Monday, September 29, 2014

Fiesta Exploit Kit: Live Infection

During our daily hunt for Exploit Kits (EK), we came across many live Fiesta exploit chains.
The infection started from the following compromised domains:

Compromised sites:

The attackers often leverage compromised sites as the first level of redirection in the EK infection cycle. In the first Fiesta EK instance that we analyzed, the attacker, after obtaining root access, modified the "scripts.js" file present at the following location:
  • hxxp://www[.]media[.]orpi[.]com/js/scripts.js
All pages importing this JavaScript file will redirect the user to "nvplus[.]com/wp-content/".

Another variation of the initial loading page redirection was observed on the compromised site "interfacelift[.]com" at the following location:
  • hxxp://interfacelift[.]com/wallpaper/downloads/date/any/
In this case, the attacker added a <script> tag whose location points to another redirection site at:
  • hxxp://sunduk[.]biz/forum/docs/

A third variation of the initial redirection was observed on the compromised site "soyentrepreneur[.]com", where the attacker created a new JavaScript file "funcionesCarga.js" at the following locations:
  • hxxp://www[.]soyentrepreneur[.]com/assets/js/funcionesCarga.js
  • hxxp://www[.]soyentrepreneur[.]com/assets/js/se2013/funcionesCarga.js
The website pages importing these JavaScript files redirect the user to the Fiesta loading site.

All three initial redirection methods are fairly stealthy and can remain unnoticed by web administrators for days. We found this approach to be more effective than, and completely opposite to, a RIG EK compromise that we recently analyzed, where the attacker changed the home page of the website to ensure redirection.

Fiesta EK:

Some of the recent live Fiesta EK loading sites found in the wild are:
Apart from the usual EK redirection chain, the loading site fingerprints the user's browser and checks for the presence of the Microsoft Silverlight and Adobe Flash plugins.

It checks whether the Silverlight plugin is installed by creating the following ActiveXObject:
  • ActiveXObject("AgControl.AgControl")
The presence of the Flash plugin is verified by calling:
  • swfobject.embedSWF()
If both of the above calls raise an exception, the exploit cycle terminates. If vulnerable versions are found, the user is taken to the EK landing page.

Redirection to Fiesta EK Landing page

Fiesta Landing Page:

First, the malicious Silverlight and Flash files, for which the plugin checks have already been performed, are downloaded.

AV detection for the downloaded malicious files:

  •       rtu.swf: 2/55 (Generic Exploit)
  •       rtp.xap: 2/54 (CVE-2013-0074)

Following this, the main controller of Fiesta EK is called. In one of the Fiesta EK instances we analyzed, the controller was located at:
  • hxxp://hjwqk.ianlar[.]in/pofrj4l/1
It generates the following GET requests to the same domain during the course of the exploit cycle:

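The request paths captured for this controller share one shape: a short directory name, a 64-character hex token and optional ';<number>' suffixes, sometimes ending in '@@'. The following added example (not code from the original post) turns that shape into a parser and a per-host counter for proxy logs; the hostnames and hex tokens in the sample lines are constructed, and the directory name is the one from the controller URL above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Shape of the controller requests captured for this Fiesta instance:
#   /<dir>/<64 hex chars>            parameter/payload fetch
#   ... optionally followed by ';<number>' groups and a trailing '@@'
FIESTA_PATH = re.compile(
    r"^/(?P<dir>[A-Za-z0-9]{4,12})/(?P<token>[0-9a-f]{64})"
    r"(?P<params>(?:;\d+)*)(?P<marker>@@)?$"
)

def parse_fiesta_path(path):
    """Return the parts of a Fiesta-style request path, or None if it does not match."""
    m = FIESTA_PATH.match(path)
    if m is None:
        return None
    params = [int(p) for p in m.group("params").split(";") if p]
    return {"dir": m.group("dir"), "token": m.group("token"),
            "params": params, "marker": m.group("marker") is not None}

def find_fiesta_hosts(log_lines, threshold=3):
    """Count Fiesta-shaped GET requests per host in 'METHOD URL' proxy log lines
    and return the hosts that reach the threshold (one exploit cycle produces many)."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "GET":
            continue
        parts = urlsplit(fields[1])          # urlsplit keeps ';params' inside .path
        if parts.hostname and parse_fiesta_path(parts.path):
            hits[parts.hostname] += 1
    return {host: n for host, n in hits.items() if n >= threshold}

# Constructed proxy log lines (hostnames and hex tokens are made up; the
# directory name 'pofrj4l' is the one from the controller URL above).
SAMPLE_PROXY_LOG = [
    "GET http://ek-host.example/pofrj4l/1",
    "GET http://ek-host.example/pofrj4l/" + "ab" * 32 + ";120000;0",
    "GET http://ek-host.example/pofrj4l/" + "cd" * 32,
    "GET http://ek-host.example/pofrj4l/" + "ef" * 32 + ";1;2@@",
    "GET http://www.example.org/index.html",
    "GET http://cdn.example.org/assets/" + "12" * 32 + ".png",
]

if __name__ == "__main__":
    print(find_fiesta_hosts(SAMPLE_PROXY_LOG))   # {'ek-host.example': 3}
```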

Fiesta EK performs the following exploitation attempts, which produce the multiple GET requests:

Adobe Flash
  • Checks if Adobe Flash is installed and gets the application version.
  • It then generates a GET request to fetch the run-time parameters for the previously downloaded SWF file "rtu.swf".
  • A sample object of type "application/x-shockwave-flash" with dynamic run-time parameters to run the exploit payload is created as shown below:
"<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='FnkwX'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='wetsgk=MWYzH'/><param name='Play' value='0'/></object>"

Microsoft Silverlight
  • Checks if Microsoft Silverlight is installed in the browser and gets the application version.
  • It then generates a GET request to fetch the run-time parameters for the previously downloaded XAP file "rtp.xap".
  • A sample object of type "application/x-silverlight" with dynamic run-time parameters to run the exploit payload is created as shown below:
"<object data='data:application/x-silverlight-2,' type='application/x-silverlight-2' width=10 height=10><param name='source' value='LVSDE'/><param name='initParams' value=<LONG_STRING_VALUE></object>"

Java
  • Checks if the Java plugin is installed and enabled in the browser.
  • Downloads a malicious Java archive (JAR) based on the installed version:
    • JAR File -> ianlar.jar: 4/55 (CVE-2012-1723)
  • It then generates a subsequent GET request to fetch the parameter values required to execute the malicious JAR payload.
  • Creates a custom applet tag utilizing the run-time parameter values to run the exploit payload, as seen below:

Adobe Reader
  • Checks for the presence of the Adobe Reader plugin.
  • Downloads and executes the malicious PDF file:
    • PDF File -> Ianlar.pdf: 8/55

Upon successful exploitation, Fiesta EK was observed installing a new variant of the Zemot Trojan from the following location:
  • hxxp://warzine[.]su/b/shoe/54602
This is a well-known click-fraud botnet family which will soon start click-fraud activity on the victim machine, making money for the malware authors.

This Click-Fraud malware family appears to be connected to many other EKs in addition to Fiesta. Some of the domains involved in the Click-Fraud activity:

The above domains were resolving to the following two servers, located in Russia and Ukraine respectively:
A GET request to any of these domains looks like this:

- Sameer Patil

Thursday, September 25, 2014

Shellshock attacks spotted in wild [Updated Sept 26]

[Updated Sept 26, 2014: added new analysis and exploit attempts]


GNU Bash is susceptible to an arbitrary code execution vulnerability (CVE-2014-6271) dubbed Shellshock. The vulnerability is due to a failure to properly handle environment variables.

A remote attacker can exploit this flaw by interacting with an application that uses Bash environment variables, overriding or bypassing environment restrictions to execute shell commands. If an attacker can control the value of an environment variable, then code execution can be achieved in the context of the application using that environment variable.

A public advisory was released regarding this vulnerability here:

Shellshock Attacks - CVE-2014-6271

Within hours of the public disclosure of this vulnerability, we started seeing attacks targeting it in the wild to download additional malware. Nginx and Apache web servers configured to use mod_cgi appear to be two potentially vulnerable services that are actively being targeted. One such incident that we were able to confirm by mining our logs is shown below:

The server involved in the above case was found to be compromised and hosting ELF binaries which belong to the same Linux backdoor Trojan family with DDoS capabilities. We believe that vulnerable Apache servers were made to download an ELF binary named "apache", whereas vulnerable Nginx servers were getting the ELF binary named "nginx". The only difference we saw between these two binaries was the hardcoded Command and Control server information.

Upon successful exploitation of the CVE-2014-6271 vulnerability, the attacker is able to download and install the malicious ELF binary on the target Linux system. The malware connects to a predetermined Command and Control (C2) server on a specific port and awaits further instructions from the attacker. The C2 information can be seen hardcoded in the binary:

The malicious ELF binary named "apache" is leading to a different C2 location "".

This malware family is capable of performing the following actions:
  • BusyBox command injection exploit attempts
  • Collecting and sending sensitive system information
  • Performing Denial of Service attacks
  • Brute-force authentication attempts
  • Opening a backdoor connection for the remote attacker
List of commands supported by this bot:

The screenshots below show sample command and control communication from this bot:
Initial call back message and command to get system IP address
Shell command & JUNK flooding attempt

Active Shellshock exploit attempts [Updated - September 26, 2014]

Below is a sample list of suspicious headers that we captured in the past 12 hours attempting to exploit the Shellshock vulnerability (CVE-2014-6271). While the majority of these appear to be testing attempts, some of them look malicious.

Check if your server is vulnerable:

It is extremely important for system administrators to apply the appropriate security patch for the Linux distribution they are running. Below is a code snippet posted by Red Hat that you can use to determine whether your Bash version is vulnerable:

env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
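An added example, not part of the original post: a scanner for the Shellshock pattern in the referer and user-agent fields of Apache combined-format access logs, plus the Red Hat check above wrapped in subprocess so it can be run from an inventory script. The log lines are constructed and the client IPs are documentation addresses.

```python
import re
import shutil
import subprocess

# A CVE-2014-6271 probe plants a Bash function definition, "() {", in a header
# value that a CGI handler exports into the environment of the spawned shell.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed Apache combined-log lines (not from the post): two probes, one normal hit.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; echo vulnerable"',
    '198.51.100.9 - - [25/Sep/2014:10:02:17 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"',
    '203.0.113.77 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 '
    '"() { :; }; /bin/uname -a" "-"',
]

def find_shellshock_probes(lines):
    """Return (client_ip, request_path, offending_field) for each line whose
    referer or user-agent field carries the Shellshock pattern."""
    hits = []
    for line in lines:
        quoted = re.findall(r'"([^"]*)"', line)   # request line, referer, user-agent
        if not quoted:
            continue
        request = quoted[0].split()
        path = request[1] if len(request) > 1 else quoted[0]
        for field in quoted[1:]:
            if SHELLSHOCK_RE.search(field):
                hits.append((line.split(" ", 1)[0], path, field))
                break
    return hits

def local_bash_status():
    """Run the Red Hat check above through subprocess. Returns 'vulnerable',
    'patched' or 'no-bash' (no bash binary on PATH)."""
    bash = shutil.which("bash")
    if bash is None:
        return "no-bash"
    # Same as: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    proc = subprocess.run(
        [bash, "-c", "echo this is a test"],
        env={"x": "() { :;}; echo vulnerable", "PATH": "/usr/bin:/bin"},
        capture_output=True, text=True, timeout=10,
    )
    return "vulnerable" if "vulnerable" in proc.stdout else "patched"

if __name__ == "__main__":
    for ip, path, field in find_shellshock_probes(SAMPLE_ACCESS_LOG):
        print(f"probe from {ip} against {path}: {field!r}")
    print("local bash:", local_bash_status())
```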


We rate the severity of this vulnerability as critical as that of the Heartbleed vulnerability discovered earlier this year. We are still investigating the level of impact associated with this threat.

Zscaler customers are protected from this threat and associated malware family. Zscaler ThreatLabZ is actively monitoring this threat and associated attacks in the wild.

Friday, September 19, 2014

Malvertising campaign leading to Zemot

Malvertising has become a serious problem for advertisers and their clients alike. The Times of Israel has already been affected by such an attack. During our analysis, we discovered multiple other legitimate websites affected by the same malvertising campaign. We have informed the website owners so they can take action. Below is a brief timeline of the attack.

A legitimate site leveraging Zedo advertisements is the first victim in this attack. The malicious redirect chain goes to zedo[.]com, which redirects the user to static[.]thebutton[.]com/d2.php?ds=true&dr=.

The Malicious Redirect chain timeline.

The obfuscated URL that is being hidden is static[.]the-button[.]com

The next link in the redirection chain goes to a Swedish site.

The redirect chain then leads the victim to inter[.]wiab-service[.]se/geobalancer/geo2.php?acc=[xyz]&nrk=. This is the final redirect that takes the user to the [xyz][.]uni[.]me/ site, where the Exploit Kit (EK) and eventually the payload are sent to the victim.

The obfuscation here hides the final link to the Nuclear Exploit Kit.

Part 1: Nuclear Exploit Kit
Part 2: Nuclear Exploit Kit
The whole purpose of this broad attack is to download the final payload, which happens to be a variant of Zemot. It gets downloaded via a Kuluoz variant, which has been tied to Zemot click-fraud activity in recent days.

Kuluoz/Zemot infection phone home activity.
If you were unfortunate enough to have visited one of the many sites compromised by this threat, one strong indicator of infection is the existence of a batch file matching the format below:


This malvertising campaign has been highly effective thus far and no site, despite its good intentions, appears to be given any quarter.

Zscaler is actively monitoring this threat and notifying any sites of compromise.

Thursday, September 18, 2014

Nuclear exploit kit - complete infection cycle

Zscaler ThreatLabZ has been seeing a steady increase in the Nuclear Exploit Kit (EK) traffic over the past few weeks. The detection of malicious activity performed by this EK remains low, due to usage of dynamic content and heavy obfuscation. In this blog, we will walk you through a complete Nuclear EK infection cycle with a live example. We will also share details of the identified payload, which had very low Anti-Virus (AV) detection rates.

The infection cycle begins with an unsuspecting user visiting a legitimate site that was compromised by the attackers. The compromised site in the example covered in this blog is www[.]cornwallmusiceducationhub[.]org, which redirects the victim to the Exploit Kit hosting server []. Nuclear EK is notorious for exploiting the most popular browser plugins.

The following screenshot shows the malicious iframe injected on the compromised website.
Malicious iframe in compromised domain

The malicious iframe leads the users to a loading site, which in this case performs a second level redirection as shown below, eventually leading the victim to the Nuclear EK's landing page.
Redirecting to the Nuclear EK landing page

Redirection Chain observed in our example:
Compromised site : www[.]cornwallmusiceducationhub[.]org/tag/heartlands-pool/
Second level redirection site: fluersutel[.]tecnopes[.]com[.]ar/miksopulp16[.]html
EK Landing site: actudismatik[.]e-xms[.]com[.]ar/2150b060shv/1/9ffbf35e4190fbba62f70c8477fa3964[.]html
Redirection Chain

The Exploit kit landing page is heavily obfuscated to evade detection by AV and Intrusion Prevention Systems as seen below:
Landing Page

Now we will step through the complete de-obfuscation of the landing page captured in the above example. We used the open source JavaScript beautifier to structure the landing page JavaScript code. After structuring the code, we determined that there were 51 unused variable declarations, included to confuse researchers.

Going further, we observed that the following three functions, VV8Y6W, wL3 and Fp4Ovo, were responsible for the dynamic de-obfuscation of the EK landing page code. We have noted the action performed by each function in the following screenshot.

The following routine leverages the aforementioned functions to generate the key PluginDetect (v0.8.8) script, which we will discuss later.

Upon successful execution of the above code, the variable KKa will store the PluginDetect script. The following code will execute the script.


This script is derived from the well-known JavaScript library PluginDetect. This library is used by the exploit kit authors to perform detailed reconnaissance of the victim's browser plugins. We will walk you through the various actions performed by this script before it executes the exploit payload.

First the detectPlatform function will check for the operating system running on the victim machine:

Subsequently, the script will also check the version of well-known browser plugins, which includes Java, Adobe Reader, Adobe Flash, and Silverlight. 

It then leverages an XML DOM information leakage vulnerability to enumerate the system driver files residing in the C:\Windows\System32\drivers\ directory. If it finds any AV driver files, the script terminates the infection cycle.

Next, the script will check for the vulnerable versions of the loaded plugins and accordingly run the identified application exploit function.

The following screenshot shows the application specific exploit functions:

Below are the exploit payloads that were getting served if the related application plugin version was found to be vulnerable by the Nuclear EK instance that we analyzed. AV detection for the payloads delivered by this variant remained poor at the time of blog publication.

Silverlight Exploit:
MD5: 94ef35e1ecf0a486ab790957ad794a85
Size: 9139
VT: 2/55

Flash Exploit:
MD5: da5d57c700ebec211a6a57166700e796
Size: 5832
VT: 1/55

PDF Exploit:
MD5: 3676bf357f0678a609df6831b7a870a0
Size: 9769
VT: 1/54

If the exploit attempt is successful, then the EK code will silently download and install the following malware payload on the victim machine.



Monday, September 8, 2014

RIG EK outbreak continues

During daily data mining activities, we observe continual outbreaks of many exploit kits (EKs) such as RIG EK. Logs are monitored and analyzed to come up with new protections, which are eventually deployed in the Zscaler cloud. The dynamic nature of EK landing page code presents a constant challenge in providing generic detections. We need to look at various aspects of EKs, such as URLs, domains and IPs, to come up with generic detection guidance. In this regard, log analysis plays an important role.

In this blog we'll take a look at the logs observed for RIG EK over the last week (8/28/2014 - 9/5/2014).

RIG EK Traffic (%)
The above chart illustrates the traffic trend of RIG EK over the past week. There was a significant spike noted on Sept. 4th. 

Sept 4th Domains/IP:


Sept 4th EK URLs:

Sept 4th common URL pattern:


RIG EK landing page content:

RIG EK Landing Page
Code analysis of the landing page shown above is not discussed here. For a full code analysis, please take a look at our blog post from last month. In that blog, we tried to come up with a generic de-obfuscation technique that helps to de-obfuscate the EKs such as RIG and Fiesta.

Let's now take a look at the overall traffic distribution by IP for the last week (8/28/2014 - 9/5/2014).

Traffic distribution by EK IP's
Traffic was observed from 13 unique IP addresses. IP '191.101.14[.]125' was seen spreading the EK in large volumes. We also observed many IP addresses falling into three subnets.


We recommend blocking the aforementioned IPs. Subnet-level blocks can also be used, but we have to be a bit cautious when doing so, as legitimate sites may also be hosted in the same range.
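An added example, not from the original post, that performs the aggregation described above: it parses "domain ip" rows in the layout of the tables in this post, counts domains per IP, groups the IPs into /24 subnets and recommends a subnet block only when several distinct EK IPs sit in that range. The hostnames are constructed; the IPs are ones named in this post.

```python
import ipaddress
from collections import defaultdict

# Constructed "domain ip" observations in the layout of the post's tables.
# The IPs are ones named in the post; the hostnames are made up.
SAMPLE_OBSERVATIONS = """\
aaa.rig-sample-one.test 191.101.14[.]125
bbb.rig-sample-one.test 191.101.14[.]125
ccc.rig-sample-two.test 191.101.14[.]125
ddd.rig-sample-three.test 191.101.13[.]200
eee.rig-sample-four.test 191.101.13[.]201
fff.rig-sample-five.test 191.101.13[.]202
ggg.rig-sample-six.test 194.58.101[.]24
hhh.rig-sample-seven.test 178.132.203[.]113
"""

def parse_observations(text):
    """Parse 'domain ip' lines (defanged '[.]' accepted) into (domain, IPv4Address) pairs."""
    pairs = []
    for line in text.splitlines():
        parts = line.replace("[.]", ".").split()
        if len(parts) != 2:
            continue
        try:
            pairs.append((parts[0], ipaddress.ip_address(parts[1])))
        except ValueError:      # skip malformed rows rather than abort the run
            continue
    return pairs

def summarize(pairs, prefix=24):
    """Map each IP to the set of domains it served and each /prefix subnet to its IPs."""
    per_ip = defaultdict(set)
    for domain, ip in pairs:
        per_ip[ip].add(domain)
    per_subnet = defaultdict(set)
    for ip in per_ip:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_subnet[net].add(ip)
    return per_ip, per_subnet

def busiest_ip(pairs):
    """Return (ip, domain_count) for the IP that served the most EK domains."""
    per_ip, _ = summarize(pairs)
    ip = max(per_ip, key=lambda k: len(per_ip[k]))
    return str(ip), len(per_ip[ip])

def block_recommendation(pairs, min_ips_for_subnet=3):
    """Every observed IP is a block candidate; a whole subnet only when it holds
    at least min_ips_for_subnet distinct EK IPs, since the range may also host
    legitimate sites."""
    per_ip, per_subnet = summarize(pairs)
    return {
        "ips": [str(ip) for ip in sorted(per_ip)],
        "subnets": [str(net) for net in sorted(per_subnet)
                    if len(per_subnet[net]) >= min_ips_for_subnet],
    }

if __name__ == "__main__":
    rows = parse_observations(SAMPLE_OBSERVATIONS)
    print(busiest_ip(rows))                # ('191.101.14.125', 3)
    print(block_recommendation(rows))      # subnets: ['191.101.13.0/24']
```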

The following world map illustrates the geographical distribution of the EK IPs that have been observed. As noted, most activity is emanating from Russia.

Geographical distribution by EK IPs
No geo-location information was available for IPs falling into the '191.101.XX.XX' subnet.

Below is the full list of domains and IP's seen for the previous week.


The above trend shows a continuous outbreak of RIG EK in the wild. Data mining logs for such activity provides us with a sense of the trends being followed by the attackers. We will keep sharing such information via blog and scrapbook posts.

Stay tuned!