2014-11-13 - FIESTA EK FROM 205.234.186.110 - BETAMEDSEARCH.IN

ASSOCIATED FILES:

• ZIP of the pcap:  2014-11-13-Fiesta-EK-traffic.pcap.zip
• ZIP of the malware:  2014-11-13-Fiesta-EK-malware.zip

 

NOTES:

• Since early- to mid-October 2014, the gate used by this actor (normally pointing to Fiesta EK) moved to 94.242.216.64.
• Currently, this gate leads to Fiesta EK from the 205.234.186.0/24 range.  So far, I've seen 205.234.186.109 and 205.234.186.110.
• Because of recent changes in Fiesta, I'm not seeing as many EmergingThreats signatures as before; however, they still do a good job catching this exploit kit.
• I didn't see any VRT signatures trigger on today's Fiesta EK patterns, although VRT did catch the post-infection traffic.

 

BLOG ENTRIES ON FIESTA WITH CURRENT PATTERNS FROM THIS ACTOR:

• 2014-10-26 - Fiesta EK from 205.234.186.109 - hematitetekki.biz
• 2014-11-01 - Fiesta EK from 205.234.186.109 - conocarpusgeorgsimonohm.us
• 2014-11-13 - Fiesta EK from 205.234.186.110 - betamedsearch.in

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 69.167.176.10 - www.autogeekonline.net - Compromised website
• 94.242.216.64 - evgeneevich.com - Redirect/gate
• 205.234.186.110 - betamedsearch.in - Fiesta EK

• 79.142.66.239 - report.5i5qg5iq5w5u5m5.com - Post-infection traffic triggering Simda alerts
• 5.149.248.152 - report.5i5qg5iq5w5u5m5.com - Post-infection traffic triggering Simda alerts
• 5.149.248.152 - update.8kxkslrbaw.com - Post-infection traffic triggering Simda alerts
• 5.149.248.152 - update.roighh5.com - Post-infection traffic triggering Simda alerts

 

COMPROMISED WEBSITE AND REDIRECT:

• 2014-11-13 14:29:15 UTC - www.autogeekonline.net - GET /
• 2014-11-13 14:29:16 UTC - evgeneevich.com - GET /?JqE_1T=dzM68L8qt16uTdl&_3D=al8RXeLv1r8fhf&lnqwO=UbVSfM8jGfJaiP3t4j&CPW7g=dXK2W9gb30OaN&
  ifY=t3ssf1W0qRd3Vi1

 

FIESTA EK:

• 2014-11-13 14:29:34 UTC - betamedsearch.in - GET /die9a2r1/imN1WB1xr70SFoh10hsP
• 2014-11-13 14:29:36 UTC - betamedsearch.in - GET /die9a2r1/36a0e651488d0fb80600580b570d0406030f58035e025701080355065155050606;120000;38
• 2014-11-13 14:29:38 UTC - betamedsearch.in - GET /die9a2r1/1ffdcd8fbfa33bf952160d5f515f0951015f5f5758505a560a5352525707085104;7
• 2014-11-13 14:29:44 UTC - betamedsearch.in - GET /die9a2r1/1ffdcd8fbfa33bf952160d5f515f0951015f5f5758505a560a5352525707085104;7;1
• 2014-11-13 14:29:46 UTC - betamedsearch.in - GET /die9a2r1/0ff8eb02b9304f66430a100357590105005f5f0b5e5652020b53520e5101000505;4060310
• 2014-11-13 14:29:50 UTC - betamedsearch.in - GET /die9a2r1/1f8cf5515dc1b13d5b085458540e0406015f01505d0157010a530c555256050604
• 2014-11-13 14:29:50 UTC - betamedsearch.in - GET /die9a2r1/24212c821bd141645346530a00580905020d0b0209575a02090106070600080507
• 2014-11-13 14:29:50 UTC - betamedsearch.in - GET /die9a2r1/33ea749fbfa33bf950430e5a050f0851030a5c520c005b56080651570357095106;5
• 2014-11-13 14:29:56 UTC - betamedsearch.in - GET /die9a2r1/33ea749fbfa33bf950430e5a050f0851030a5c520c005b56080651570357095106;5;1
• 2014-11-13 14:29:57 UTC - betamedsearch.in - GET /die9a2r1/46b24a99e839237c5b590009065a080e040f5b010f555b090f0356040002090101
• 2014-11-13 14:29:57 UTC - betamedsearch.in - GET /die9a2r1/24212c821bd141645346530a00580905020d0b0209575a02090106070600080507
• 2014-11-13 14:29:57 UTC - betamedsearch.in - GET /die9a2r1/46b24a99e839237c5b590009065a080e040f5b010f555b090f0356040002090101
• 2014-11-13 14:29:58 UTC - betamedsearch.in - GET /die9a2r1/24212c821bd141645346530a00580905020d0b0209575a02090106070600080507
• 2014-11-13 14:29:58 UTC - betamedsearch.in - GET /die9a2r1/24212c821bd141645346530a00580905020d0b0209575a02090106070600080507
• 2014-11-13 14:29:59 UTC - betamedsearch.in - GET /die9a2r1/1f8cf5515dc1b13d5b085458540e0406015f01505d0157010a530c555256050604
• 2014-11-13 14:30:00 UTC - betamedsearch.in - GET /die9a2r1/1f8cf5515dc1b13d5b085458540e0406015f01505d0157010a530c555256050604

 

POST-INFECTION TRAFFIC:

• 2014-11-13 14:29:44 UTC - report.5i5qg5iq5w5u5m5.com - GET /?c3sKUO31=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:29:45 UTC - report.5i5qg5iq5w5u5m5.com POST /
• 2014-11-13 14:29:45 UTC - update.8kxkslrbaw.com - GET /?rk=kayolpfanl6epN2j2aWlyMKplJeon9ek[long string of characters]
• 2014-11-13 14:29:46 UTC - report.5i5qg5iq5w5u5m5.com - GET /?E7a343=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:29:47 UTC - report.5i5qg5iq5w5u5m5.com - GET /?1oCE1a920=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:29:47 UTC - report.5i5qg5iq5w5u5m5.com - GET /?sK1yW312=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:14 UTC - report.5i5qg5iq5w5u5m5.com - GET /?17wS113=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:15 UTC - report.555aa555s5e55ku.com - GET /?5yWS5e531=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:16 UTC - report.555aa555s5e55ku.com POST /
• 2014-11-13 14:30:16 UTC - update.roighh5.com - GET /?5o=kayolpfanl7YqM6fzqFolMSh06mplsOonWa[long string of characters]
• 2014-11-13 14:30:16 UTC - report.555aa555s5e55ku.com - GET /?7u31i9q43=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:17 UTC - report.555aa555s5e55ku.com - GET /?31qG330=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:17 UTC - report.555aa555s5e55ku.com - GET /?7931c9317=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:17 UTC - report.555aa555s5e55ku.com - GET /?9gM7958=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:18 UTC - report.555aa555s5e55ku.com - GET /?55uOC55=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:23 UTC - report.555aa555s5e55ku.com - GET /?93mY916=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:34 UTC - report.555aa555s5e55ku.com - GET /?1c93uO909=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:45 UTC - www.bing.com - GET /chrome/report.html?K79g=%9B%EE%EDk%D9%DF%A5%8D%[long string of characters]
• 2014-11-13 14:30:46 UTC - report.555aa555s5e55ku.com - GET /?SK3y25=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:46 UTC - report.555aa555s5e55ku.com - GET /?55aAA5k57=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:46 UTC - report.555aa555s5e55ku.com - GET /?555q563=%96%9C%A8%A1%A8%DAge%[long string of characters]
• 2014-11-13 14:30:47 UTC - report.555aa555s5e55ku.com - GET /?yW7u3m18=%96%9C%A8%A1%A8%DAge%[long string of characters]

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-11-13-Fiesta-EK-flash-exploit.swf
File size:  9.8 KB ( 9985 bytes )
MD5 hash:  02b2aded61ec929eb8eab6302d51e707
Detection ratio:  3 / 53
First submission:  2014-11-10 17:18:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ab0a02f5c802bd38fc04d2764492a42cfe5016c8242b58453686200fbe208e80/analysis/

 

JAVA EXPLOIT

File name:  2014-11-13-Fiesta-EK-java-exploit.jar
File size:  7.9 KB ( 8085 bytes )
MD5 hash:  4ae884b9caa02524fab8bdd248dec92f
Detection ratio:  4 / 54
First submission:  2014-11-13 15:44:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/10973e16a16ad7c195634e26bc24ca3cbdab5abf8fc7ebda04159f2b6f5cb2d7/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-11-13-Fiesta-EK-silverlight-exploit.xap
File size:  9.5 KB ( 9773 bytes )
MD5 hash:  457c896b32cbf52db3397953bc26efee
Detection ratio:  5 / 55
First submission:  2014-11-13 15:45:14 UTC
VirusTotal link:  https://www.virustotal.com/en/file/718f92a945837ea7a11278db19733d42cb38b393dc17a8167a2eeb7657261496/analysis/

 

MALWARE PAYLOAD

File name:  2014-11-13-Fiesta-EK-malware-payload.exe
File size:  673.0 KB ( 689152 bytes )
MD5 hash:  03384d3b5731e29d9345f274efce3653
Detection ratio:  3 / 52
First submission:  2014-11-13 15:45:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/8737344b728c4245c0ca89f884de1fea2e6fda328673166c2ba171ada12d612c/analysis/
Malwr link:  https://malwr.com/analysis/MmFlNmRmYWI5ZTEzNGZhNjhkZWUxMWU2NmM1YTNlMDE/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil after using tcpreplay on the pcap in Security Onion (not including ET INFO or ET POLICY rules):

• 205.234.186.110:80 - 192.168.137.22:50426 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (sid:2018411)
• 192.168.137.22:50426 - 205.234.186.110:80 - ET CURRENT_EVENTS Fiesta Flash Exploit URI Struct (sid:2019612)
• 192.168.137.22:50426 - 205.234.186.110:80 - ET CURRENT_EVENTS Fiesta URI Struct (sid:2018407)
• 192.168.137.22:50430 - 79.142.66.239:80 - ET TROJAN Simda.C Checkin (sid:2016300)
• 192.168.137.22:50432 - 5.149.248.152:80 - ETPRO TROJAN Backdoor.Win32.Simda.abpn Checkin (sid:2807145)
• 205.234.186.110:80 - 192.168.137.22:50428 - ET CURRENT_EVENTS Fiesta SilverLight 4.x Exploit URI Struct (sid:2019623)
• 192.168.137.22:50428 - 205.234.186.110:80 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download (sid:2018409)
• 205.234.186.110:80 - 192.168.137.22:50436 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (sid:2017509)
• 192.168.137.22:50436 - 205.234.186.110:80 - ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii (sid:2014912)
• 205.234.186.110:80 - 192.168.137.22:50440 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass (sid:2800029)

Signature hits from the Sourcefire VRT ruleset after reading the pcap in Snort 2.9.6.2 on Debian 7:

• 2014-11-13 14:29:16 UTC - 69.167.176.10:80 - 192.168.137.22:50318 - [1:32481:1] POLICY-OTHER Remote non-JavaScript file found in script tag src attribute
• 2014-11-13 14:29:16 UTC - 69.167.176.10:80 - 192.168.137.22:50318 - [120:6:1] (http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
• 2014-11-13 14:29:41 UTC - 205.234.186.110 - 192.168.137.22 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
• 2014-11-13 14:29:44 UTC - 192.168.137.22:various - 79.142.66.239:80 - [1:22937:5] MALWARE-CNC Win.Trojan.Proxyier variant outbound connection (x17)
• 2014-11-13 14:29:45 UTC - 192.168.137.22:various - 5.149.248.152:80 - [1:26212:2] MALWARE-CNC Win.Trojan.Proxyier variant outbound connection (x2)
• 2014-11-13 14:30:45 UTC - 192.168.137.22:50473 - 204.79.197.200:80 - [1:20661:4] MALWARE-CNC Simbda variant outbound connection

 

SCREENSHOTS FROM THE TRAFFIC

Malicious javascript in page from compromised website:

 

Redirect (gate) pointing to Fiesta EK:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-11-13-Fiesta-EK-traffic.pcap.zip
• ZIP of the malware:  2014-11-13-Fiesta-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.