Thursday 21 August 2014

Landing pages bite the dust - Sweet Orange

Sweet Orange (SO) has become rarer lately, but it is one of the kits whose landing page has not changed at all.

Basic Structure

SO has one of the largest landing pages of all the kits, 280-300 KB in size, and every one of them includes a 6-8 byte string that serves as a delimiter for the "main" script in the landing page.

It also includes some legitimate HTML to make it look like a legitimate web page, and that content is taken from real web pages. The sample used in this post can be found on [pastebin]. A Google search shows that the HTML originates from www.mariposamuseum.org/world_instruments03.html; the only difference is that the word Idiophones has been replaced with Large Cloud:
Sweet Orange HTML compared to legitimate webpage
After the decoy HTML, the malicious script starts. The plugin detection is hidden in a li tag that is subject to replacement at the bottom of the landing page.

There are two levels of obfuscation. First the delimiter is removed, revealing the main script; however, all &, <, > and % characters are missing from it. Those are put back at the end using String.replace in the second level.

String replacement in landingpage

Client identification

The main script [pastebin] checks for browser version and Flash version before launching any exploits. The function names are not obfuscated, making it easy to read.
Check browser and launch IE exploit
Check Flash and launch Flash exploit
Last but not least, a JNLP will be loaded in preparation for Java exploitation.

There isn't really that much to it in terms of advanced techniques or tricks.

Detection

Here are a few examples taken from Sweet Orange landing pages throughout the year.
2014-04-20:
ubjCzzjOSb = jinLOqHUrn.substring(60).replace(/jeR--_33S/, "");
ubjCzzjOSb = ubjCzzjOSb["xRadwPhBvkonCnYGSLGSNR".charAt(21).toString().toLowerCase() + "zQYbiTsKBgHRMmboJTCAUePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__mb3__/, "<");
ubjCzzjOSb = ubjCzzjOSb["BVsXCvUwSbVDbYmIAxdwKR".charAt(21).toString().toLowerCase() + "BuMUiFRjDVDxOELrHlydsePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Ob8__/, ">");
ubjCzzjOSb = ubjCzzjOSb["VgIvbfxtpUcdELmXlPMuDR".charAt(21).toString().toLowerCase() + "cluTqHOwGCviXBvPObDlaePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Hb7__/, "&");
ubjCzzjOSb = ubjCzzjOSb["UJchLeVPhClZLEBVWleeBR".charAt(21).toString().toLowerCase() + "RzifGzNyuLgkuWfsJdvktePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Nc0__/, "%");

2014-06-28:
mmSGqncKVi = DkPBNuJiFk.substring(60).replace(/ZJXm-_7q2/, "");
mmSGqncKVi = mmSGqncKVi["svcUQTPiOxzQewMHjxUSmR".charAt(21).toString().toLowerCase() + "ynnIJcpckBccKDamANMALePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__hhg7_/, "<");
mmSGqncKVi = mmSGqncKVi["IJvXqlxwzJjPMiYeTCdJUR".charAt(21).toString().toLowerCase() + "XTLpgjtTeESBeyEKjWQhGePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Db8__/, ">");
mmSGqncKVi = mmSGqncKVi["fCDSsWebkuqhbWMWbZLChR".charAt(21).toString().toLowerCase() + "lkgHcnCcpWveIGpoYMNStePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/_uio0__/, "&");
mmSGqncKVi = mmSGqncKVi["uNADVNFPkHZaUlEcMVVyTR".charAt(21).toString().toLowerCase() + "tUFiudmZYpEKgtNxoehPuePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__cc0__/, "%");

2014-08-20:
PoBpsXFGOP = jUkalrchvM.substring(60).replace(/n5Xc4_7w9/, "");
PoBpsXFGOP = PoBpsXFGOP["hhFcPPScoahJvsMypMhooR".charAt(Math.sqrt(441)).toString().toLowerCase() + "ghoAJERaNwXAkWJcmsXBoePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__hhg7_/, "<");
PoBpsXFGOP = PoBpsXFGOP["qaBaJkOMfRPHHqyRBmGnZR".charAt(Math.sqrt(441)).toString().toLowerCase() + "LNlIfrpfGHpeqyJtyGMJlePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Db8__/, ">");
PoBpsXFGOP = PoBpsXFGOP["gfZrLHSdOjKprxNoOQqXFR".charAt(Math.sqrt(441)).toString().toLowerCase() + "KzlUJPpCvqIVcAZhjsNGZePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/_uio0__/, "&");
PoBpsXFGOP = PoBpsXFGOP["LBeVqPfZzJLqgNhrMJNIMR".charAt(Math.sqrt(441)).toString().toLowerCase() + "wXWMEtMqIJmHaazzTqEOcePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__cc0__/, "%");

The pattern below is consistent across all the landing pages observed (not only the samples above).

.substring(21, 28).toLowerCase() + "Ace".toLowerCase()]

This makes it possible to detect and block Sweet Orange before any exploit is launched.
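As an added example (not code from the post or from the kit), here is a small Python triage script for captured landing pages: it checks for the stable fragment above, pulls out the first-level delimiter regex and the placeholder-to-character table of the second level, and statically evaluates the computed property name to confirm each call really resolves to replace. It also handles the Math.sqrt(441) form of the index seen in the 2014-08-20 sample. The sample lines are quoted from the post; the benign line is constructed.

```python
import re

# Fragment the post finds stable across all Sweet Orange landing pages (2014-04-20 .. 2014-08-20).
SIGNATURE = re.compile(r'\.substring\(21,\s*28\)\.toLowerCase\(\)\s*\+\s*"Ace"\.toLowerCase\(\)\]')

# First obfuscation level: skip a 60-char prefix and strip the 6-8 byte delimiter.
DELIMITER = re.compile(r'\.substring\(60\)\.replace\(/(?P<delim>[^/]+)/,\s*""\)')

# Second level: VAR[<computed method name>](/<placeholder>/, "<char>") restores one of < > & %.
CALL = re.compile(
    r'\["(?P<s1>[A-Za-z]+)"\.charAt\((?P<idx>21|Math\.sqrt\(441\))\)\.toString\(\)\.toLowerCase\(\)'
    r'\s*\+\s*"(?P<s2>[A-Za-z]+)"\.substring\(21,\s*28\)\.toLowerCase\(\)'
    r'\s*\+\s*"Ace"\.toLowerCase\(\)\]\(/(?P<token>[^/]+)/,\s*"(?P<char>[^"]+)"\)')

def char_index(expr):
    """The charAt() argument is written either as the literal 21 or as Math.sqrt(441); both are 21."""
    return 21 if expr == "Math.sqrt(441)" else int(expr)

def method_name(s1, idx, s2):
    """Statically evaluate s1.charAt(idx) + s2.substring(21, 28) + "Ace" (lowercased), no JS needed."""
    return (s1[idx] + s2[21:28] + "Ace").lower()

def analyse(sample):
    """Triage one captured page: signature hit, delimiter regex, and the
    placeholder -> character table together with the method each call resolves to."""
    delim = DELIMITER.search(sample)
    calls = [(m.group("token"), m.group("char"),
              method_name(m.group("s1"), char_index(m.group("idx")), m.group("s2")))
             for m in CALL.finditer(sample)]
    return {"signature": SIGNATURE.search(sample) is not None,
            "delimiter": delim.group("delim") if delim else None,
            "replacements": calls}

# Lines quoted from the post's 2014-04-20 sample (a captured landing page, not constructed here).
SAMPLE_2014_04_20 = r'''ubjCzzjOSb = jinLOqHUrn.substring(60).replace(/jeR--_33S/, "");
ubjCzzjOSb = ubjCzzjOSb["xRadwPhBvkonCnYGSLGSNR".charAt(21).toString().toLowerCase() + "zQYbiTsKBgHRMmboJTCAUePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__mb3__/, "<");
ubjCzzjOSb = ubjCzzjOSb["BVsXCvUwSbVDbYmIAxdwKR".charAt(21).toString().toLowerCase() + "BuMUiFRjDVDxOELrHlydsePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Ob8__/, ">");
ubjCzzjOSb = ubjCzzjOSb["VgIvbfxtpUcdELmXlPMuDR".charAt(21).toString().toLowerCase() + "cluTqHOwGCviXBvPObDlaePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Hb7__/, "&");
ubjCzzjOSb = ubjCzzjOSb["UJchLeVPhClZLEBVWleeBR".charAt(21).toString().toLowerCase() + "RzifGzNyuLgkuWfsJdvktePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__Nc0__/, "%");'''

# First replace line of the post's 2014-08-20 sample, where the index is written as Math.sqrt(441).
SAMPLE_2014_08_20 = r'''PoBpsXFGOP = PoBpsXFGOP["hhFcPPScoahJvsMypMhooR".charAt(Math.sqrt(441)).toString().toLowerCase() + "ghoAJERaNwXAkWJcmsXBoePl".substring(21, 28).toLowerCase() + "Ace".toLowerCase()](/__hhg7_/, "<");'''

# Constructed benign line using ordinary String.replace, to check that the signature does not fire on it.
BENIGN = 'var t = document.title.replace(/\\s+/g, " ").substring(0, 28).toLowerCase();'

if __name__ == "__main__":
    for name, sample in (("2014-04-20", SAMPLE_2014_04_20), ("2014-08-20", SAMPLE_2014_08_20), ("benign", BENIGN)):
        print(name, analyse(sample))
```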


Resources

Check out Malware-traffic-analysis.net for more examples and live traffic from Sweet Orange. The post includes links to all captures done by @malware_traffic (big thanks for providing the data!).
