{"id":7313,"date":"2017-04-11T14:10:32","date_gmt":"2017-04-11T22:10:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/11\/news-1104\/"},"modified":"2017-04-11T14:10:32","modified_gmt":"2017-04-11T22:10:32","slug":"news-1104","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/04\/11\/news-1104\/","title":{"rendered":"Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 11 Apr 2017 21:12:19 +0000<\/strong><\/p>\n

Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of\u00a0a surprise at\u00a0the end of March (Threat Spotlight: Sundown Matures<\/a>), but any doubts were squashed by this tweet\u00a0on April 8th\u00a0(Sundown (Beps) and Nebula out ? More than one month since last hits<\/span><\/a>).<\/p>\n

Also, whatever happened to Bizarro and Greenflash\u00a0Sundown EKs<\/a>? Whether this is a temporary break\u00a0or yet another dead EK, time will tell.<\/p>\n

In the meantime, there has been much noise and some activity from an exploit kit\u00a0that appeared late last year and which we wrote about<\/a> in early January. Because of similarities with Sundown EK, we initially thought that it was simply a new variant but it was actually from a different actor and called Terror EK by Spider Labs<\/a>.<\/p>\n

In this post Angler era, we have been accustomed to one hit wonders or bogus kits stolen and repackaged for sale under a different name. Simon Kenin over at Trustwave tracked and exposed<\/a> the activities of \u00a0the author of the Terror EK, going by the handle @666_KingCobra, in various underground forums. To make matters more complicated, there is a thing right now with rebranding and Terror EK has been known to be called Blaze<\/a>, Neptune<\/a>, or even\u00a0Eris<\/a>.<\/p>\n

With all this noise, it’s usually a good idea to look at what is actively being seen\u00a0in the wild versus what may be advertised here and there. Once we see an exploit kit in various distribution campaigns we know\u00a0it is at least worth looking at.<\/p>\n

Malvertising campaigns<\/h3>\n

We have been monitoring this particular campaign for some time and this is the instance of Terror EK most known about. Various ad networks (low quality traffic) are pushing this at the moment.<\/p>\n

\"\"<\/a><\/p>\n

Main landing page:<\/strong><\/h4>\n

\"\"<\/a><\/p>\n

IE exploits:<\/strong><\/h4>\n

\"\"<\/a><\/p>\n

Call to Flash exploits:<\/strong><\/h4>\n

\"\"<\/a><\/p>\n

Call to Silverlight exploit:<\/strong><\/h4>\n

\"\"<\/a><\/p>\n

Malware payload: Smoke Loader<\/em><\/p>\n

Compromised sites campaign<\/h3>\n

This is a newer campaign we started to notice\u00a0just a few days ago with the landing and payloads slightly different.<\/p>\n

\"\"<\/a><\/p>\n

Redirection to EK:<\/strong><\/h4>\n

The compromised websites\u00a0are leveraged to redirect to the exploit kit landing page in two different ways (but both are implemented). The first is the server 302 redirect call:<\/p>\n

\"\"<\/a><\/p>\n

But there is also another one done via\u00a0script injection:<\/p>\n

\"\"<\/a><\/p>\n

We\u00a0see\u00a0both of them in use, but each pushes their own flavour of Terror EK (classic one shown above via malvertising or the newer one). For example, the redir via script injection loads uploadrobot.download which in turn calls the ‘classic’ Terror landing:<\/p>\n

\"\"<\/a><\/p>\n

Landing page:<\/strong><\/h4>\n

This one stuffs everything into the landing page (rather than via multiple sessions). No lorem ipsum here, but some pretty lengthy text which precedes the various calls for exploits.<\/p>\n

\"\"<\/a><\/p>\n

IE exploits:<\/strong><\/h4>\n

\"\"<\/a><\/p>\n

Flash exploits:<\/strong><\/h4>\n

\"\"<\/a><\/p>\n

Payload deployment (remember ‘Sub fire()<\/a>‘?)<\/p>\n

\"\"<\/a><\/p>\n

Malware payload: Andromeda<\/em><\/p>\n

More copycats on the horizon<\/h3>\n

Sundown EK was notorious for stealing\u00a0exploits from others and the tradition continues with more copy\/paste from the ashes of dead exploit kits. If this harvesting was\u00a0done on higher grade EKs, we would have a more potent threat but this isn’t the case here.<\/p>\n

If it weren’t for active distribution campaigns, there would be very little to write about those numerous variants until they brought in something more serious to the table.<\/p>\n

Malwarebytes users are protected against this exploit kit and its payloads.<\/p>\n

IOCs:<\/h3>\n

Gates:<\/p>\n

http:\/\/sweetwine.club  http:\/\/uploadrobot.download\/frame.php<\/pre>\n
Classic Terror EK patterns:<\/p>\n
http:\/\/46.101.101.142\/e71cac9dd645d92189c49e2b30ec627a\/5f9987ccc0625389623525a46116f048  http:\/\/46.101.101.142\/5f9987ccc0625389623525a46116f048\/795819\/58e9d4f033acc  http:\/\/46.101.101.142\/5f9987ccc0625389623525a46116f048\/a39401275d1b300aa789fb22aea4148a  http:\/\/46.101.101.142\/5f9987ccc0625389623525a46116f048\/9526e055c9757becf45c5190facfd9f2  http:\/\/46.101.101.142\/5f9987ccc0625389623525a46116f048\/oiuhygnjda.swf  http:\/\/46.101.101.142\/5f9987ccc0625389623525a46116f048\/uploads\/wdioj124.swf  http:\/\/159.203.185.4\/uploads\/SilverApp1.xap  http:\/\/46.101.101.142\/d\/5f9987ccc0625389623525a46116f048\/?q=r4&r=28bac89052d8b2cb744a71a57b824a84&e=cve20146332<\/pre>\n
New Terror EK patterns:<\/p>\n
http:\/\/46.166.185.57\/9bfJS8fGH3ajrwj5oLPi3ml8\/1nMSGFjFkw5a.php  http:\/\/46.166.185.57\/9bfJS8fGH3ajrwj5oLPi3ml8\/ovRHl8aX9cp4\/NyhUcUzgwLZe.swf  http:\/\/46.166.185.57\/9bfJS8fGH3ajrwj5oLPi3ml8\/Zgtb0yL6c0qS\/vACS5uJmHoxe.swf  http:\/\/46.166.185.57\/9bfJS8fGH3ajrwj5oLPi3ml8\/Si7RBmLPbtk3\/EZZ0lzVwV8ds.swf  http:\/\/46.166.185.57\/9bfJS8fGH3ajrwj5oLPi3ml8\/Gopu04Ttg5s1.php<\/pre>\n
Flash exploits:<\/p>\n
7c9c76fbf156fbc5bffbfce1033d06a35b64cee49c01b09df47fa2642ad1a0b6  890f8756e6ab3bd62a2c3fbd098471e17db56808b19018119c0ad4a26ed7060f  97f107853c99b0de95a3e5b84ad1435e31cb42bd05d495d585e18f81a59a362d<\/pre>\n
Andromeda:<\/p>\n
6b40885fefbce6b1422f568a966c63e2468408f8f979746617c115070fbdd3fe<\/pre>\n
Smoke Loader:<\/p>\n
537ea229cc0d4b65e27ae59286a712a1a8f0f5630b2a945c71d86f6c5dbed848<\/pre>\n
The post Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 11 Apr 2017 21:12:19 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
With another player out at the moment, we take a look at a rebranded exploit kit in current malware campaigns.<\/p>\n
Categories: <\/p>\n