Basic structure
Fiesta uses string obfuscation to hide the links to its exploits, which are then concatenated to form the landing page. There isn't much more to it than that, so let's move on to client identification and detection.
Client identification
Fiesta doesn't employ any anti-virus or virtual-environment detection the way Angler does, nor does it use PluginDetect; it simply uses its own implementation for detecting installed plugins. It runs the detection for each plugin, top to bottom, and directly after each check it loads an exploit if the plugin is found to be vulnerable, as shown below (comments added by me):
The sample from above can be found here: [pastebin, raw] [pastebin, decoded]
Detection
Fiesta has made small changes to the landing page URI during the last year, using for example:
domain.tld/anfjsf4/2
domain.tld/skejgq7/?1
domain.tld/ajdw2ja/osf3tyzhuohcvpxoythoclzqruiis6rxd9w
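As an added example (not code from the post), a small Python helper that scans proxy-style log lines for URIs shaped like the three landing-page paths quoted above; the regular expression and the sample log lines are constructed assumptions inferred only from those three examples, not a vetted signature, so treat hits as leads to pivot on (key in the first JavaScript function, follow-on exploit requests) rather than verdicts.

```python
import re
from typing import List, Optional, Tuple

# Shape inferred from the three URIs quoted in the post (assumption, not a
# published signature): a 7-character lowercase alphanumeric directory that
# contains at least one digit (all three examples do), followed by either a
# short number, a "?<number>" query, or a long lowercase alphanumeric token.
FIESTA_LANDING_RE = re.compile(
    r"^/(?P<dir>(?=[a-z]*\d)[a-z0-9]{7})/"
    r"(?P<tail>\d{1,2}|\?\d{1,2}|[a-z0-9]{20,})$"
)

# Constructed sample log: "client method host uri status" per line.
# The first three lines reuse the paths from the post; the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 GET domain.tld /anfjsf4/2 200
10.0.0.5 GET domain.tld /skejgq7/?1 200
10.0.0.7 GET domain.tld /ajdw2ja/osf3tyzhuohcvpxoythoclzqruiis6rxd9w 200
10.0.0.8 GET cdn.example /images/logo.png 200
10.0.0.9 GET shop.example /catalog/12 200
"""


def match_landing_uri(uri: str) -> Optional[dict]:
    """Return the matched parts of a Fiesta-shaped URI, or None."""
    m = FIESTA_LANDING_RE.match(uri)
    return m.groupdict() if m else None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, host+uri) for every GET whose path matches the shape."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing fields
        client, method, host, uri, _status = parts
        if method == "GET" and match_landing_uri(uri):
            hits.append((client, host + uri))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"possible Fiesta landing page: {client} -> {url}")
```

The digit requirement in the directory name is only there to cut obvious false positives such as /catalog/12; any 7-character random directory is still flagged.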
The landing page itself, however, hasn't changed beyond the obfuscation key, which is changed approximately every 7 days.
The key can be identified in the first JavaScript function in the response, as shown in the PCAPs below:
Example one:
Example two:
Example three:
Examples two and three use the same key; the rest differs (function and variable names, for example), but the key stays the same.
The same key will also be used for deobfuscating the IE exploit.
Resources
This script can be used to decode the strings in the landing page: [pastebin].
More examples of Fiesta can be found at malware-traffic-analysis.net.