2014-08-20 - SWEET ORANGE EK FROM 95.163.121[.]188 - CDN.SEEFOO[.]CO:16122 AND CDN3.SEEFOO[.]NET:16122

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-08-20-Sweet-Orange-EK-traffic.pcap.zip
• 2014-08-20-Sweet-Orange-EK-malware-and-artifacts.zip

 

NOTES:

• The infected VM was running IE 8 and was infected using a CVE-2013-2551 MSIE exploit.
• No other exploits were noted in the exploit kit traffic.
• I added port 16122 to the $HTTP_PORTS variable in the config files for Snort and Security Onion, because this port has been routinely used by Sweet Orange EK.

 

PREVIOUS BLOG ENTRIES ON SWEET ORANGE EK:

• 2014-08-18 - Sweet Orange EK from 95.163.121[.]188 - google.chagwichita[.]com:16122 and google.ajdistributor[.]com:16122
• 2014-07-24 - Sweet Orange EK from 94.185.82[.]194 - cdn.abistra[.]co:16122 and cdn.georgicapartners[.]com:16122
• 2014-07-08 - Sweet Orange EK from 94.185.82[.]199 - cdn.ahastore[.]net:16122
• 2014-06-28 - Sweet Orange EK from 94.185.80[.]43 - nulaptra.indolocker[.]com:8590 and tyjalos.tornado-365[.]com:8590
• 2014-06-12 - Sweet Orange EK from 82.118.17[.]172 - img.blueprint-legal[.]com:16122 and img.lawandmarket[.]org:16122
• 2014-05-05 - Sweet Orange EK from 93.171.173[.]113 - 124124.ttl60[.]com (port 80)
• 2014-04-20 - Sweet Orange EK from 195.16.88[.]159 - seek7er.epicgamer[.]org:9290 and seek12er.shellcode[.]eu:9290
• 2014-02-04 - Sweet Orange EK from 82.146.54[.]38 - destingshugo[.]us:60012
• 2014-01-26 - Sweet Orange EK from 82.146.35[.]151 - drydgetypess[.]us and likestwittersfoll[.]us (port 80)

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 192.187.108[.]34 - thingkid[.]com - Compromised website
• 50.87.147[.]43 - src.sandcastlesmagazine[.]com - Redirect
• 95.163.121[.]188 - cdn.seefoo[.]co:16122 and cdn3.seefoo[.]net:16122 - Sweet Orange EK

 

COMPROMISED WEBSITE AND REDIRECT CHAIN:

• 23:49:19 UTC - 192.187.108[.]34:80 - thingkid[.]com - GET /
• 23:49:22 UTC - 192.187.108[.]34:80 - thingkid[.]com - GET /wp-content/themes/vastkid.com/js/jquery.jcarousel.min.js
• 23:49:23 UTC - 50.87.147[.]43:80 - src.sandcastlesmagazine[.]com - GET /k?t=1713634574

 

SWEET ORANGE EK:

• 23:50:04 UTC - 95.163.121[.]188:16122 - cdn.seefoo[.]co:16122 - GET /dict/stuff/stargalaxy.php?nebula=3
• 23:50:09 UTC - 95.163.121[.]188:16122 - cdn3.seefoo[.]net:16122 - GET /cars.php?radio=297&ports=446&timeline=4&voip=10&image=171&
  java=319&blue=44&rates=619
• 23:50:20 UTC - 95.163.121[.]188:16122 - cdn.seefoo[.]co:16122 - GET /dict/stuff/applet.jnlp
• 23:50:20 UTC - 95.163.121[.]188:16122 - cdn.seefoo[.]co:16122 - GET /dict/stuff/testi.jnlp
• 23:50:21 UTC - 95.163.121[.]188:16122 - cdn.seefoo[.]co:16122 - GET /dict/stuff/applet.jnlp
• 23:50:21 UTC - 95.163.121[.]188:16122 - cdn.seefoo[.]co:16122 - GET /dict/stuff/testi.jnlp
• 23:50:21 UTC - 95.163.121[.]188:16122 - cdn.seefoo[.]co:16122 - GET /dict/stuff/applet.jnlp
• 23:50:21 UTC - 95.163.121[.]188:16122 - cdn.seefoo[.]co:16122 - GET /dict/stuff/testi.jnlp

 

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD:

File name:  2014-08-20-Sweet-Orange-EK-malware-payload.exe
File size:  245,760 bytes
MD5 hash:  79f3ce6a26e9d0b559f0218ef55abf25
Detection ratio:  15 / 53
First submission:  2014-08-20 17:52:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1e75f0c6016c79fce9bc300ae37696d1cde01eb5f273e4d4098b1569a36eab36/analysis/

 

ALERTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 2014-08-20 23:49:23 UTC - 192.187.108[.]34:80 - ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage (sid:2012119)
• 2014-08-20 23:50:04 UTC - 95.163.121[.]188:16122 - ET CURRENT_EVENTS Sweet Orange EK CDN Landing Page (sid:2018786)
• 2014-08-20 23:50:20 UTC - 95.163.121[.]188:16122 - ET CURRENT_EVENTS Sweet Orange EK Common Java Exploit (sid:2018583)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS:

• 2014-08-20 23:49:23 UTC - 192.187.108[.]34:80 - [1:23481:4] INDICATOR-OBFUSCATION hex escaped characters in setTimeout call
• 2014-08-20 23:50:20 UTC - 95.163.121[.]188:16122 - [1:30960:1] EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request (x3)

 

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript from compromised website (the second highlighted portion shows the redirect URL, partially obfuscated using hex encoding):

 

Redirect pointing to Sweet Orange EK landing page:

 

Sweet Orange EK landing page with what I assume is the CVE-2013-2551 MSIE exploit, obfuscated (full text is included in the malware zip file):

 

Sweet Orange EK delivering the malware payload:

 

Click here to return to the main page.