2014-06-08 - INFINITY EK FROM 46.226.194[.]6 - ELITECAD[.]GR

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-06-08-Infinity-EK-traffic.pcap.zip
• 2014-06-08-Infinity-EK-malware.zip

NOTES:

• This is the same compromised website as seen on 2014-06-04, but with a different redirect and a different domain for Infinity EK.
• The malware payload is the same as last time; however, the Flash and Silverlight exploits have been updated since then.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 213.5.176[.]14 - www.johnknightglass[.]co[.]uk - Compromised website
• 195.191.148[.]38 - dbk-dimitrov[.]com - Redirect
• 46.226.194[.]6 - elitecad[.]gr - Infinity EK
• 87.118.90[.]136 - 87.118.90[.]136 - Post-infection callback

COMPROMISED WEBSITE AND REDIRECTS:

• 18:14:58 UTC - www.johnknightglass[.]co[.]uk - GET /
• 18:15:00 UTC - dbk-dimitrov[.]com - GET /clik.php?id=9959892
• 18:15:00 UTC - dbk-dimitrov[.]com - GET /clik.php?id=9959868
• 18:15:01 UTC - dbk-dimitrov[.]com - GET /clik.php?id=9959869
• 18:15:05 UTC - dbk-dimitrov[.]com - GET /clik.php?id=9959897
• 18:15:31 UTC - dbk-dimitrov[.]com - GET /clik.php?id=9959893

INFINITY EK:

• 18:15:00 UTC - elitecad[.]gr - GET /uk/phpdownloader.html
• 18:15:00 UTC - elitecad[.]gr - GET /uk/phpdownloader.html
• 18:15:02 UTC - elitecad[.]gr - GET /uk/phpdownloader.html
• 18:15:03 UTC - elitecad[.]gr - GET /6324.swf
• 18:15:05 UTC - elitecad[.]gr - GET /6324.swf
• 18:15:05 UTC - elitecad[.]gr - GET /8908.xap
• 18:15:05 UTC - elitecad[.]gr - GET /8908.xap
• 18:15:07 UTC - elitecad[.]gr - GET /uk/phpdownloader.html
• 18:15:08 UTC - elitecad[.]gr - GET /57.mp3?rnd=01886
• 18:15:09 UTC - elitecad[.]gr - GET /57.mp3?rnd=28529
• 18:15:10 UTC - elitecad[.]gr - GET /57.mp3?rnd=08386
• 18:15:29 UTC - elitecad[.]gr - GET /57.mp3?rnd=43668
• 18:15:30 UTC - elitecad[.]gr - GET /57.mp3?rnd=31166
• 18:15:31 UTC - elitecad[.]gr - GET /3207721367.mp3?rnd=18629

POST-INFECTION CALLBACK TRAFFIC:

• 18:16:48 UTC - 87.118.90[.]136 - POST /news/index.php
• 18:16:49 UTC - 87.118.90[.]136 - POST /news/index.php
• 18:16:50 UTC - 87.118.90[.]136 - POST /news/index.php

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-06-08-Infinity-EK-flash-exploit.swf
File size:  4,475 bytes
MD5 hash:  ec5f5f2b85f6f133ef25d09ef6908686
Detection ratio:  1 / 50
First submission:  2014-06-08 23:27:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2179aa43de0d3fcac429e1f528412043799f94942dc941a5ffa36233c8406531/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-06-08-Infinity-EK-silverlight-exploit.xap
File size:  6,242 bytes
MD5 hash:  6728d803252532e11e2a2f62b069598b
Detection ratio:  6 / 51
First submission:  2014-06-08 23:28:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/430a044651af3ef0a4cb9443bfb5e2997d5de5aa8c59915294c94fdcf073b2bf/analysis/

 

MALWARE PAYLOAD

File name:  2014-06-08-Infinity-EK-malware-payload.exe
File size:  117,760 bytes
MD5 hash:  431d2ac68d63bbf30e3b5636ca1ae823
Detection ratio:  33 / 51
First submission:  2014-05-30 11:48:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/41b1a1ec61b2c8aa683f0310e3075d7d29d97fbe883d6e953ff2260417d38fe7/analysis/

 

ALERTS

ALERTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

Emerging Threats and ETPRO rulesets:

• 2014-06-08 18:15:00 UTC - 46.226.194[.]6:80 - ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014 (sid:2018440)
• 2014-06-08 18:15:05 UTC - 46.226.194[.]6:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
• 2014-06-08 18:15:08 UTC - 46.226.194[.]6:80 - ET CURRENT_EVENTS GoonEK encrypted binary (3) (sid:2018297)
• 2014-06-08 18:15:08 UTC - 46.226.194[.]6:80 - ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download (sid:2017998)
• 2014-06-08 18:15:14 UTC - 95.211.195[.]245:53 - ET CURRENT_EVENTS DNS Query Domain .bit (sid:2017645)
• 2014-06-08 18:16:48 UTC - 87.118.90[.]136:80 - ETPRO TROJAN Win32/Necurs Checkin 4 (sid:2808090)

Sourcefire VRT ruleset:

• 2014-06-08 18:15:08 UTC - 46.226.194[.]6:80 - EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download (sid:30934)
• 2014-06-08 18:15:08 UTC - 46.226.194[.]6:80 - EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (sid:30319)

 

SCREENSHOTS FROM THE TRAFFIC

Embedded javascript in page from compromised website:

 

Redirect pointing to Infinity EK:

 

Click here to return to the main page.