8×8 Script Leads to Infinity Drive-By

The “8×8” script I’m referring to includes a link that looks like this:
hxxp://www.example .com/JB3xd6iX.php?id=87342871

And can be detected using a regular expression that looks something like this:
/^.*\/[a-z0-9A-Z]{8}\.php\?id=\d{8}$

One set of links redirect users to social engineering scams (e.g. fake Adobe Flash Player update) that I wrote about earlier. Another set redirects users to Infinity EK (aka “RedKit”, “GoonEK”).

First, let’s see how this drive-by looks like from the users’ perspective.

The user visits a website that’s been compromised. On one of the webpages, there’s a script with the filename containing eight random characters followed by an ID value which has eight digits (i.e. the “8×8” script).

2014-04-06_01

The user is then redirected to another legitimate website that’s been previously compromised. This site serves up a script that leads to another site.

2014-04-06_02

This site is also legitimate and compromised. It houses the Infinity Exploit Pack script which tries to exploit the user’s browser.

2014-04-06_03

This is what the deobfuscated version of the landing page looks like. If the exploit is successful, there’s a request for the malicious payload file back to the same site.

2014-04-06_04

Infinity has an arsenal that includes two Java, two MSIE, Flash, and Silverlight exploits. The author(s) have been adding updates to their arsenal as well as modifying the links and infrastructure since the last time I analyzed it as RedKit v2.0.

Now let’s look at what’s happening behind the scenes. A webmaster provided me with suspicious files from his compromised website after I informed him his site was redirecting users to a drive-by. (I promised I would not reveal his site name so I redacted and/or modified the following screens.)

Turns out his site was compromised two different times. The first time, the attacker modified at least one HTML page and inserted the following script tags:

2014-04-06_05

Sometime later, the/another attacker modified the index.php file and inserted a PHP script that would download content from another website.

2014-04-06_06

Running this script, makes a request to a backend server and produces a seemingly endless number of new links:

2014-04-06_07

I was very fortunate that the compromised website had both the infected index.php file and the 8×8 script on his server. The link above leads to a PHP script on another site but I’m pretty certain it’s the same as the one below (which is also the same as the one I wrote about earlier).

2014-04-06_08

Deobfuscating the script is no longer a chore so I can extract the contents of the encrypted config string.

2014-04-06_09

Running it produces the TDS IP, key, and other information:

2014-04-06_10

So this is what’s going on…

2014-04-06_11

Here’s a series of packets showing this:

2014-04-06_12

The scripts are all the same and therefore appears to be the work of the same gang behind RedKit v2, Box Fraud, Goon EK, and Infinity.

This entry was posted in Exploit Packs, Malscript and tagged , , , , . Bookmark the permalink.