Starting on Wednesday, 31 July 2013, at 18:54:50, Fox-IT's monitoring system detected a redirect occurring on telegraaf.nl. It was another case of advertisement provider abuse.

One of the advertisement providers loaded ads from an outside resource, which returned an exploit kit named "FlimKit".

After the first redirect was removed from telegraaf.nl, a second exploit kit redirect appeared, dropping a similar payload with a different hash. A list of the dropped samples follows.

Payloads:

Java exploits seen used:

MD5 hashes of all samples seen:

a5df4884c44a4c812a4cc7a1c133238e

0e12760912ffeb6febe1bb790169eb35

a516e257177d6aa3d7edf3ff80c88304

dda3b490cd01690e12b280e5bb935bce

The HTTP requests for a client looked as follows:

"GET hxxp://www.telegraaf.nl/ HTTP/1.1" - -

"GET hxxp://s.ads1337.com/s4a2npr35gmiogggggw0w0g8cw HTTP/1.1" - - "hxxp://www.telegraaf.nl/"

"GET hxxp://youradserv.com/adserver/cpvload2.php HTTP/1.1" - - "hxxp://s.ads1337.com/s4a2npr35gmiogggggw0w0g8cw"

"GET hxxp://sopixocyz.nl/0ha4hiozw1dzxegaehdg HTTP/1.1" - - "hxxp://youradserv.com/adserver/cpvload2.php"
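The request chain above is reconstructed from the Referer header: each hop names the page that loaded it, so a monitoring system can walk from the publisher's front page through the ad servers to the final host. The following is an added example, not code from the post or from Fox-IT's monitoring system. It parses log lines in the format shown above (request line, two placeholder fields, quoted Referer) and follows the Referer values hop by hop; the log lines are constructed from the requests listed above, and the `hxxp` defanging is undone before parsing.

```python
"""Reconstruct a malvertising redirect chain from proxy log lines.

Added example, not code from the post: it parses request lines in the
format the post shows (request, two placeholder fields, Referer) and
follows Referer values hop by hop from the publisher page to the final
host, which in this incident was the exploit kit domain.
"""
import re
from urllib.parse import urlparse

# Constructed log lines modelled on the client requests in the post.
# "hxxp" is the defanged form of "http" used throughout the post.
LOG_LINES = [
    '"GET hxxp://www.telegraaf.nl/ HTTP/1.1" - -',
    '"GET hxxp://s.ads1337.com/s4a2npr35gmiogggggw0w0g8cw HTTP/1.1" - - "hxxp://www.telegraaf.nl/"',
    '"GET hxxp://youradserv.com/adserver/cpvload2.php HTTP/1.1" - - "hxxp://s.ads1337.com/s4a2npr35gmiogggggw0w0g8cw"',
    '"GET hxxp://sopixocyz.nl/0ha4hiozw1dzxegaehdg HTTP/1.1" - - "hxxp://youradserv.com/adserver/cpvload2.php"',
]

LINE_RE = re.compile(
    r'^"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"'   # request line
    r'(?: \S+ \S+)?'                                     # two placeholder fields ("- -")
    r'(?: "(?P<referer>[^"]*)")?\s*$'                    # optional quoted Referer
)


def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// so urlparse understands it."""
    return re.sub(r"^hxxp", "http", url)


def parse_line(line):
    """Parse one log line into method, URL and Referer; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ref = m.group("referer")
    return {
        "method": m.group("method"),
        "url": refang(m.group("url")),
        "referer": refang(ref) if ref else None,
    }


def hostname(url):
    return urlparse(url).hostname or ""


def build_chain(lines, start_host):
    """Follow Referer links from the first request to start_host; return the hostnames visited in order.

    A request whose Referer equals the URL of the current hop is taken as the next hop;
    the walk stops when no unvisited request points back at the current URL.
    """
    records = [r for r in (parse_line(l) for l in lines) if r]
    by_referer = {}
    for r in records:
        if r["referer"]:
            by_referer.setdefault(r["referer"], []).append(r)

    roots = [r for r in records if r["referer"] is None and hostname(r["url"]) == start_host]
    if not roots:
        return []

    chain = [roots[0]["url"]]
    seen = {chain[0]}
    while True:
        candidates = [r for r in by_referer.get(chain[-1], []) if r["url"] not in seen]
        if not candidates:
            break
        chain.append(candidates[0]["url"])
        seen.add(candidates[0]["url"])
    return [hostname(u) for u in chain]


def landing_host(lines, start_host):
    """Hostname of the last hop in the chain (the exploit kit domain in this case), or None."""
    chain = build_chain(lines, start_host)
    return chain[-1] if chain else None


if __name__ == "__main__":
    print(" -> ".join(build_chain(LOG_LINES, "www.telegraaf.nl")))
```

Run against the constructed lines it prints `www.telegraaf.nl -> s.ads1337.com -> youradserv.com -> sopixocyz.nl`. On real proxy logs, group lines per client first; the Referer chain only holds within one browser session, and a publisher page with many ad slots will fan out into several chains, of which only the one ending on an unfamiliar host is of interest.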

The "sopixocyz" domain hosted the exploit kit. The exploit kit domains are produced by a form of DGA (domain generation algorithm); the following shows an analysis run done on a virtual machine:

"GET hxxp://youradserv.com/adserver/cpvload2.php HTTP/1.1"

"GET hxxp://ubaduroqi.nl/gk1mxwyeskomx9vohca HTTP/1.1" - - "hxxp://youradserv.com/adserver/cpvload2.php"

"GET hxxp://static.avast.com/web/i/form-close.png HTTP/1.1" - - "hxxp://ubaduroqi.nl/gk1mxwyeskomx9vohca"

"GET hxxp://youradserv.com/favicon.ico HTTP/1.1"

"GET hxxp://ubaduroqi.nl/m2d1yiscwd HTTP/1.1"

"GET hxxp://ubaduroqi.nl/79dffb97cdemt7z7dtrwcysmb9.jar HTTP/1.1"

"GET hxxp://ubaduroqi.nl/m2d1yiscwd HTTP/1.1"

"GET hxxp://ubaduroqi.nl/m2d1yiscwd HTTP/1.1"

"GET hxxp://ubaduroqi.nl/fc43a11b2f0maovn8u9ieje7 HTTP/1.1"

"GET hxxp://obofonaxy.nl/X3SE7pFtYnh5Lm1tb2JvZm9DYXh5Lm4= HTTP/1.1"

Java was targeted for the attack using CVE-2012-1723 and CVE-2013-2423. The files dropped by this kit were (in our case, filenames are randomized):

rysxtbciqycmxeedc.dll

rysxtbciqycmxeedc.exe

After running, the user is presented with the following window, which blocks any interaction with the rest of the desktop:

The odd part is that the whole operation is hosted on NL-based servers and the DGA domains are also .nl, which is quite rare.

The IPs involved in the exploit kit and payload domains are:

128.204.202.41

46.182.106.96

A small sample of the DGA domains we encountered:

aqaxiboqe.nl

codudiref.nl

ducyqaxas.nl

fojavexuz.nl

obofonaxy.nl

obyfyfexe.nl

ubaduroqi.nl

sopixocyz.nl
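Every sample domain above is a nine-letter lowercase .nl label whose letters strictly alternate between consonants and vowels (counting "y" as a vowel), which is what makes them look pronounceable yet meaningless. The following is an added example, not code from the post, that turns that observation into a hunting heuristic for proxy or DNS logs. The alternation rule is an assumption drawn from the listed samples, not the kit's actual generation algorithm, which the post does not describe; the benign hosts used as negatives are the other hosts from the request chains above.

```python
"""Heuristic for the DGA hostnames seen in this FlimKit campaign.

Added example, not code from the post. The rule is derived from the
sample domains the post lists: each is a nine-letter, lowercase .nl
label whose letters strictly alternate between consonants and vowels
(with 'y' counted as a vowel). That pattern is an observation about
these samples, not the kit's actual generation algorithm, which the
post does not describe.
"""
VOWELS = set("aeiouy")

# Sample DGA domains listed in the post, and benign hosts from the same request chains
SAMPLE_DGA = [
    "aqaxiboqe.nl", "codudiref.nl", "ducyqaxas.nl", "fojavexuz.nl",
    "obofonaxy.nl", "obyfyfexe.nl", "ubaduroqi.nl", "sopixocyz.nl",
]
BENIGN = ["www.telegraaf.nl", "s.ads1337.com", "youradserv.com", "static.avast.com"]


def alternates_cv(label):
    """True if the label is all ASCII lowercase letters whose consonant/vowel class flips at every position."""
    if not label or not label.isascii() or not label.isalpha() or not label.islower():
        return False
    classes = [c in VOWELS for c in label]
    return all(a != b for a, b in zip(classes, classes[1:]))


def registrable_label(hostname, tld="nl"):
    """Second-level label of hostname if it ends in the given TLD, else None."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] != tld:
        return None
    return parts[-2]


def looks_like_flimkit_dga(hostname, length=9):
    """Flag nine-letter alternating consonant/vowel .nl labels (the pattern of the listed samples)."""
    label = registrable_label(hostname)
    return label is not None and len(label) == length and alternates_cv(label)


def flag_hosts(hostnames):
    """Return the subset of hostnames matching the heuristic, preserving order."""
    return [h for h in hostnames if looks_like_flimkit_dga(h)]


if __name__ == "__main__":
    for h in SAMPLE_DGA + BENIGN:
        print(f"{h:20s} {'DGA?' if looks_like_flimkit_dga(h) else 'ok'}")
```

Note that "telegraaf" is also nine letters and also ends in .nl; it is rejected only because "gr" and "aa" break the alternation. Legitimate nine-letter alternating .nl names do exist, so treat a match as a pivot to be combined with the Referer chain and the hosting IPs listed above, not as a standalone blocklist.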

Cleanup

Because the malware blocks all interaction with the desktop and modifies various registry keys, it is quite hard to clean up, whether manually or in an automated fashion.

There is, however, a way to stop the malware from running so that you can back up your files and reinstall.

This will only work if another account is available on the machine. Reboot the machine in safe mode with networking and log in as the other user. Logging in with your own user will make the machine reboot on logon; the malware does this.

Once logged in, you can locate the binaries in %temp%, which is where the exploit kit dropped them: %systempath%\temp\<random filename>.exe (%systempath% is the Windows folder on your main drive).

Remove, move or rename those files and reboot the machine. After the reboot, the desktop appears without Explorer running, with only a command prompt showing an error. This is the malware failing to start:

Run “explorer” in the command prompt in order to get the taskbar and file browser back. Start backing up files and reinstall the machine when done.
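When identifying which files in the temp folder to remove, or when checking a backup afterwards, two things from this write-up can be matched against: the published MD5 hashes, and the fact that the dropper arrives as an .exe and a .dll sharing one random filename stem. The following is an added example, not code from the post or a Fox-IT tool, meant to be run from an analysis machine against a copy of the temp folders (or a mounted disk image) rather than on the infected host. It hashes every executable in a folder, reports hash matches against the list above, and reports .exe/.dll pairs with a shared stem. The sandbox folder it builds for the demonstration contains constructed placeholder files, not malware, so one constructed hash is added to the known set purely to exercise the match path.

```python
"""Sweep a folder for the dropped FlimKit payloads.

Added example, not code from the post. It hashes every .exe/.dll in a
directory, reports files whose MD5 is in the published list, and also
reports .exe/.dll pairs that share a stem, which is how the dropped pair
(rysxtbciqycmxeedc.dll / rysxtbciqycmxeedc.exe) appeared in %temp%.
"""
import hashlib
import os
import shutil
import tempfile

# MD5 hashes published in the post
KNOWN_MD5 = {
    "a5df4884c44a4c812a4cc7a1c133238e",
    "0e12760912ffeb6febe1bb790169eb35",
    "a516e257177d6aa3d7edf3ff80c88304",
    "dda3b490cd01690e12b280e5bb935bce",
}

EXECUTABLE_EXTS = {".exe", ".dll"}


def md5_file(path):
    """MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(directory, known_md5=KNOWN_MD5):
    """Return (hash_hits, paired_stems): filenames matching known hashes, and stems present as both .exe and .dll."""
    hash_hits = []
    stems = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name.lower())
        if ext not in EXECUTABLE_EXTS:
            continue
        if md5_file(entry.path) in known_md5:
            hash_hits.append(entry.name)
        stems.setdefault(stem, set()).add(ext)
    paired = sorted(s for s, exts in stems.items() if exts == EXECUTABLE_EXTS)
    return sorted(hash_hits), paired


def demo():
    """Build a constructed sandbox folder (placeholder bytes, not malware) and sweep it."""
    d = tempfile.mkdtemp()
    try:
        samples = {
            "rysxtbciqycmxeedc.exe": b"constructed placeholder A",
            "rysxtbciqycmxeedc.dll": b"constructed placeholder B",
            "notepad.exe": b"constructed benign placeholder",
            "readme.txt": b"text file, ignored by the sweep",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The placeholders cannot carry the real hashes, so add the hash of one
        # constructed file to the known set to exercise the hash-match path.
        known = KNOWN_MD5 | {hashlib.md5(samples["rysxtbciqycmxeedc.exe"]).hexdigest()}
        return sweep(d, known)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    hits, pairs = demo()
    print("hash matches:", hits)
    print("exe/dll pairs:", pairs)
```

Hash matching only catches the exact samples listed here; the post already notes that the second redirect dropped a payload with a different hash, so the shared-stem check is the more durable of the two signals for this family. A shared .exe/.dll stem is unusual in a temp folder but not impossible for legitimate installers, so review the pair before deleting.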

The malware makes various edits in the registry, and cleaning up all of these is time consuming and not necessarily successful. This method does, however, allow file backups.

Alternatively you can use HitmanPro.Kickstart to clean up your PC.

Yonathan Klijnsma, Security Specialist at Fox-IT