Earlier this year, the CrimeBoss exploit pack was released in beta form. An updated version was recently seen in the wild.
Here’s the panel’s login screen, which looks just like Crimepack.
But the rest of the pack is completely different. Here’s the landing page of the exploit pack:
The second layer is a little more challenging:
Once you deobfuscate the code, you’ll be rewarded with a neatly written script complete with comments. Here we see the three Java exploits it’s using:
The next day, the applets were replaced with similar ones:
As you can see from the above, the visiting computer gets hit by all three Java exploits:
“Social Engineering Applet”
The last applet is not actually an exploit. It merely tries to convince you that it’s okay to run the applet.
If you don’t have Java installed, CrimeBoss gives you a chance to install it.
The text above is in Portuguese; here’s a translation:
“You do not have Java or it is disabled.
This page has features that require Java to be enabled.
Click here to install the Java plugin.”
There are three interesting aspects to this exploit pack. The first is that this pack distributes the parts of its infection chain onto different domains. This makes the pack a little more resilient.
The second thing is that the payloads are renamed to look like graphic files. Unless you look at the magic numbers, it may not be very obvious that they are executables. Presumably they are hiding in plain sight on these servers. The dropped files range from backdoors to banking Trojans.
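A magic-number check is the simplest way to catch this kind of disguise on a web server or in a file share. The following is an added example, not code from the original post or from CrimeBoss: it compares a file's extension against its leading bytes and flags a Windows PE executable (MZ header with a valid "PE\0\0" signature) that carries an image extension. The sample bytes are constructed inline, and the PE check is deliberately minimal (header signatures only).

```python
import os
import struct

# Leading bytes expected for the image formats a renamed payload would impersonate.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}


def is_pe_executable(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Compare the file extension with the actual magic bytes."""
    ext = os.path.splitext(filename.lower())[1]
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "not-an-image-extension"
    if any(data.startswith(magic) for magic in expected):
        return "image"
    if is_pe_executable(data):
        return "pe-disguised-as-image"   # the case described in the post
    return "mismatch"                    # some other content behind an image name


def scan_dir(root: str) -> list:
    """Walk a directory and return (path, verdict) for every non-image behind an image name."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(name, fh.read(0x400))  # header bytes are enough
            if verdict in ("pe-disguised-as-image", "mismatch"):
                hits.append((path, verdict))
    return hits


def _fake_pe() -> bytes:
    """Constructed sample: a 64-byte DOS header pointing at a PE signature at offset 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_PE = _fake_pe()
```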
The third is that these Java applets download the malicious payload using a specific useragent string as seen here:
Decoded, the string reads:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0
Another applet used this one:
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
At the moment, it does not matter what your useragent string is; you can download these payload files at any time using any browser. But it seems plausible that in the future, CrimeBoss’ sites could restrict a direct download unless you have a matching UA string. This would join the other packs that employ a sessionID, cookie, referer, or UA string check to prevent direct downloads.
File: java7.jar (CVE-2012-4681)
File: javab.jar (CVE-2011-3544)