New Exploit Kit - EgyPack

First off, many thanks goes out to Paul for doing all of the legwork on this new discovery!

A new pack has emerged called EgyPack.

The malicious link points to what looks like a JPEG file (careful, it may still be live):

hxxp://img130[.]imagehacks[.]es/img130/801/banner.jpeg?id=f8cdedaf861396068a58ab5a7f026e74

But it’s hardly an image file:

The author(s) appear to be very much into self-promotion, as “egypack” shows up in a lot of places in the JavaScript code. The page uses a staging technique: the exploit code is stored in pieces inside textarea and div containers, and the script reads those containers back out and assembles the final exploit code at runtime. You might have seen this technique used by other well-known kits like PEK (Phoenix Exploit Kit).

Here are some shots that show a cleaned-up version of the code:

Several obfuscation methods were used in this code, but it was predominantly character replacement, layered like an onion. After peeling one of the three layers, you get this. I would say that this is the heart of their decryption routine.

Here’s an example of one portion of the code that gets transformed twice to get to the final code:
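The textarea/div staging and the layered character replacement described above, as an added example in Python (not the kit's code and not from this post): a constructed landing page is built with the encoded blob split across hidden containers, then an analysis routine pulls the containers back out in document order and peels two layers to recover the final code. The two encodings (a letter-substitution table, then percent-encoding with the '%' swapped for '!'), the element ids egy0, egy1, ..., and the benign placeholder final code are all assumptions chosen for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Final code the stager would eventually eval(); a benign placeholder
# constructed for this example, not the kit's payload.
FINAL_CODE = 'document.write("<div id=\\"loaded\\">ok</div>");'

# Layer 1 (inner): letter substitution.  The real table is unknown; this
# one is an assumption for the example (any permutation works).
PLAIN = "abcdefghijklmnopqrstuvwxyz"
SUBST = "qwertyuiopasdfghjklzxcvbnm"
ENC = str.maketrans(PLAIN, SUBST)
DEC = str.maketrans(SUBST, PLAIN)

# Layer 2 (outer): percent-encoding with '%' replaced by MARK, so the blob
# is only usable after a replace() call.  '!' is chosen because quote()
# never emits it, which keeps the reverse replace unambiguous.
MARK = "!"

def encode_layers(code):
    """Forward direction, used only to build the sample page."""
    return quote(code.translate(ENC), safe="").replace("%", MARK)

def decode_layers(blob):
    """Peel in reverse order: restore '%', unescape, undo the substitution."""
    return unquote(blob.replace(MARK, "%")).translate(DEC)

def build_sample_page(code, pieces=3):
    """Constructed landing page: the encoded blob split across hidden
    textarea and div containers, alternating between the two tags."""
    blob = encode_layers(code)
    step = -(-len(blob) // pieces)            # ceiling division
    parts = [blob[i:i + step] for i in range(0, len(blob), step)]
    html = ["<html><body>"]
    for n, part in enumerate(parts):
        tag = "textarea" if n % 2 == 0 else "div"
        html.append(f'<{tag} id="egy{n}" style="display:none">{part}</{tag}>')
    html.append("<script>/* loader reads egy0.. in order and eval()s */</script>")
    html.append("</body></html>")
    return "\n".join(html)

class ContainerGrabber(HTMLParser):
    """Collect the text of every <textarea> and <div> that carries an id."""
    def __init__(self):
        super().__init__()
        self.found = {}      # id -> text
        self._open = []      # stack of (tag, id, [text chunks])

    def handle_starttag(self, tag, attrs):
        if tag in ("textarea", "div"):
            self._open.append((tag, dict(attrs).get("id"), []))

    def handle_data(self, data):
        if self._open:
            self._open[-1][2].append(data)

    def handle_endtag(self, tag):
        if self._open and self._open[-1][0] == tag:
            _, cid, chunks = self._open.pop()
            if cid:
                self.found[cid] = "".join(chunks)

def reassemble(html, prefix="egy"):
    """Emulate the stager: gather egy0, egy1, ... in numeric order,
    concatenate the container text and decode the layers."""
    grabber = ContainerGrabber()
    grabber.feed(html)
    ids = sorted((i for i in grabber.found if i.startswith(prefix)),
                 key=lambda i: int(i[len(prefix):]))
    return decode_layers("".join(grabber.found[i] for i in ids))

if __name__ == "__main__":
    page = build_sample_page(FINAL_CODE)
    print(page)
    print("recovered:", reassemble(page))
```

Splitting the blob across several containers is the reason the payload is invisible to a simple grep of the page source: each container holds only an encoded fragment, and the ordering lives in the element ids that the script iterates over, so an analyst has to reproduce the read order as well as the decode.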

The Java exploit appears to be CVE-2010-0886 and downloads a DLL file called “jvm.dll”. When you disassemble this file, you will find that it, too, is a downloader.

It does a GET with the User-Agent string “Egypack/1.0” and a Keep-Alive value of 300, then drops a binary file called “egy.exe” into the %APPDATA% folder. Unfortunately, the site was not working, so I can’t confirm its behavior or what the final malware was.
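A detection for the downloader's request described above, as an added example in Python (not from the post and not the kit's code): it parses raw HTTP requests and flags the User-Agent the post reports, treating the Keep-Alive value as supporting evidence only. The sample requests, hosts and paths are constructed for the example, and the Suricata rule at the end is illustrative with a placeholder sid.

```python
import re

# Constructed sample traffic: two ordinary requests and one shaped like
# the jvm.dll downloader's GET (User-Agent "Egypack/1.0", Keep-Alive 300).
# The hosts and paths are made up; the real URL is not known from the post.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\nConnection: keep-alive\r\n\r\n",
    "GET /load.php HTTP/1.1\r\nHost: downloader.invalid\r\n"
    "User-Agent: Egypack/1.0\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\n\r\n",
    "GET /banner.jpeg?id=abc HTTP/1.1\r\nHost: cdn.example.net\r\n"
    "User-Agent: Java/1.6.0_20\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path and a header dict
    with lower-cased names (header names are case-insensitive)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}

def classify(req):
    """Return a verdict for one parsed request.

    The User-Agent is the confident indicator.  "Keep-Alive: 300" on its
    own is not actionable, since other clients send it too, so it is only
    reported when it occurs without the UA match.  The URL path is ignored:
    "egy.exe" is the name written to disk, not necessarily the remote path.
    """
    headers = req["headers"]
    ua = headers.get("user-agent", "")
    strong = re.match(r"egypack/\d", ua, re.I) is not None
    weak = headers.get("keep-alive") == "300"
    if strong:
        return "egypack-downloader"
    if weak:
        return "keep-alive-300-only"
    return "clean"

def scan_requests(raw_requests):
    """Classify every request; returns (path, verdict) pairs in order."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.append((req["path"], classify(req)))
    return out

# The same check as a network signature (Suricata/Snort syntax).  The sid
# is a local placeholder; adjust it to your ruleset's numbering.
SURICATA_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"EgyPack jvm.dll downloader User-Agent"; flow:established,to_server; '
    'content:"Egypack/1.0"; http_header; nocase; '
    'classtype:trojan-activity; sid:9000001; rev:1;)'
)

if __name__ == "__main__":
    for path, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{path:24} {verdict}")
    print(SURICATA_RULE)
```

The same logic applies to proxy logs that record the User-Agent field: match on the UA string, and treat a new "egy.exe" under %APPDATA% on an endpoint that made such a request as the host-side confirmation.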

Here’s a link to a Pastebin of one of the files of the pack: http://pastebin.com/f6aca1ef9

Posted on: 05/05/2011