Sunday 16 February 2014

Dropnote #1 - Sweet Orange EK-rental(?)

"Dropnotes" are mainly an "online notebook" to share my notes as I go along

So I was checking my honeypot logs and noticed C2 traffic towards the domain doubleclick-ads.pw; being a .pw domain and all, I started investigating the event.

The traffic seen was POST requests directed to doubleclick-ads.pw/js/order.php; the sample itself was initially found on fatburrito.pw/GameHacks.exe [VT].

As with all C2 traffic, it would be interesting to identify the panel as well as any other artifacts hosted on the server.

Resolving doubleclick-ads.pw (doubleclick-ads.pw)... 162.248.166.113
Connecting to doubleclick-ads.pw (doubleclick-ads.pw)|162.248.166.113|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: ./blah.php [following]
--2014-02-16 12:21:03--  h00p://doubleclick-ads.pw/js/blah.php
Connecting to doubleclick-ads.pw (doubleclick-ads.pw)|162.248.166.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
This resulted in a picture being shown, meant as a "joke" aimed at, for example, researchers. The pictures are located in doubleclick-ads.pw/js/img/bp/[0-10].jpg. As I was browsing around checking for indexes I was always presented with a random image. Moving on...

Requesting the root page is when it got interesting, as it was loading an iframe:


Which led to yet another iframe:
A few things to note regarding the above shots. All of the pages are being reported as malicious, including the last one, which points to Sweet Orange Exploit Kit (same pattern as published by @kafeine).
The reason I wanted to highlight the URL is the digit in '/spot8/'; it says "There is more here!" to me, so I started changing the numbers and found that 1-9 are valid folders and all generated an iframe which pointed to Sweet Orange (number 9 generated two iframes, same domain, but different URLs).

Searching urlquery revealed another pattern, xxxpass.info/spota/index.php, which generated results(!):

Sadly, only '/spota/' was found to be a valid folder, but as the pattern '/spotX/' repeats, I found that once again 1-9 were valid and allowed directory indexing:

The files are quite self-explanatory:
getnewlink.php - Generates a new link and saves it to link.txt.
link.txt - Holds the link to where the iframe on xxxpass.info should point.
stats.php - Administration and statistics for Sweet Orange Exploit Kit.

Misc
While I was monitoring the iframes generated I found that a new URI is generated every 60 seconds and a new domain/subdomain every 60 minutes [Pastebin].
Hosts involved - urlquery (@urlquery)
botnethosting.com on cybercrime-tracker.net - Cybercrime-tracker.net (@Xylit0l) 
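Two of the observations above lend themselves to detection logic: the C2 beacons are POSTs to a fixed path (/js/order.php) even though the hosting domains vary, and the gate's iframe target rotates on a fixed schedule (new URI every 60 seconds, new host every 60 minutes). The following Python is an added example of mine, not code from the post or from any of the tools it links; it parses constructed proxy-style log lines (the hosts are hypothetical *.example.invalid placeholders, not the real infrastructure), flags C2 beacons by path regardless of host, and measures the rotation periods of a sequence of observed iframe URLs. The log format and the observation schedule are assumptions made for the example.

```python
"""Beacon flagging and iframe-rotation measurement (added example, not from the post)."""
import re
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import urlsplit

# Beacon path reported in the post; matched on any host since the C2 domains vary.
C2_PATH = "/js/order.php"

# Assumed log format: "<ISO timestamp> <METHOD> <absolute URL> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample log lines; hosts are hypothetical placeholders.
SAMPLE_LOG = """\
2014-02-16T12:21:03 GET http://gate.example.invalid/index.php 200
2014-02-16T12:21:04 POST http://c2-a.example.invalid/js/order.php 200
2014-02-16T12:21:09 GET http://gate.example.invalid/js/img/bp/3.jpg 200
2014-02-16T12:22:04 POST http://c2-b.example.invalid/js/order.php 200
2014-02-16T12:23:04 POST http://c2-b.example.invalid/js/order.php 302
2014-02-16T12:23:10 POST http://shop.example.invalid/js/order.php?x=1 200
""".splitlines()


def parse_line(line):
    """Return a dict with parsed timestamp, method, url and status, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "method": m["method"],
        "url": m["url"],
        "status": int(m["status"]),
    }


def flag_c2_beacons(lines, c2_path=C2_PATH):
    """Return (timestamp, host, status) for every POST whose path equals the beacon path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        parts = urlsplit(rec["url"])
        if parts.path == c2_path:  # query string is ignored on purpose
            hits.append((rec["ts"], parts.netloc, rec["status"]))
    return hits


def build_sample_observations(start=None, hours=2, every_s=20):
    """Constructed polling of the gate's iframe target every `every_s` seconds.

    Mimics the schedule described in the post: a new path every 60 s and a new
    host every 60 min. Hosts/paths are hypothetical placeholders.
    """
    start = start or datetime(2014, 2, 16, 12, 0)
    obs, t, end = [], start, start + timedelta(hours=hours)
    while t < end:
        elapsed = int((t - start).total_seconds())
        host = f"sub{elapsed // 3600}.rotating.example.invalid"
        path = f"/{elapsed // 60:x}/index.php"
        obs.append((t, f"http://{host}{path}"))
        t += timedelta(seconds=every_s)
    return obs


def rotation_periods(observations):
    """Median seconds between changes of the iframe path and of its host.

    Takes (timestamp, url) pairs; None for a component that never changed.
    """
    path_gaps, host_gaps = [], []
    prev_host = prev_path = last_host_t = last_path_t = None
    for t, url in sorted(observations):
        parts = urlsplit(url)
        if parts.netloc != prev_host:
            if last_host_t is not None:
                host_gaps.append((t - last_host_t).total_seconds())
            prev_host, last_host_t = parts.netloc, t
        if parts.path != prev_path:
            if last_path_t is not None:
                path_gaps.append((t - last_path_t).total_seconds())
            prev_path, last_path_t = parts.path, t
    return {
        "uri_period_s": median(path_gaps) if path_gaps else None,
        "host_period_s": median(host_gaps) if host_gaps else None,
    }


if __name__ == "__main__":
    for ts, host, status in flag_c2_beacons(SAMPLE_LOG):
        print(f"beacon {ts.isoformat()} host={host} status={status}")
    print(rotation_periods(build_sample_observations()))
```

Matching on the path rather than the domain is the point of the first helper: once the beacon path is known, new C2 domains show up as soon as an infected host talks to them. The second helper turns a stream of observed iframe targets into the two rotation periods, which is the number you would compare against the 60 s / 60 min cadence noted above when deciding whether a new gate belongs to the same kit.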
