
Incident Activity Report

Date: 20170601
Analyst: 0x776b7364

EXECUTIVE SUMMARY
On 8 December 2014 23:18 GMT, a user on the host 38NTRGDFQKRPC (192.168.204.137) accessed www.excelforum.com via a Google search. This previously compromised website contained a malicious script file which caused the user's browser to be redirected to other websites containing malicious active content such as Java and Flash files. Existing browser-based vulnerabilities present on the host computer enabled the website to download and execute programs on the computer. The whole intrusion and infection sequence took about two minutes to complete. Based on the provided network traffic file, private or company information could potentially have been exfiltrated.
The organisation should:
- Consider encouraging or forcing users to use alternative browsers
- Encourage users to install browser add-ons/extensions such as NoScript to prevent potentially malicious scripts from loading automatically
- Ensure that endpoint protection software (such as antivirus) is installed and up to date
- Implement application whitelisting on Windows workstations
- Consider implementing a reverse proxy filtering solution (such as F5 or Blue Coat).
TECHNICAL ANALYSIS
The NetworkMiner tool was first used to get an overall picture of the contents within the included pcap file. From NetworkMiner, I obtained the following information:
- A large majority of the sessions originated from the host 192.168.204.137. This Windows host had the corresponding hostname 38NTRGDFQKRPC and MAC address of 00:0C:29:9D:B8:6D. Later analysis would demonstrate that this host is the host affected by the malicious JavaScript files.
- The Parameters tab indicated that the user agent parameter values for the host 192.168.204.137 are largely "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;". This indicates that the user is using the IE 8.0 browser on Windows 7 to access the sites. A further user agent was observed: "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25". Later analysis would show that this user agent belonged to the malware reaching out to malicious servers to download binary payloads.
Wireshark was then used to open the pcap file for analysis. The following display filter was used to isolate HTTP traffic related to the affected host (192.168.204.137):
(ip.src_host == 192.168.204.137 || ip.dst_host == 192.168.204.137) && http
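The display filter above selects, by IP address, the HTTP packets involving the affected host. The same selection can be reproduced programmatically when Wireshark is not at hand. The script below is an added example, not part of the original report: it builds a small libpcap file in memory (constructed packets; only the affected host's IP, its MAC address, and the two destination IPs are taken from the report), then walks the Ethernet/IPv4/TCP framing and returns every HTTP request sent to or from a given host, which is what the filter does for request packets.

```python
import socket
import struct

# Affected host from the report. The pcap bytes built below are constructed for
# this example and are not the report's capture.
AFFECTED_HOST = "192.168.204.137"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def _ipv4_packet(src, dst, sport, dport, payload):
    """Wrap an application payload in Ethernet + IPv4 + TCP (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    # Source MAC is the affected host's (from the report); destination MAC is made up.
    eth = b"\x00\x50\x56\xc0\x00\x08" + b"\x00\x0c\x29\x9d\xb8\x6d" + b"\x08\x00"
    return eth + ip


def build_sample_pcap():
    """Constructed libpcap file: two requests from the affected host, one from another host."""
    packets = [
        _ipv4_packet(AFFECTED_HOST, "69.167.155.134", 49152, 80,
                     b"GET / HTTP/1.1\r\nHost: www.excelforum.com\r\n\r\n"),
        _ipv4_packet("192.168.204.138", "10.0.0.5", 49153, 80,
                     b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
        _ipv4_packet(AFFECTED_HOST, "205.234.186.111", 49154, 80,
                     b"GET /6ktpi5xo/PoHWLGZwrjXeGDG3P-I5 HTTP/1.1\r\nHost: digiwebname.in\r\n\r\n"),
    ]
    # Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, link type 1 (Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1418080722 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def iter_frames(data):
    """Yield raw link-layer frames from libpcap bytes, honouring the file's byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap (microsecond) file")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def http_requests_for_host(data, host_ip):
    """Return HTTP requests whose IPv4 source or destination is host_ip.

    Equivalent to (ip.src_host == X || ip.dst_host == X) && http, restricted
    to packets that start with an HTTP request line.
    """
    results = []
    for frame in iter_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype only
            continue
        if frame[14 + 9] != 6:                               # TCP only
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        if host_ip not in (src, dst):
            continue
        tcp_start = 14 + (frame[14] & 0x0F) * 4
        payload = frame[tcp_start + (frame[tcp_start + 12] >> 4) * 4:]
        if not payload.startswith(HTTP_METHODS):
            continue
        head, _, rest = payload.partition(b"\r\n")
        method, path, _ = head.decode("ascii", "replace").split(" ", 2)
        host_hdr = ""
        for line in rest.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host_hdr = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        results.append({"src": src, "dst": dst, "method": method,
                        "url": "http://" + host_hdr + path})
    return results


if __name__ == "__main__":
    for req in http_requests_for_host(build_sample_pcap(), AFFECTED_HOST):
        print(req["src"], "->", req["dst"], req["method"], req["url"])
```

The parser deliberately ignores IP options and TCP segmentation; a request split across segments or carried in an IPv6 packet would need reassembly, which Wireshark does for you and this example does not.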
From the display filter results, I concluded that the affected user first entered the search term http://www.excelforum.com into Google [frame 8], and then clicked on the result which redirected him to the website http://www.excelforum.com (69.167.155.134:80) [frame 22]. Based on the Date HTTP parameter in the HTTP response [frame 309], the date and time at which this event occurred is 8 December 2014 23:18:42 GMT. The website included a <script> tag on line 127 which has the URL:
http://magggnitia.com/?Q2WP=p4VpeSdhe5ba&nw3=9n6MZfU9I_1Ydl8y&9M5to=_8w6t8o4W_abrev&GgiMa=8Hfr8Tlcgkd0sfV&t6Mry=I6n2
This causes the affected user's browser to perform an HTTP GET request to http://magggnitia.com (94.242.216.69:80) [frame 94]. The HTTP response was a JavaScript file which caused a redirect to the domain digiwebname.in (205.234.186.111:80). This JavaScript file, though obfuscated, had the gNUmtrTcEF parameter value of http://digiwebname.in/6ktpi5xo/PoHWLGZwrjXeGDG3P-I5. The pcap file supported the hypothesis that the user got redirected to that URL [frame 1300]. This event occurred on 8 December 2014 23:20:09 GMT.
The response of the HTTP request to the digiwebname.in domain was an HTML file containing another set of obfuscated JavaScript code [frame 1340]. The obfuscated JavaScript code was isolated and copied to a Remnux installation for further analysis. After patching the JavaScript code, and using the Rhino debugger and Google Chrome v8 for debugging and analysis, I determined that this JavaScript code profiled the browser and its plugins, and then used the results to make HTTP GET requests to download further payloads. The relevant subsequent HTTP GET requests and their corresponding frame numbers are as follows:
- http://digiwebname.in/6ktpi5xo/3830948c194842760701040b0b0f095a010b000b0d560858060c0b060a060a5a;118800;94 [frames 1347 and 1360]
- http://digiwebname.in/6ktpi5xo/7d0d7c94be7afa7a5b0d525f0558080d0557035f0301090f0250085204510b0d;910 [frames 1414 and 1435]
- http://digiwebname.in/6ktpi5xo/39e112e34c7d1c884055130a0309540a010a560a05505508060d5d070200570a;4060531 [frames 1418 and 1444]
- http://digiwebname.in/6ktpi5xo/55fdd7ebca026cab5447075f560c545b0706555f5055555900015e525705575b [frames 1977 and 1986]
These encrypted payloads were extracted to the examining system using Wireshark's Export Objects (HTTP) feature. The following list is a mapping from URL to filename to SHA1 hash of the payloads:
- http://digiwebname.in/6ktpi5xo/3830948c194842760701040b0b0f095a010b000b0d560858060c0b060a060a5a;118800;94 > hyepksam259.swf > 4e8bdc5611f8ef8e6473bd38cc625341832b7d3
- http://digiwebname.in/6ktpi5xo/7d0d7c94be7afa7a5b0d525f0558080d0557035f0301090f0250085204510b0d;910 > buvyoem41.pdf > 15add2fdcd6f4ee6a16ae2c8557aaba8bf2943d3
- http://digiwebname.in/6ktpi5xo/39e112e34c7d1c884055130a0309540a010a560a05505508060d5d070200570a;4060531 > dszohrfb90.xap > 90208b3c149a01de487a64f469042326050da3d0
- http://digiwebname.in/6ktpi5xo/55fdd7ebca026cab5447075f560c545b0706555f5055555900015e525705575b > syvwkahx581.jar > 59c07162d0c10658eec2298f19febfcb8275b25d
The SHA1 hashes were used as search terms within VirusTotal to confirm that all of the payloads are malicious, and that they are recognized by most antivirus vendors. The VirusTotal analysis further identifies that the SWF and JAR payloads exploit CVE-2014-0569 and CVE-2012-0507 respectively. A search of these two exploits reveals that both of them are used in the RIG and Fiesta exploit kits (EKs). A blog post by Context Information Security [1] confirms that the pcap file captured a Fiesta EK incident, due to the unique way in which the malicious URLs were generated and the JavaScript code was obfuscated.
The files referenced above exploited vulnerabilities in browser plugins such as Adobe Flash, Adobe PDF, Microsoft Silverlight, and Java. Some or all of the plugins were exploited to further download malicious encrypted payloads in frames 1596, 1757, 1961, 2139, and 2291 (these are shown as having the MIME type application/octet-stream).
I used a script provided by Context Information Security [2] to decode the second set of obfuscated JavaScript code, and obtained the following URLs which were not present in the pcap file:
- http://digiwebname.in/6ktpi5xo/228759d200ad45b60a060c0c0702550b00010b0c015b540907060001060b560b (incompatible Flash version)
- http://digiwebname.in/6ktpi5xo/69266c7425df8059030f0b0d0458060d040a010d0201070f030d0a000551050d (incompatible Flash version)
- http://digiwebname.in/6ktpi5xo/1b9a9eecb34c4c045b0c555a0b5e545a03510a5a0d075558045601570a57575a (missing or incompatible JavaFX)
Presumably, the JavaScript file determined that certain exploits do not match certain installed browser plugins due to missing or incompatible versions, and hence the downloads for these files are not triggered. In future incidents, such URLs should be accessed by a sacrificial Virtual Machine (VM) over a dedicated connection in order to accurately assess the impact of such malware on the organisation's environment.
Each of the file format exploits (swf/pdf/xap/jar) dropped an encrypted binary onto the local file system. A script by user 0x3a [3] was used to decrypt the encrypted binaries, and all the decrypted binaries resulted in the same SHA1 hash of dc54148d7b01c4ef6fe0bb9f74cce09a4ff83809. The VirusTotal and Malwr analysis of this binary confirmed that this is a PE executable malware. In addition, the Malwr page [4] indicated that an outgoing connection to the host 209.239.112.229:80 was observed. This corresponds to frames 1792 and 1799 in the pcap file, and it is likely that the malware has executed and is phoning home or exfiltrating information. I was unsuccessful in determining the plaintext from the base64 encoded POST request; further analysis on the binary using a debugger such as IDA Pro is recommended.
RECOMMENDED CLEANUP AND MITIGATION STRATEGIES
The following steps should be undertaken immediately:
- The affected system should be removed from the network, and a comprehensive forensics and data recovery exercise (if required) should be performed
- The Operating System should be wiped, and if the malware infection is severe, the system should be decommissioned
- The malicious binary files should be blacklisted in the centralized antivirus console, and quick scans using the updated signatures should be performed against sensitive systems
- Network and website filters should be set to restrict access to the affected websites and IP addresses.
The following steps should be considered and undertaken in the short term:
- Deploy alternative browsers such as Mozilla Firefox and Google Chrome to users
- Browser add-ons/extensions which disable automatic loading of scripts and plugins should be used
- The Standard Operating Environment (SOE) should be reviewed and unnecessary software (such as Flash or Java) should be removed unless required for operations.
The following steps should be considered and undertaken in the long term:
- Windows workstations should have application whitelisting enabled (such as via AppLocker)
- A reverse proxy filtering solution should be implemented to check the target website's reputation and presence of malware through analysis or blacklists.
REFERENCES
The following tools were used in the generation of this report:
Wireshark, NetworkMiner, Unix file, Remnux, Google Chrome v8, Rhino debugger
The following links were referenced and/or used in the generation of this report:
[1]: https://www.contextis.com/resources/blog/fiestaexploitkitanalysis/
[2]: https://www.contextis.com/documents/34/Fiesta_Decoder.zip
[3]: https://raw.githubusercontent.com/0x3a/tools/master/fiestapayloaddecrypter.py
[4]: https://malwr.com/analysis/MmNiMTdhZTFhMGRmNDAwZjg2ZDhhMDZjODFjMGY3NjI/
