A couple of weeks ago at the FOX-IT SOC, we noticed Zuponcic attempting to infect one of our clients' protected networks. The incident was caused by a person visiting the website of Suriname’s Ministry of Finance, minfin.sr.

This post connects three recent developments in the realm of malware infections: .htaccess server compromise, the Zuponcic exploit kit and the Ponmocup botnet. It seems that the de facto standard of exploit kits is getting competition. Understanding how this exploit kit works will give you a better chance of defending against it and of identifying the .htaccess compromise on your server.

Looking back at clients that have been affected by Zuponcic, there has been a significant increase in compromised websites serving this kit starting June 2012, including some relatively big Dutch websites along the way, such as iphoneabonnementen.nl and tboek.nl.

This is interesting, as websites hosting this kit have to be compromised due to the nature of the redirects. It seems the trend of using compromised websites to attack users continues. As a side note, Zuponcic is not the actual name of this exploit kit; its real name is unknown. The first website it was found redirecting on was zuponcic.com, which is where the name came from.

Analysis of the attack

The way in which someone has to land on a compromised website for Zuponcic to become active is very carefully crafted, and the redirection process depends on multiple conditions. This process is started via an .htaccess file which is placed in every (sub)folder of the compromised host. This file makes sure the referrer is either a search engine, webmail or social media website, and that crawlers are not affected, by checking for known IPs and user-agents. A sample of this .htaccess file on a compromised server:

If all of these conditions are met, the victim is redirected to the Zuponcic landing page via one of the 60 redirection patterns a single .htaccess file has to offer. These redirect patterns try to follow the ones seen in legitimate advertising networks. They imitate URLs seen for OpenX, Google Ads and a lot of others, in order to mask the true purpose of the redirect. In the .htaccess file, the section with the fake advertisement URL redirects looks like this:
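One way to look for the .htaccess compromise described above, as an added example (not code from the original post): a Python scanner that flags any RewriteRule redirecting to an external URL behind an HTTP_REFERER condition, and records whether crawlers are excluded by user-agent or IP. The sample rules, host names and function names are constructed for illustration.

```python
import os
import re

# Constructed sample (not the real Zuponcic file): referrer-gated off-site redirect.
SAMPLE_BAD = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|facebook|mail\.) [NC]
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot|crawler) [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
RewriteRule ^(.*)$ http://ads.example.invalid/adserver/click.php?zone=1 [R=302,L]
"""
# Constructed benign sample: internal front-controller rewrite.
SAMPLE_OK = r"""
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php?q=$1 [L,QSA]
"""

def suspicious_blocks(text):
    """One finding per RewriteRule that sends referrer-selected visitors off-site."""
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()  # simple tokenizer: quoted arguments with spaces are not handled
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1].upper(), parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            gated = any("HTTP_REFERER" in var for var, _ in conds)
            skips_crawlers = any(pat.startswith("!") and ("USER_AGENT" in var or "REMOTE_ADDR" in var)
                                 for var, pat in conds)
            if gated and re.match(r"https?://", parts[2], re.I):
                findings.append({"line": lineno, "target": parts[2],
                                 "crawler_exclusion": skips_crawlers})
            conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

def scan_tree(root):
    """Map each .htaccess path under root to its findings (clean files are omitted)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = suspicious_blocks(fh.read())
            if found:
                hits[path] = found
    return hits
```

Run `scan_tree()` over the document root and treat hits as leads to review, since legitimate hotlink-protection rules can also test the referrer.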

Mapping this whole redirection scheme in a flowchart looks like this:

After the redirection process, Zuponcic carefully attempts to infect the victim; the type of attack depends on the victim's setup. The flow for the attack looks like this:

From what we have seen, Zuponcic only targets Java on the clients. Besides Java exploits, Zuponcic also tries to social engineer the user. When a victim does not have Java enabled or the browser used is not Internet Explorer, a ZIP file is presented. This file has to be downloaded and executed manually by the victim. To make the download seem appealing, a form of social engineering is used: the name of the ZIP file consists of two random trigger words in combination with the keyword(s) used in the search engine.

The attack initiated when a victim uses Internet Explorer 8, originally described on Malwageddon’s blog, uses a signed Java applet to perform a drive-by.

The Java applet is signed with a valid certificate which is most likely stolen. During the Zuponcic campaign three of these certificates have been spotted. The two certificates originally used belonged to Triton IT d.o.o (UserTrust) and R.P. InfoSystems (VeriSign). After both of these had expired, the switch was made to the certificate owned by “Kurz Instruments, Inc.” (GlobalSign), which is currently still being used:

We have seen the following 3 certificates being used on the different Java exploits used by Zuponcic:

Subject: Kurz Instruments, Inc.
Fingerprint: 8A:DC:2D:8B:B5:3C:DC:93:C9:80:C4:F6:C0:80:59:73:8B:88:19:16
Issuer: GlobalSign

Subject: R P Infosystems Pvt Ltd
Fingerprint: BB:48:74:0F:01:E6:7F:EE:A6:06:96:4B:D5:81:A7:30:BF:D0:54:D7
Issuer: VeriSign

Subject: iLoq Oy
Fingerprint: 76:90:09:5B:C3:FC:9F:9D:74:98:56:F6:E1:DD:22:C0:89:44:F7:F9
Issuer: VeriSign

If a victim uses Internet Explorer 10, a JAR file is sent to that person to be downloaded. The JAR, named with the same pattern as the ZIP file, contains the embedded payload. The payload is again RC4 encrypted. Interestingly enough, the key is based on the hash of the victim's IP. A snippet of this can be seen in the deobfuscated Java lines below:
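Added example, not the deobfuscated Java from the original post: because the RC4 key is derived from the victim's IP, the same payload is a different byte string for every victim, and an analyst needs the client IP from proxy or flow logs to recover it. The Python below assumes MD5 over the dotted-quad string as the key derivation, which the post does not specify; the payload, IPs and function names are constructed.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by keystream XOR (encrypt == decrypt)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def key_from_ip(ip: str) -> bytes:
    # ASSUMPTION: the post only says "hash of the victim's IP";
    # MD5 over the ASCII dotted-quad is a stand-in for the real derivation.
    return hashlib.md5(ip.encode("ascii")).digest()

def recover_payload(blob: bytes, candidate_ips):
    """Try each client IP from the logs; a Windows executable decrypts to an 'MZ' header."""
    for ip in candidate_ips:
        plain = rc4(key_from_ip(ip), blob)
        if plain[:2] == b"MZ":
            return ip, plain
    return None, None

# Constructed data: a harmless stand-in payload carrying only the PE magic bytes.
FAKE_PAYLOAD = b"MZ\x90\x00\x03" + b"constructed-test-payload"
BLOB_VICTIM_A = rc4(key_from_ip("198.51.100.23"), FAKE_PAYLOAD)
BLOB_VICTIM_B = rc4(key_from_ip("192.0.2.10"), FAKE_PAYLOAD)

if __name__ == "__main__":
    # Same payload, two victims: the encrypted blobs differ, so a hash of one will not match the other.
    print(BLOB_VICTIM_A.hex() != BLOB_VICTIM_B.hex())
    print(recover_payload(BLOB_VICTIM_A, ["192.0.2.10", "198.51.100.23"])[0])
```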

For all instances the payload is the same: Ponmocup. Hashes for the two signed Java exploits seen being used:

8d7028a0a0bf1e98fe90b5c3abb19059 (IE10.jar)

caa4cbe00c30458198a05a0cddddc1cd (IE8.jar)

Hashes for samples we have seen (they are repackaged almost every time so this list will keep growing):

Conclusion

The .htaccess compromise, Zuponcic and the Ponmocup campaign have all been described separately, but a connection has never been made between the three. From what we have seen, it seems Ponmocup is behind this exploit kit, as the only files ever seen being dropped from it are Ponmocup payloads. If you want to know more about Ponmocup, Tom Ueltschi has been investigating this botnet for a while now; read about it on his blog.

The number of websites seen redirecting to this exploit kit is not as big as for some of the others out there, but what stands out is the ranking of these sites. They all have a lot of traffic and appear as the first domains for many frequently used search queries. This correlates with their method of redirecting only users coming from search engines.

Maarten van Dantzig, Yonathan Klijnsma & Barry Weymes, Security Specialists at Fox-IT