Analyzing DotkaChef Exploit Pack

“DotkaChef” (aka DotCache, DotCacheF) was discovered by Chris Wakelin (@EKwatcher) several months ago. Today we noticed that several things have changed, but it’s functionally the same.

If you look closely at the compromised websites that serve “DotkaChef” to their visitors, they are running Invision Power Board (IP.Board). It’s quite possible that the cybercriminals have been targeting a vulnerability in old IP.Board installations, specifically versions <= 3.3.4 (CVE-2012-5692, “Unserialized PHP Code Execution”).

[Screenshot: 2013-12-19_01]

When a website is successfully compromised, the “DotkaChef” pack gets uploaded to the server into a single folder with a randomly generated name. This appears to be a self-contained, portable exploit pack.

Back in June or so, the URLs looked like this (and thus its name):

website/upload/.cache/?f=atom.jar&k=2341993693027637&h=baf5291d12f88f53
website/upload/.cache/?f=site.jar&k=2341993693027615&h=baf5291d12f88f53
website/upload/.cache/?f=sm_main.mp3&k=2341993693027648&h=baf5291d12f88f53

Since then, the URL formats have changed and no longer use the “/.cache/” folder.

website/panel/js/fe0e2feefe/?=MDct5ibpFWbf12c8lzM1ATN4YDM1UDMwkzM89SZmVWZmJTZwUmZvMnavwWZuFGcvUGdpNnYld3LvoDc0RHa8NnZ
website/panel/js/fe0e2feefe/?f=a&k=3900550685053931
website/panel/js/fe0e2feefe/?f=s&k=3900550685053919
website/panel/js/fe0e2feefe/?f=sm_main.mp3&k=3900550685053942

Let’s have a closer look…

The URL for the landing page carries a string of seemingly random characters. This is actually a base64 string written backwards. Reversing it and base64-decoding the result reveals the following.

fs|http://website/panel/js/fe0e2feefe/|39005506850539|sm_main.mp3

The pipe character is used as a delimiter to separate out “fs”, the website path, a 14-digit “key”, and the payload filename. When the malicious URLs are generated, the “k” parameter contains a 16-digit number built on that 14-digit “key”: the key followed by two more digits.

The “f” parameter selects the malicious Java applet. This kit uses two Java exploits, and the values “a” (atom.jar) and “s” (site.jar) correspond to the exploit to be used.

If you request the page with an incorrect URL, you will see this error message:

[Screenshot: 2013-12-19_02]

When the correct URL is used, you will get the landing page. The landing page contains JavaScript obfuscated with JJEncode, as you can see below (I wrote about how to deobfuscate this earlier):

[Screenshot: 2013-12-19_03]

The deobfuscated version looks like this. It’s calling up the “atom.jar” exploit which abuses CVE-2013-2423.

[Screenshot: 2013-12-19_04]

Using JD-GUI, we can see that there’s little in the way of obfuscation: the applet only base64-encodes its strings. It reads the URL passed in from the landing page and downloads the payload to the victim’s computer.

[Screenshot: 2013-12-19_05]

The other Java applet is basically doing the same thing. This applet exploits CVE-2013-1493.

[Screenshot: 2013-12-19_06]

The payload is downloaded with an “mp3” file extension, then renamed and executed. You will get one of two payloads: Zbot or Zaccess.

Finally, the exploit pack keeps track of successful and unsuccessful loads. Each log row contains the key, a pipe delimiter, and a status code. A status code of “466” indicates a successful load.

[Screenshot: 2013-12-19_07]

Reviewing the logs shows quite a number of successful loads, making this a simple yet effective exploit pack.
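To make the URL format and the load log described above concrete, here is an added Python example (not code from the original post or from the kit): it decodes the reversed-base64 landing-page parameter into its pipe-delimited fields, checks that the “k” values of the follow-up requests are built on the decoded 14-digit key, and counts “466” rows in a key|status log. The URLs are those shown above; the log rows are constructed samples.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Samples modelled on the URL formats shown in the post; LOG rows are constructed.
LANDING = ("http://website/panel/js/fe0e2feefe/?="
           "MDct5ibpFWbf12c8lzM1ATN4YDM1UDMwkzM89SZmVWZmJTZwUmZvMnavwWZuFGcvUGdpNnYld3LvoDc0RHa8NnZ")
FOLLOWUPS = [
    "http://website/panel/js/fe0e2feefe/?f=a&k=3900550685053931",
    "http://website/panel/js/fe0e2feefe/?f=s&k=3900550685053919",
    "http://website/panel/js/fe0e2feefe/?f=sm_main.mp3&k=3900550685053942",
]
LOG = ["3900550685053931|466", "3900550685053919|466", "3900550685053942|200"]
APPLETS = {"a": "atom.jar", "s": "site.jar"}  # the two f values and the applets they select

def decode_landing(url):
    """Return (tag, base_path, key, payload) when the query string is a
    DotkaChef-style reversed base64 blob, otherwise None."""
    query = urlsplit(url).query
    blob = query[1:] if query.startswith("=") else query  # the bare "?=..." form
    blob = blob[::-1]                                     # undo the reversal
    blob += "=" * (-len(blob) % 4)                        # restore stripped padding
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = text.split("|")
    if len(parts) != 4 or parts[0] != "fs" or not re.fullmatch(r"\d{14}", parts[2]):
        return None
    return tuple(parts)

def classify_followup(url, key):
    """Name the artefact a follow-up request fetches, provided its 16-digit k
    is the landing page's 14-digit key plus two extra digits."""
    qs = parse_qs(urlsplit(url).query)
    k, f = qs.get("k", [""])[0], qs.get("f", [""])[0]
    if not (len(k) == 16 and k.isdigit() and k.startswith(key)):
        return None
    return APPLETS.get(f, f)  # anything other than a/s is the renamed payload

def successful_loads(log_lines, key=None):
    """Count 'key|status' rows whose status is 466 (a successful load), optionally for one key."""
    hits = 0
    for line in log_lines:
        row_key, _, status = line.strip().partition("|")
        if status == "466" and (key is None or row_key.startswith(key)):
            hits += 1
    return hits
```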

File: atom.jar (CVE-2013-2423)
MD5: 36D157C2EE62CF4BABA43497983739AA
VT: 3/49

File: site.jar (CVE-2013-1493)
MD5: FDCF4174445C303FC20494D9B24D7E7D
VT: 5/48

File: bb.mp3 (Zbot)
MD5: 29028CB338DFA191574939D281F1B385
VT: 24/47

File: sm_main.mp3 (Zaccess)
MD5: B6B0F0FE2033608579B4FA55D2993486
VT: 36/49
