Introduction

Earlier today, I ran across a compromised website with injected script from both the pseudo-Darkleech campaign and the EITest campaign. This is similar to another compromised site I reported back in June 2016, shortly after Angler exploit kit (EK) disappeared from the EK scene [1]. At that time, the pseudo-Darkleech and EITest campaigns had switched to Neutrino EK.

Earlier week, we saw reports on pseudo-Darkleech and EITest switching between Neutrino EK and Rig EK [2, 3]. These two campaigns have a history of switching EKs [4, 5, 6, 7]. Because of that, I generated infection traffic from both campaigns campaigns using the same compromised site." />
Shown above: Flow chart for one compromised website used by two campaigns.

In the images below, you" />
Shown above:" />
Shown above: Injected script from the EITest campaign near the end of the same page.

usly noted, Ive never seen both infections at the same time. Ive only generated EK traffic from one campaign or the other. Injected script from the pseudo-Darkleech campaign tends to prevent injected script by other campaigns from running.

Pseudo-Darkleech Neutrino EK infection

By July 2016, injected script from the pseudo-Darkleech campaign had changed patterns, and that pattern of injected script remains in use as of mid-August 2016. In today" />
Shown above: Traffic from the pseudo-Darkleech infection filtered in Wireshark.

For those unfamiliar with CrypMIC ransomware, its a new branch of the CryptXXX family first reported on 2016-07-06 [8]. At first, I continued calling it CryptXXX, despite some noticeable differences in post-infection activity. Others soon noticed this new branch was using a different versioning format than the original branch of CryptXXX [9]. By 2016-07-20, TrendLabs analyzed the new branch, dubbing it CrypMIC [10], and I" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above: CrypMIC sends HTML-based decypt instructions.

in recent CrypMIC infections. Of note, I haven" />
Shown above: Desktop of the infected Windows host after rebooting.

EITest Rig EK infection

Injected script and traffic patterns from the EITest campaign have remained relatively consistent since Malwarebytes first identified this campaign in 2014 [12]. Back then the EITest campaign usually led to Angler EK. Weve seen it switch back and forth between Angler EK and Neutrino EK in 2015 and 2016. After Angler EK disappeared, the EITest campaign appears to have stuck with Neutrino EK until recently. Earlier this week, the EITest campaign led to Rig EK [2]. Today" />
Shown above: Traffic from the EITest infection filtered in Wireshark.

Reading the pcap with Snort 2.9.8.3 using the Snort subscriber ruleset, I saw alerts for the EITest gate and Rig EK." />
Shown above:" />
Shown above: Alerts from reading the pcap with snort (image 2 of 2).

ET Pro rulset, I saw alerts for Rig EK. Of note, Sundown EK has traffic patterns similar to Rig EK, so we see alerts for Sundown EK also in the list." />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above: Certificate data from the post-infection TLS traffic.

n setting itself up for persistence." />
Shown above: Registry key update and malware location.

Indicators of compromise (IOCs)

Pseudo-Darkleech Neutrino EK indicators:

  • 37.187.221.148 port 80 - fussabtr.gymeme.co.uk - Neutrino EK
  • 85.14.243.9 port 443 - CrypMIC post-infection traffic (custom encoded clear text)

SHA256 hash of CrypMIC payload (.dll file):

  • 03022e074c0b2a519f07bec3df48dbf15dcd0a3f3648c2a3cff463719a7dc4f3

EITest Rig EK indicators:

  • 85.93.0.13 port 80 - kydiris.xyz - EITest gate
  • 131.72.139.215 port 80 - i45h5.kinfacitontjo.top - Rig EK
  • 194.67.209.108 port 443 - ubmfotihexo.ru - post-infection HTTPS/TLS traffic
  • 217.29.58.167 port 443 - sgtxgkbi.ru - post-infection HTTPS/TLS traffic
  • 185.14.28.107 port 80 - attempted TCP connection, no response
  • 95.183.12.4 port 80 - attempted TCP connection, no response

SHA256 hash of possible Vawtrak variant payload (.exe file):

  • 506cb1459dd2fb79226dcb47811618b83e7bfaaff67eb1449f73eebdca9664da

NOTE: Keep in mind that IP addresses and domains for both Neutrino and Rig EKs are constantly changing. The IOCs will probably have changed by the time you read this.

Final words

As always, properly administered Windows hosts following best security practices (up-to-date applications, latest operating system patches, software restriction policies, etc) should not be infected when running across these campaigns.

Unfortunately, a large percentage of people dont follow best practices, and their computers remain at risk. Until this situation changes, actors distributing malware through EK-based campaigns remain a significant threat.

Pcap and malware for this diary are located here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://isc.sans.edu/forums/diary/Neutrino+EK+and+CryptXXX/21141/
[2] http://www.broadanalysis.com/2016/08/15/rig-exploit-kit-via-eitest-delivers-gootkit-banking-malware/
[3] http://www.malware-traffic-analysis.net/2016/08/16/index.html
[4] https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/
[5] https://isc.sans.edu/forums/diary/Actor+that+tried+Neutrino+exploit+kit+now+back+to+Angler/20075/
[6] https://isc.sans.edu/forums/diary/Whats+the+situation+this+week+for+Neutrino+and+Angler+EK/20101/
[7] https://isc.sans.edu/forums/diary/EITest+campaign+still+going+strong/21081/
[8] https://isc.sans.edu/forums/diary/CryptXXX+ransomware+updated/21229/
[9] https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxx-ransomware
[10] http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/
[11] http://malware-traffic-analysis.net/2016/07/25/index2.html
[12] https://blog.malwarebytes.com/threat-analysis/2014/10/exposing-the-flash-eitest-malware-campaign/
[13] https://threatpost.com/vawtrak-banking-trojan-adds-dga-ssl-pinning/119901/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

(credit: NIST)

Cisco Systems has confirmed that recently-leaked malware tied to the National Security Agency exploited a high-severity vulnerability that had gone undetected for years in every supported version of the company's Adaptive Security Appliance firewall.

The previously unknown flaw makes it possible for remote attackers who have already gained a foothold in a targeted network to gain full control over a firewall, Cisco warned in an advisory published Wednesday. The bug poses a significant risk because it allows attackers to monitor and control all data passing through a vulnerable network. To exploit the vulnerability, an attacker must control a computer already authorized to access the firewall or the firewall must have been misconfigured to omit this standard safeguard.

"It's still a critical vulnerability even though it requires access to the internal or management network, as once exploited it gives the attacker the opportunity to monitor all network traffic," Mustafa Al-Bassam, a security researcher, told Ars. "I wouldn't imagine it would be difficult for the NSA to get access to a device in a large company's internal network, especially if it was a datacenter."

Read 7 remaining paragraphs | Comments

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cisco Security Advisory: Cisco Firepower Management Center Remote Command Execution Vulnerability
 
Cisco Security Advisory:Cisco Application Policy Infrastructure Controller Enterprise Module Remote Code Execution Vulnerability
 
Cisco Security Advisory: Cisco Firepower Management Center Privilege Escalation Vulnerability
 
Linux Kernel 'Ack Challenge' Information Disclosure Vulnerability
 
[SYSS-2016-067] NetIQ Access Manager (iManager) - Temporary Second Order Cross-Site Scripting (CWE-79)
 
Apache Tomcat CVE-2015-5346 Session Fixation Vulnerability
 
Apache Tomcat CVE-2015-5345 Directory Traversal Vulnerability
 
Internet Storm Center Infocon Status