
GONDAD EXPLOIT KIT


2013-11-15 - GONDAD EXPLOIT KIT DELIVERS GONDAD.EXE

I don't know if this was a coincidence, but the name of a malware EXE stored in an infected VM's temp folder matches the name of an exploit kit that triggered on the IDS.  In this case, two events triggered on a Gondad exploit kit, while the malware in the AppData\Local\Temp folder was named gondad.exe.


Screenshot from the infected VM.

Gondad is a Chinese crimeware exploit kit, and you can read more about it here or here.  Let's see what the infection traffic looks like...

SNORT EVENTS

I used Security Onion to monitor a vulnerable Windows VM running Java 6 update 25.  The infection traffic generated the following events in Sguil (all times GMT):

  • 23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52337 - ET CURRENT_EVENTS GondadEK Landing Sept 03 2013
  • 23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52338 - ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013
  • 23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52340 - ET INFO JAVA - ClassID?
  • 23:31:29 - LOCAL_HOST port 52344 - 211.233.50.214 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
  • 23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
  • 23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS Possible g01pack Jar download
  • 23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET INFO JAVA - Java Archive Download By Vulnerable Client
  • 23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET TROJAN Java Archive sent when remote host claims to send an image
  • 23:31:29 - LOCAL_HOST port 52345 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
  • 23:31:30 - LOCAL_HOST port 52346 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
  • 23:31:30 - LOCAL_HOST port 52347 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
  • 23:31:34 - LOCAL_HOST port 52348 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
  • 23:31:39 - 223.130.89.28 port 80 - LOCAL_HOST port 52349 - ET POLICY PE EXE or DLL Windows file download

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

  • 84.124.94.27 - musculosysexo.com - compromised website that channeled traffic to the exploit page
  • 211.233.50.214 - www.inkwa.co.kr - exploit page that delivered the java exploit
  • 223.130.89.28 - www.dcart.co.kr - malware delivery domain that sent the malicious EXE
  • 61.147.124.125 - count17.51yes.com - 51yes.com is associated with malicious activity, and this domain possibly helped set up the malware delivery

INITIAL INFECTION CHAIN

  • 23:31:14 - LOCAL_HOST port 52331 - 84.124.94.27 port 80 (musculosysexo.com) - GET /
  • 23:31:19 - LOCAL_HOST port 52337 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/index.html
  • 23:31:20 - LOCAL_HOST port 52338 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/swfobject.js
  • 23:31:20 - LOCAL_HOST port 52340 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/jpg.js
  • 23:31:23 - LOCAL_HOST port 52343 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /favicon.ico
  • 23:31:20 - LOCAL_HOST port 52341 - 61.147.124.125 port 80 (count17.51yes.com) - GET /click.aspx?id=170133288&logo=3
  • 23:31:22 - LOCAL_HOST port 52342 - 61.147.124.125 port 80 (count17.51yes.com) - GET /sa.htm?id=170133288&refe=&location=http%3A//www.inkwa.co.kr/w3c/w/index.html&[long string]
  • 23:31:31 - LOCAL_HOST port 52344 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/vekqkr2.jpg  [NOTE: Java exploit]
  • 23:31:31 - LOCAL_HOST port 52345 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/com.class
  • 23:31:32 - LOCAL_HOST port 52346 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/edu.class
  • 23:31:32 - LOCAL_HOST port 52347 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/net.class
  • 23:31:36 - LOCAL_HOST port 52348 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/org.class
  • 23:31:41 - LOCAL_HOST port 52349 - 223.130.89.28 port 80 (www.dcart.co.kr) - GET /kcp/winlog.exe  [NOTE: malicious EXE]
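The per-request breakdown further down (INFECTION TRAFFIC DETAILS) is, in effect, a join of the Sguil alert list and the HTTP request list above on the client's ephemeral port. The Python below is an added example and not part of the original post: it parses both lists (the data strings are copied from the two lists above) and produces that join. The one subtlety worth noticing is that LOCAL_HOST is not always in the same column of an alert line, because some rules fire on the client's request (the vulnerable Java user agent) and others on the server's reply, so the client port has to be picked out by name rather than by position.

```python
"""
Added example (not from the original post): correlate Sguil alerts with the
HTTP requests they fired on, keyed by the client's ephemeral source port.
ALERTS and REQUESTS are copied from the lists in the post.
"""
import re
from collections import defaultdict

ALERTS = """\
23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52337 - ET CURRENT_EVENTS GondadEK Landing Sept 03 2013
23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52338 - ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013
23:31:18 - 211.233.50.214 port 80 - LOCAL_HOST port 52340 - ET INFO JAVA - ClassID?
23:31:29 - LOCAL_HOST port 52344 - 211.233.50.214 port 80 - ET POLICY Vulnerable Java Version 1.6.x Detected
23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET CURRENT_EVENTS Possible g01pack Jar download
23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET INFO JAVA - Java Archive Download By Vulnerable Client
23:31:29 - 211.233.50.214 port 80 - LOCAL_HOST port 52344 - ET TROJAN Java Archive sent when remote host claims to send an image
23:31:29 - LOCAL_HOST port 52345 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
23:31:30 - LOCAL_HOST port 52346 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
23:31:30 - LOCAL_HOST port 52347 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
23:31:34 - LOCAL_HOST port 52348 - 211.233.50.214 port 80 - ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
23:31:39 - 223.130.89.28 port 80 - LOCAL_HOST port 52349 - ET POLICY PE EXE or DLL Windows file download
"""

REQUESTS = """\
23:31:14 - LOCAL_HOST port 52331 - 84.124.94.27 port 80 (musculosysexo.com) - GET /
23:31:19 - LOCAL_HOST port 52337 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/index.html
23:31:20 - LOCAL_HOST port 52338 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/swfobject.js
23:31:20 - LOCAL_HOST port 52340 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/jpg.js
23:31:23 - LOCAL_HOST port 52343 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /favicon.ico
23:31:20 - LOCAL_HOST port 52341 - 61.147.124.125 port 80 (count17.51yes.com) - GET /click.aspx?id=170133288&logo=3
23:31:22 - LOCAL_HOST port 52342 - 61.147.124.125 port 80 (count17.51yes.com) - GET /sa.htm?id=170133288&refe=&location=http%3A//www.inkwa.co.kr/w3c/w/index.html&[long string]
23:31:31 - LOCAL_HOST port 52344 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/vekqkr2.jpg  [NOTE: Java exploit]
23:31:31 - LOCAL_HOST port 52345 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/com.class
23:31:32 - LOCAL_HOST port 52346 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/edu.class
23:31:32 - LOCAL_HOST port 52347 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/net.class
23:31:36 - LOCAL_HOST port 52348 - 211.233.50.214 port 80 (www.inkwa.co.kr) - GET /w3c/w/org.class
23:31:41 - LOCAL_HOST port 52349 - 223.130.89.28 port 80 (www.dcart.co.kr) - GET /kcp/winlog.exe  [NOTE: malicious EXE]
"""

# time - hostA port A - hostB port B - message.  LOCAL_HOST may be on either
# side: client-side rules fire on the request, most others on the reply.
ALERT_RE = re.compile(r"^(\S+) - (\S+) port (\d+) - (\S+) port (\d+) - (.+)$")
# time - LOCAL_HOST port P - server port 80 (hostname) - GET path [optional note]
REQ_RE = re.compile(r"^(\S+) - LOCAL_HOST port (\d+) - (\S+) port (\d+) \((\S+)\) - (GET \S+)")


def parse_alerts(text: str) -> dict:
    """Return {client_port: [alert message, ...]} in the order the alerts appeared."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        _t, host_a, port_a, host_b, port_b, msg = m.groups()
        client_port = int(port_a if host_a == "LOCAL_HOST" else port_b)
        by_port[client_port].append(msg)
    return dict(by_port)


def correlate(alerts_text: str, requests_text: str) -> list:
    """Return [(time, hostname, request, [alerts]), ...] sorted by time."""
    alerts = parse_alerts(alerts_text)
    rows = []
    for line in requests_text.splitlines():
        m = REQ_RE.match(line.strip())
        if not m:
            continue
        t, client_port, _ip, _sport, hostname, request = m.groups()
        rows.append((t, hostname, request, alerts.get(int(client_port), [])))
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for t, host, req, hits in correlate(ALERTS, REQUESTS):
        print(f"{t}  {host:22} {req:50} {len(hits)} alert(s)")
        for h in hits:
            print(f"{'':76}  - {h}")
```

Requests with an empty alert list (the compromised site, the favicon and the two 51yes.com hits) are exactly the ones the post marks "Sguil events: None", and the five alerts on port 52344 are the ones listed for the vekqkr2.jpg request.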

POST INFECTION CALLBACK TRAFFIC

  • 23:31:52 - Standard query 0xd8b9 A qqq.qesff.com
  • 23:31:52 - Standard query response 0xd8b9 A 112.218.71.110
  • 23:31:52 - LOCAL_HOST port 52350 - 112.218.71.110 port 8081 - [SYN]
  • 23:31:52 - 112.218.71.110 port 8081 - LOCAL_HOST port 52350 - [SYN, ACK]
  • 23:31:52 - LOCAL_HOST port 52350 - 112.218.71.110 port 8081 - [ACK]
  • 23:31:52 - LOCAL_HOST port 52350 - 112.218.71.110 port 8081 - [PSH, ACK] 488 bytes
  • 23:31:52 - 112.218.71.110 port 8081 - LOCAL_HOST port 52350 - [ACK]

 

INFECTION TRAFFIC DETAILS

IP address: 84.124.94.27 port 80
domain name: musculosysexo.com
HTTP request: GET /

Sguil events: None

Screenshot of traffic:


I couldn't figure out how it got from here to the next step in the infection chain.

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/index.html

Sguil event: ET CURRENT_EVENTS GondadEK Landing Sept 03 2013

Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GondadEK Landing Sept 03 2013"; flow:established,from_server; file_data; content:"expires=|22|+expires.toGMTString()"; fast_pattern:3,20; nocase; content:"51yes.com/click.aspx?"; nocase; content:"|22|gb2312|22|"; nocase; content:"delete "; nocase; content:"eval"; nocase; pcre:"/^[^A-Za-z0-9]/R"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit; classtype:trojan-activity; sid:2017408; rev:2;)

Screenshot of traffic:

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/swfobject.js

Sguil event: ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013

Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK? Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016560; rev:9;)

Screenshot of traffic:

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/jpg.js

Sguil event: ET INFO JAVA - ClassID?

Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - ClassID?"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:1;)

Screenshot of traffic:

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/vekqkr2.jpg

Sguil events:

  • ET POLICY Vulnerable Java Version 1.6.x Detected
  • ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
  • ET CURRENT_EVENTS Possible g01pack Jar download
  • ET INFO JAVA - Java Archive Download By Vulnerable Client
  • ET TROJAN Java Archive sent when remote host claims to send an image

Rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:" ET POLICY Vulnerable Java Version 1.6.x Detected "; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"65"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:30;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.gif; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:trojan-activity; sid:2016321; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A|PK"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2014473; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java Archive sent when remote host claims to send an image"; flow:established,from_server; content:"Content-Type|3a| image"; nocase; http_header; content:"|0d 0a 0d 0a|PK"; fast_pattern; content:"META-INF/MANIFEST"; distance:0; classtype:trojan-activity; sid:2014288; rev:1;)

Screenshot of traffic:

 

IP address: 211.233.50.214 port 80
domain name: www.inkwa.co.kr
HTTP request: GET /w3c/w/com.class
HTTP request: GET /w3c/w/edu.class
HTTP request: GET /w3c/w/net.class
HTTP request: GET /w3c/w/org.class

Sguil events:

  • ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
  • ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
  • ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
  • ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class

NOTE: These HTTP GET requests all returned a response of 404 Not Found.

 

IP address: 223.130.89.28 port 80
domain name: www.dcart.co.kr
HTTP request: GET /kcp/winlog.exe

Sguil event: ET POLICY PE EXE or DLL Windows file download

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:18;)
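Three of the rules quoted in this section check byte patterns that are easy to reproduce outside Snort, which is handy when you want to re-check a carved file or a saved HTTP response after the fact. The Python below is an added example, not code from the original post or from Emerging Threats: it re-implements the checks behind sid:2014288 (a JAR served under an image Content-Type), sid:2000419 (an MZ header whose e_lfanew points at the PE signature) and sid:2011582 (a Java/1.6.0_ user agent other than update 65) and runs them over constructed HTTP responses. The request names are taken from this capture, but the response bodies, the ZIP entries and the PE stub are fabricated for the example.

```python
"""
Added example (not from the original post or Emerging Threats): the byte checks
behind sids 2014288, 2000419 and 2011582 as plain Python, run over constructed
HTTP responses.  Request names come from the capture; the bodies are fake.
"""
import io
import struct
import zipfile


def split_http_response(raw: bytes):
    """Split a raw HTTP response into ({lowercased header: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def jar_claimed_as_image(headers: dict, body: bytes) -> bool:
    """sid:2014288: 'Content-Type: image...' header, but the body right after the
    blank line is a ZIP ('PK') that carries a META-INF/MANIFEST entry."""
    ctype = headers.get("content-type", "").lower()
    return ctype.startswith("image") and body[:2] == b"PK" and b"META-INF/MANIFEST" in body


def is_pe_file(body: bytes) -> bool:
    """sid:2000419: 'MZ' at offset 0, and e_lfanew (little-endian 32-bit at 0x3C)
    must point at 'PE\\0\\0'.  In the rule, byte_jump:4,58,relative,little leaves
    the cursor at 64 + e_lfanew, hence the PE content match with distance:-64."""
    if body[:2] != b"MZ" or len(body) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def vulnerable_java_ua(user_agent: str) -> bool:
    """sid:2011582: ' Java/1.6.0_' in the request header where the next two bytes
    are not '65' (content:!"65"; within:2): the rule treats 1.6.0_65 as the only
    non-vulnerable 1.6 build."""
    marker = " Java/1.6.0_"
    idx = user_agent.find(marker)
    if idx < 0:
        return False
    return user_agent[idx + len(marker): idx + len(marker) + 2] != "65"


# --- constructed sample bodies, not the real files from the capture -----------

def build_fake_jar() -> bytes:
    """A ZIP with a manifest and one bogus .class entry (class magic only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        zf.writestr("com.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_fake_pe() -> bytes:
    """A DOS header with e_lfanew = 0x80 and 'PE\\0\\0' at offset 0x80, nothing else."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 20


SAMPLES = {
    "GET /w3c/w/vekqkr2.jpg": b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + build_fake_jar(),
    "GET /kcp/winlog.exe": b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + build_fake_pe(),
    "GET /w3c/w/swfobject.js": b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\nvar x = 1;",
}


def scan(samples=SAMPLES) -> dict:
    """Return {request: [rule names that would fire on its response]}."""
    findings = {}
    for req, raw in samples.items():
        headers, body = split_http_response(raw)
        hits = []
        if jar_claimed_as_image(headers, body):
            hits.append("ET TROJAN Java Archive sent when remote host claims to send an image")
        if is_pe_file(body):
            hits.append("ET POLICY PE EXE or DLL Windows file download")
        findings[req] = hits
    return findings


if __name__ == "__main__":
    for req, hits in scan().items():
        print(req, "->", hits or "no hits")
    print("Java/1.6.0_25 vulnerable:", vulnerable_java_ua("Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_25"))
```

The PE check deliberately follows e_lfanew instead of searching for "PE\0\0" anywhere in the body; that is what keeps the rule from firing on arbitrary binaries that merely contain those bytes, and the negative distance in the rule is the Snort way of expressing the same pointer arithmetic.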

Screenshot of traffic:

 

PRELIMINARY MALWARE ANALYSIS

Java exploit from 211.233.50.214 port 80 (www.inkwa.co.kr):

https://www.virustotal.com/en/file/365d664cf30a569b56f829806fe57e8b31289515b8d5425fd83e3e465cf084fa/analysis/1384564026/

File name:  2013-11-15-java-exploit.jar
File size:  2.4 KB ( 2463 bytes )
MD5 hash:  c0d693e9c3c41c217541f5db7de6f459
Detection ratio:  9 / 46 
First submitted:  2013-11-16 01:07:06 GMT 
This appears to be based on CVE-2011-3544, which is effective against Java 6 update 27 and earlier.

Java archive contents:

Malicious binary downloaded from 223.130.89.28 port 80 (www.dcart.co.kr):

https://www.virustotal.com/en/file/a71ba4a221ffb1c60c8c937548cf0ea91d2393969aaf2364454f0796f9f688d0/analysis/1384564048/

File name:  2013-11-15-malicious-binary.exe 
File size:  45.5 KB ( 46592 bytes )
MD5 hash:  1297b79f039b802fc09bcada1d3763e7
Detection ratio:  12 / 46
First submitted:  2013-11-15 14:49:21 GMT 

Most of the AV companies listed on the VirusTotal entry have identified this malware as a variant of Unruy.  Unruy appears to be a Trojan downloader.  We saw it call out, but no additional malware was downloaded in this case.