Fraud, Goon EK, and Infinity.

Posted in Exploit Packs, Malscript | Tagged , , , , | Comments Off

Wild Wild West – 04/2014

sorry this is so late. added the following packs:

“Zuponcic”
Infinity (aka “RedKit”, “GoonEK”)
Ramayana (aka “DotkaChef”, “DotCacheF”)
RSPandorasBox
Top-Exp (aka “Magnitude”)

wildwildwest_0414

Posted in Exploit Packs | Comments Off

VBE Script Leads to Bank Fraud

I only stumbled on this at the middle so I don’t know how this is being targeted to users. Apparently this particular scam has been out there since at least August 2013 and it’s still up and running.

This is a VBScript Encoded file (VBE) that starts off the fraud:

2014-04-05_01

And it looks like this:

2014-04-05_02

Using a VBE decoder, I can convert the file to get the following. You can go here or here for the decoder.

2014-04-05_03

There’s several functions in this script and the one at the top deobfuscates the content by doing some math to convert decimal values to ASCII. The AppdataPath and File1 variables look interesting so I just add this to the script:

2014-04-05_04

This pops up the deobfuscated values then quits before it executes anything further. Here’s the result which tells us where the file will be written to and where to download the file from.

2014-04-05_05

Let’s get the second VBE file and decode that one as well.

2014-04-05_06

While going through the script, this pops up:

2014-04-05_07

This turns out to be a proxy.pac malicious script! Downloading the third file, I get this obfuscated proxy.pac file.

2014-04-05_08

After I clean this up, here’s what we get:

2014-04-05_09

After analyzing the scripts, here’s what it does…it changes the proxy values in IE and Firefox browsers:

2014-04-05_10

Then, whenever the user visits one of the sites found in the proxy.pac file, they get redirected to a phishing page but the URL bar shows that they are at the right banking site.

2014-04-05_11

Truncating the path reveals an open folder that contain files that make up the phishing page which is a sign we truly are not on the legitimate site.

2014-04-05_12

Here’s what the real banking site looks like:

2014-04-05_13

Packet captures shows that our traffic is indeed being sent to the phisher’s site when we attempt to visit one of those Brazilian bank sites.

2014-04-05_14

Here’s information about the domains and files:

Domain: eua.bestworked[.]com
IP: 64.74.223[.]40

Domain: euas.bestworked[.]com:8082
IP: 64.74.223[.]40

Domain: mn.dmanwork[.]com:8082
IP: 8.5.1[.]49

Filename: update.vbe
MD5: a8f52fb1a543abf5ac18ae2dbc0351e8
VT: 3/48

Filename: seta.vbe
MD5: 3fc44dae258d0316179541db44d09ad7
VT: 4/51

Posted in Malscript | Comments Off

Scout — New Tool Released

Here’s another tool that you might find useful when analyzing potentially infected websites. Scout is Pinpoint on steroids. Scout uses the Pinpoint engine and includes a feature from Revelo that makes this more functional and…risky. Let me explain.

Pinpoint downloads webpage components akin to using wget or curl. Pinpoint does not render the content making this safe to use even without a VM. Scout, on the other hand, gives you the ability to render content in select files so it can collect the URLs it’s trying to access (Revelo already includes this feature). This is great for those who don’t know how or have the time to deobfuscate Javascript. You just render the script and catch the results. However, if the file contains exploit code, your computer could get infected.

I did consider simply adding the new features to Pinpoint and calling it v2.0 but this could potentially cause confusion since Pinpoint is a safe tool to use so I decided to leave Pinpoint alone and create a new tool called Scout (I’ll still maintain both code bases). As its name implies, Scout seeks information about your target and does so rather progressively.

One other feature I thought would be useful was to give Scout the ability to take a screenshot of the webpage. The best and safest method I could come up with is using PhantomJS. It uses the WebKit browser engine so it’s way more safer than IE but there is added risk since the infected/malicious page has to be completely rendered. That’s the other reason why I wanted to separate this from Pinpoint.

So let’s see this in action…

Here’s Scout with its two new features:

2014-03-25_01

To activate the screenshot capability, download PhantomJS from here and copy the Windows executable to the same folder that Scout resides in. Now the “Take Screenshot” option lights up and you can enable and disable it as you choose. Scout will automatically create “rasterize.js” which is used to produce the screenshot. You can modify it (e.g. change its user-agent string) and Scout will use it going forward.

2014-03-25_02

Here’s what the workflow might look like. Enter a URL then click on start.

2014-03-25_03

After Scout pulls down the main page, it will launch PhantomJS and perform a screenshot of the site which gets saved as a PNG file:

2014-03-25_04

Viewing Scout’s capture file, we see some obfuscated Javascript in the source code. Since the Pinpoint engine won’t render it, we don’t know what this does.

2014-03-25_05

Copy/paste the Javascript and save it to an HTML file. Be sure it has the <script></script> tags (or <html></html> tags as necessary).

2014-03-25_06

Click on Tools > HTTP Request Simulator, choose the file, then click on Start.

What I’ve done is include some of Revelo’s functionality into Scout. There is a built-in WebBrowser Control that renders the URL. As the WebBrowser Control makes requests to external content (e.g. Javascript, CSS, images, etc) or redirects the browser depending on the webpage contents, Scout will collect the links then drop the HTTP responses before it reaches the browser. This should, in theory, prevent your computer from getting compromised but I can’t guarantee it so you ought to run this in a VM.

2014-03-25_07

Here’s another example…

First, let’s paste in the URL and click on Start:

2014-03-25_08

Here’s the screenshot of the site:

2014-03-25_09

Reviewing Scout’s capture file, we see Javascript (exploit code) from Infinity EK:

2014-03-25_10

Extract the script from the page and save it to an HTML file:

2014-03-25_11

Since this has a lot of scripts, the internal WebBrowser Control may not be able to handle it so you can optionally use your Internet Explorer browser. When you run Scout and click on Tools > HTTP Request Simulator, Scout will automatically set IE’s proxy setting to “localhost:8080″ (which is changed back after you close HTTP Request Simulator). All you need to do is leave the “File” field empty, click on Start, then open the HTML page in IE (note: you can do this with Firefox or Chrome too as long as you set the proxy settings yourself).

Here we see IE executing the js.html file with the exploit code. Scout’s HTTP Request Simulator is catching the requests, dropping the responses, and displaying the results. The VM did not get infected but I’ll never run this on my host computer, just in case. And neither should you.

2014-03-25_12

If you don’t see anything in the “results” box then maybe the script doesn’t have any redirect code or doesn’t reference any external content. Or maybe it relies on jQuery in which case you can paste in the jQuery script into your file.

You can download Scout from tools page.

By the way, I do appreciate all of your emails in support of Pinpoint! I’m glad it is helping you with your analysis and I hope Scout can further your research.

Posted in Tools | Tagged , , , , , | Comments Off

Converter Updated

The latest version includes several new features and bug fixes:

  • Fixed Mixed Octal to Hex function to handle null char at the end
  • Fixed and enhanced code related to keep/strip filtering functions
  • Fixed unescape handling of null bytes

Unescape File
Under the File menu > Unescape File allows you to unescape a text file. You have the option to beautify the Javascript using JSBeautifier (Note: if it’s not Javascript, you will likely get disappointing results).

2014-02-17_01

Convert Binary File
Added the ability delete bytes in the File > Convert Binary File function. The bytes are deleted before any action is taken.

2014-02-17_02

Sort Text
Under the Format menu > Sort Text you can now sort by characters, rows, or comma-delimited values.

2014-02-17_03

Range Search/Replace
Under the Tools menu > Range Search/Replace enables you to do a search and replace using one of three methods. While you can also do this using regex in Search/Replace Text, this is another way I thought I’d add.

2014-02-17_04

2014-02-17_05

Key Search/Convert – Calculate Distance
Added a method to have Converter try to automatically find a multi-byte XOR key. You can read this blog post where I describe how this works.

Just import a binary file that you suspect is an executable. You only need the first 1K bytes so leave that checkbox at the top checked. Click on the “Calculate Distance…” option. It will automatically paste in the DOS header string and set it to auto mode. Converter will start using offset 1, 2, 3…until the (near) length of your search string. I found it generated too much false positives if I used the entire length. You can get false positives when you have a short search string or large offset.

2014-02-17_06

Converter, File Converter, and Data Converter can all be downloaded from here. Thank you for your support!

Posted in Tools | Tagged , , | Comments Off