New Exploit Pack Spotted
Another new exploit pack has been found in the wild. This pack uses two interesting methods to obfuscate its contents. Neither method is brand new, but both are interesting nonetheless. Let's have a closer look...
Here's the infection chain:
The first two URLs are redirectors to the main landing page, which is "qrsop326821". When I first looked at this HTML page, I thought the file had been corrupted in Wireshark, but it actually wasn't.
And this is what the deobfuscated code looks like:
Here's what the transformation looks like since it's rather difficult to describe.
As you can see from the landing page, there are two sets of exploits: Java and PDF. The PDF contains the LibTiff exploit and shellcode that downloads and executes the final payload file. The Java applet appears to use two exploits and, if successful, downloads a JPEG file that doesn't have the correct magic number.
Opening the file with a hex editor shows that every other byte is a garbage character and that this is really an executable.
I updated a program I wrote earlier to extract every other byte and dump it to a file.
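The extraction step described above, as an added example (this is not the author's program; it is a Python reimplementation of the idea). It assumes, as the post says, that junk bytes sit at a fixed stride of two and that the hidden file is a PE executable, so it checks the magic number the download claims against what the bytes actually are, tries both byte offsets, and keeps the candidate that carries a real MZ/PE header. The sample "JPEG" it works on is constructed inline, not the real payload.

```python
"""De-interleave a disguised executable in which every other byte is junk.

Added example, not the author's tool. Assumes the junk bytes sit at a
fixed stride of 2 and that the hidden file is a PE executable, which is
recognised by its MZ/PE headers rather than by the .jpg name.
"""
import struct
import sys

# File-signature table used for the magic-number check (well-known values).
MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/jar",
    b"MZ": "mz",
}


def sniff_magic(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def looks_like_pe(data: bytes) -> bool:
    """Check both the DOS 'MZ' stub and the 'PE\\0\\0' signature it points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_executable(data: bytes, stride: int = 2):
    """Try each byte offset modulo `stride`; return (offset, bytes) for the
    first candidate that carries a valid PE header, else None."""
    for offset in range(stride):
        candidate = data[offset::stride]
        if looks_like_pe(candidate):
            return offset, candidate
    return None


# --- Constructed sample (not the real payload from the post) -------------
# Minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, then a PE\0\0 signature.
FAKE_EXE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18
    + b"This program cannot be run in DOS mode.\r\n"
)


def interleave_with_junk(payload: bytes) -> bytes:
    """Build the disguised form: a deterministic junk byte before every real byte."""
    out = bytearray()
    for i, b in enumerate(payload):
        out.append((i * 73 + 41) & 0xFF)  # junk at even offsets
        out.append(b)                      # real byte at odd offsets
    return bytes(out)


DISGUISED = interleave_with_junk(FAKE_EXE)


def analyse(data: bytes, declared: str = "jpeg") -> dict:
    """Summarise what an analyst would record about a download of this file."""
    result = {"declared": declared, "magic": sniff_magic(data), "recovered_offset": None}
    found = recover_executable(data)
    if found:
        result["recovered_offset"], recovered = found
        result["recovered_magic"] = sniff_magic(recovered)
        result["recovered_size"] = len(recovered)
    return result


if __name__ == "__main__":
    # Usage: python deinterleave.py <captured_file>; with no argument the
    # constructed sample is analysed instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else DISGUISED
    print(analyse(blob))
    found = recover_executable(blob)
    if found and path:
        with open(path + ".recovered.exe", "wb") as fh:
            fh.write(found[1])
```

Checking for the `PE\0\0` signature at `e_lfanew`, not just the two leading `MZ` bytes, is what makes the offset search safe: a junk stream can start with "MZ" by chance, but it will not also carry a consistent pointer to a PE header. The declared-versus-actual magic mismatch is the cheap detection signal here; a response that says `image/jpeg` whose body does not begin with `FF D8 FF` deserves a closer look regardless of what the de-interleaver finds.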
These are the results I got:
File: rke80886.jar (CVE-2012-4681, CVE-2012-1723)
VT: 1 / 43
File: lib1.pdf (CVE-2010-0188)
VT: 4 / 44
File: EXE Payload
VT: 27 / 44
This one hasn't been identified yet so if anyone knows its name, please drop me a note.