This is a guest diary submitted by Brad Duncan.

For the past year or so, I've noticed a particular group using a gate that redirects to an exploit kit (EK), usually Fiesta. This gate has evolved over the past year, changing IP addresses, domain names, and URL patterns. Currently, this gate is using 94.242.216.69 as its IP address.

I infected a VM on 2014-12-24 using the original referer from an example I found after searching for 94.242.216.69 in my organization's web traffic logs. The image below shows the gate on 94.242.216.69 and Fiesta EK on 205.234.186.111.

Shown above: Wireshark display for the Fiesta EK infection using this gate.

Monitoring the infection traffic with Security Onion shows the appropriate Snort signatures for Fiesta EK:

Shown above: Snort events from Security Onion using the ET open signature set.

Let's examine how the gate points to Fiesta EK. Earlier this year, the gate used a fairly straightforward iframe. Here's an example from April 2014:

Shown above: Gate to Fiesta EK from April 2014.

The current gate uses a much longer block of JavaScript, and the URL for Fiesta EK is slightly obfuscated. Here's the example from 2014-12-24:

Search your web traffic logs for 94.242.216.69, and you'll likely find several different domain names, each using the same URL pattern for the gate. Here's a sample of what I found for 94.242.216.69 from 2014-12-10 through 2014-12-23:

  • alpinias.com - GET /?_SPMq=vahK1gfvq3z1_Aj=fW8sL8ldnkPgy=81S8Y0_0Us9=dr_fSq3Jaiw7Eaf=fu5dv5wDK9=Ydqk1z4o652YRK=eHl9jdJ8jI86__=He0S4m9GQPy3i=J4HP58S7hdRPS8=7bi7Y
  • astroysch.com - GET /?LDZhT=Kegl8uezbqbx6n_Nk98=Pa59bTd3_Jp3B=k9hKcTeG_eS30mwpoA=k3OmaPs700bKE03=6800L6Kf_S_Z2l=z1Hge2_s2R0M0M
  • avtrokosmo.com - GET /?eg4yxQ=49eU6k7bIcPB5=ei8YapbIdQubUz3qMUy=w8H4iaz2Q1sePdZV4Zg=1hcfLh96u07x
  • bendjoblac.com - GET /?L_T=XfmqeN3LeQ97Wbwa7G6UOJgt=M1q6pbX2Xe_I8eK2n7aUsdm_v=MerQ5S5q6R9taM0IaIyfL3HSLF=5c
  • enotikkiki.com - GET /?tBbJ=286uU9rtikG=zaoY7Q_0KT8F0BREM=_4S3n0w9a2NE=9_d2Kz6ptmh=f87qmaaOc=2UQ5L1U1gWEfu6e=kcn_61M1srqR=R2s_9S9dGMvn=7b
  • kattyjerem.com - GET /?jtDO_=6pcoex6X_9I1TK9qJckr1Go9t3UL0sdQ_5LCsM=W3WO4NcvQ4M2tifG8ll9GXdxcgG0Q8Iz8Zn7M
  • hillarysday.com - GET /?m9SO_=y2Nbh6pd_0j9Mw84xF=6h1WubuKajeV4KebW6dQc=w6UcT2aK1f2Tmj7=b_0u9j7Za_aV0vUhf=ma
  • magggnitia.com - GET /?3W_wN=I40_W5_eht=t8vP8M8L2ad_uO=33KPa_s3oi=8P5_7QLfo=cHai8wZM7P_K=bSG7TH3pUKb38=1s4wx2sjSJyB=cM7c
  • magicalcepp.com - GET /?sk9=7ufJ8Ky7H8nS34n7f1h8t887R49eDf=1foPbZaw1VcxcHlfJdVw83P69hP1uSdYbR
  • magnitigus.com - GET /?V7k2sF=sbLLbi2fp9p073kddzfGanaT5K1cGqdUQG=tc8Z8G0kav2v7QY5gf3I2Z8y5_V0v3dJ0P
  • margartata.com - GET /?Cid=nak4G9zUkE3K=3i6iq9dUjM6_=Xe0seJ_X_g=R4taaJr4YHO=q9HQ34Px1_=3gaZ4HDVhN=v4v326t_=bu_1OX3OkFP=7y_5rv7
  • martinegris.com - GET /?m_FxE=eh0MkFq=H8GeSfz7=1l3d2T6r=aeLeH_9=k0Il2WZ7i6=3S17h_=SdlczmGAU=i0ufmMwf=ehp5pymV7T=y7lKeJpk_DF=_5_2
  • muertiose.com - GET /?_I4XS=idKbueq4kR1q80TsZ=Y0Wn7Lbr6K9hchthXvW=56WPaqG2OdJ0Ff_lty=x21dbrs8y5
  • throneonetwo.com - GET /?rQRqX=aj2us3_9Z4dBzt=h4uKf3l7eVSIDj=5rd_7zcN0g2Btxc=aief3k7oGC=X6g62bgw9hNUZHg=_5Q4scVc
  • treestois.com - GET /?Zd_E=Zd_0Q9_5SZbUU32Z4m4bOchhflz2g5n1h7_b6XgctsIVh=M8gcrO2yw78886tz8Zf6Ycba_cRd0o1Vk1
  • velasvegas.com - GET /?e2_Iq=652WNczup=V1Z7I2wR9m5_zQ=k3YT7O4H3_Dy2bH=t9nsbcbmGm2J_=1Kf_Ib0gq_BF=98m6

All the above domains are registered to the same organization:

  • Registrant name/organization: Wuxi Yilian LLC
  • Registrant country: China
  • Registrar: www.bizcn.com

Registration dates for the domains:

  • alpinias.com - 2014-08-29
  • astroysch.com - 2014-10-27
  • avtrokosmo.com - 2014-12-01
  • bendjoblac.com - 2014-11-12
  • enotikkiki.com - 2014-10-21
  • kattyjerem.com - 2014-11-12
  • hillarysday.com - 2014-09-18
  • magggnitia.com - 2014-12-01
  • magicalcepp.com - 2014-09-18
  • magnitigus.com - 2014-12-01
  • margartata.com - 2014-12-01
  • martinegris.com - 2014-10-21
  • muertiose.com - 2014-10-03
  • throneonetwo.com - 2014-10-27
  • treestois.com - 2014-12-01
  • velasvegas.com - 2014-11-12

Each of the domains on 94.242.216.69 is tied to a particular compromised website. If you have access to the web traffic and the HTTP headers, it's easy to find the compromised website: look for the Referer header in the HTTP GET request to 94.242.216.69.
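The two log-hunting steps above (search for the gate IP and its URL pattern, then read the Referer to find the compromised site) can be scripted. The following is an added example, not code from the diary or its author. It assumes a simple tab-separated proxy log format (timestamp, client IP, destination IP, method, Host, URL, Referer), and the log lines, the `.example` hostnames and the `rotated-gate.example` domain are constructed for the example; the minimum-length and two-`=` requirements in the URL pattern are my own heuristics for cutting false positives, not something the diary states.

```python
"""Hunt for the Fiesta EK gate in web proxy logs.

Added example (not from the diary).  A hit is a GET to the gate IP whose
URL follows the long "key=value=value" query-string pattern listed in the
diary; the Referer on that request names the compromised website.
The log format and the log lines are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# IP address the diary reports for the gate in December 2014.
GATE_IP = "94.242.216.69"

# Gate domains the diary lists for 2014-12-10 through 2014-12-23.
GATE_DOMAINS = frozenset({
    "alpinias.com", "astroysch.com", "avtrokosmo.com", "bendjoblac.com",
    "enotikkiki.com", "kattyjerem.com", "hillarysday.com", "magggnitia.com",
    "magicalcepp.com", "magnitigus.com", "margartata.com", "martinegris.com",
    "muertiose.com", "throneonetwo.com", "treestois.com", "velasvegas.com",
})

# Shape of the gate URLs in the diary: path "/", then a query string made
# only of [A-Za-z0-9_] runs joined by "=" with no "&" separators.  Requiring
# at least two "=" and a minimum length is my own heuristic so that ordinary
# "/?q=term" requests to the same IP do not match.
GATE_URL_RE = re.compile(r"^/\?[A-Za-z0-9_]+(?:=[A-Za-z0-9_]*){2,}$")
MIN_URL_LEN = 40

# Assumed (constructed) tab-separated log format, one request per line:
# timestamp, client IP, destination IP, method, Host header, URL, Referer
# ("-" when absent).  Map your own proxy's fields onto these names.
FIELDS = ("ts", "client", "dst_ip", "method", "host", "url", "referer")


def is_gate_url(url: str) -> bool:
    """True when a request URL follows the gate's query-string pattern."""
    return len(url) >= MIN_URL_LEN and GATE_URL_RE.fullmatch(url) is not None


def parse_line(line: str) -> dict:
    """Split one log line into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in log line: {line!r}")
    return dict(zip(FIELDS, parts))


def find_gate_hits(lines) -> list:
    """Return one record per request that reached the gate.

    Matching is keyed on the IP and URL pattern rather than the domain list,
    because the group rotates domains faster than it rotates the IP; hits on
    a domain not yet in GATE_DOMAINS are reported with known_domain=False.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst_ip"] != GATE_IP or rec["method"] != "GET":
            continue
        if not is_gate_url(rec["url"]):
            continue
        referer = rec["referer"]
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "gate_domain": rec["host"],
            "known_domain": rec["host"] in GATE_DOMAINS,
            # The Referer names the compromised site that redirected the victim.
            "compromised_site": urlsplit(referer).hostname if referer != "-" else None,
        })
    return hits


def compromised_sites(hits) -> list:
    """Distinct referer hostnames: the websites to clean up or block."""
    return sorted({h["compromised_site"] for h in hits if h["compromised_site"]})


# Constructed sample log: two gate hits with a Referer, one benign request,
# one non-matching request to the gate IP, and one gate hit with no Referer.
SAMPLE_LOG = ["\t".join(f) for f in [
    ("2014-12-24T14:02:11Z", "10.0.0.15", "94.242.216.69", "GET", "margartata.com",
     "/?Cid=nak4G9zUkE3K=3i6iq9dUjM6_=Xe0seJ_X_g=R4taaJr4YHO=q9HQ34Px1_=3gaZ4HDVhN=v4v326t_=bu_1OX3OkFP=7y_5rv7",
     "http://www.compromised-blog.example/news/2014/12/post.html"),
    ("2014-12-24T14:05:40Z", "10.0.0.22", "93.184.216.34", "GET", "search.example",
     "/?q=fiesta+ek", "-"),
    ("2014-12-24T15:11:03Z", "10.0.0.31", "94.242.216.69", "GET", "rotated-gate.example",
     "/?aB3_x=k9Lm2P0q_Rt=7yUvW4zz_c=pQ8Nn1bD=0ohJ5Kk2m=3w", "http://another-victim.example/"),
    ("2014-12-24T15:11:04Z", "10.0.0.31", "94.242.216.69", "GET", "rotated-gate.example",
     "/favicon.ico", "-"),
    ("2014-12-24T16:30:27Z", "10.0.0.15", "94.242.216.69", "GET", "velasvegas.com",
     "/?e2_Iq=652WNczup=V1Z7I2wR9m5_zQ=k3YT7O4H3_Dy2bH=t9nsbcbmGm2J_=1Kf_Ib0gq_BF=98m6", "-"),
]]


if __name__ == "__main__":
    found = find_gate_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    print("compromised sites:", compromised_sites(found))
```

Keying the match on the IP plus URL shape rather than on the domain list is deliberate: the diary shows sixteen domains registered over four months on one address, so a new domain will appear in your logs before it appears on any list, and the `known_domain` flag tells you which hits are worth a fresh whois check. A hit with no Referer (the last sample line) is still a victim; you just have to find the redirecting site from the client's preceding requests instead.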

The group behind these domains has used at least four different IP addresses during the past year, and the address will likely change again. Wuxi Yilian LLC is the registrant for all the domains I've found for this redirect in 2014.

I look forward to seeing what this group does in 2015.

----------

Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.