SANS ISC: Internet Security | DShield

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Introduction

I've often had a hard time finding compromised websites to kick off an infection chain for the Neutrino exploit kit (EK).  During the past few months, we've usually seen Angler EK, Nuclear EK, or Rig EK instead.  But the situation changed by Wednesday 2015-08-19.  Earlier this week, we stopped finding as much Angler EK and started seeing a lot more traffic for Neutrino.

Our preliminary analysis indicates the actor behind a significant amount of Angler EK during recent months switched to Neutrino EK sometime this week.  We don't have enough data to know if this change is permanent.

This diary presents our preliminary analysis, and it looks at current URL patterns for Neutrino EK.  In this analysis, we examine changes in two infection chains kicked off by the same compromised website.  The same site that led to Angler EK last week is now causing Neutrino EK.

Preliminary results

The first traffic example from Thursday 2015-08-13 has Angler EK.  The second example from the same compromised website on Wednesday 2015-08-19 has Neutrino EK.

Similarities in the traffic indicate these were caused by the same actor.  In this comparison, two notable similarities were found:

1) Pages from this compromised website had the same injected code, but the iframe changed from an Angler EK landing URL to Neutrino EK.

2) Each time, the payload was CryptoWall 3.0 using 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as the bitcoin address for ransom payment.

I noticed this in a few other compromised websites that led to Angler EK traffic last week.  Most of them pointed to Neutrino when I checked within the past 24 hours.

Details

We used a compromised website named actionasia.com for this comparison.

EK traffic normally requires a referrer, and Google did not let us get to actionasia.com from its search results.  I had to get at the compromised website from a Bing search.  If Bing gives you a warning, it also gives you the option to proceed to the compromised site.  Google will not.

On Thursday 2015-08-13, this website had injected code with an iframe leading to Angler EK [1].  Six days later on Wednesday 2015-08-19, this website showed the same pattern of injected code, but the iframe pointed to a URL for Neutrino EK.  See the below images for comparison.

Shown above: Injected script with an iframe pointing to an Angler EK landing page.

Shown above: Same style of injected script 6 days later, this time pointing to Neutrino EK.

Post infection traffic in both cases reveals a CryptoWall 3.0 infection.  When checking the decrypt instructions for the ransom payment, the more recent CryptoWall 3.0 sample from Neutrino EK used the same bitcoin address as the Angler EK payload on 2015-08-13.  This is the same bitcoin address used by several CryptoWall 3.0 samples from Angler EK going back as early as 2015-07-01 [2].

Shown above: Bitcoin address from the CryptoWall 3.0 decrypt instructions on 2015-08-19 after the Neutrino EK infection.

Neutrino EK traffic

Infection traffic from Wednesday 2015-08-19 shows Neutrino EK on 185.44.105.7 over TCP port 3712.  Current URL patterns for Neutrino EK have evolved somewhat since it reappeared in December 2014 after a hiatus of several months [3].  These changes in Neutrino are relatively recent.  The EK's URLs are generally shorter than last month, and they show different patterns.

People have asked me why Neutrino EK uses a non-standard TCP port for its HTTP traffic.  I can only guess it's an attempt to avoid detection.

Shown above: Wireshark filtered to show URL patterns for Neutrino EK from the 2015-08-19 infection.

Below are images from the TCP streams for Neutrino EK on Wednesday 2015-08-19:

Shown above: Neutrino EK landing page.

Shown above: Neutrino EK sends a Flash exploit.

Shown above: Neutrino EK sends the malware payload, a CryptoWall 3.0 executable (encrypted).

A link to the Hybrid-Analysis.com report for the decrypted payload (CryptoWall 3.0) is here.  Below is a list of domains and HTTP requests from the pcap related to Neutrino EK sending CryptoWall 3.0:

Associated domains:

• actionasia.com - Compromised website
• 185.44.105.7 port 3712 - obvpd.mohgroup.xyz:3712 - Neutrino EK
• ip-addr.es - address check by CryptoWall 3.0 (not inherently malicious)
• 172.246.241.236 port 80 - grizzlysts.com - CryptoWall 3.0 callback traffic
• 46.108.156.176 port 80 - 6i3cb6owitcouepv.spatopayforwin.com - User checking the decrypt instructions

Traffic:

• 2015-08-19 16:40:07 UTC - actionasia.com - GET /
• 2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /bleed/fasten-22739002
• 2015-08-19 16:40:13 UTC - obvpd.mohgroup.xyz:3712 - GET /1998/06/02/audience/abandon/debate/hiss-happy-shore-enemy.html
• 2015-08-19 16:40:15 UTC - obvpd.mohgroup.xyz:3712 - GET /observation/d2V0cGNsaGtuYw
• 2015-08-19 16:40:18 UTC - obvpd.mohgroup.xyz:3712 - GET /dale/aHB0a2Vj
• 2015-08-19 16:40:22 UTC - ip-addr.es - GET /
• 2015-08-19 16:40:25 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?x=nyg80cl4x4
• 2015-08-19 16:40:27 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?z=7gh5okukgq5qtw
• 2015-08-19 16:40:31 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?t=d8limjgdeqca
• 2015-08-19 16:40:40 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?u=5cbq0udpvsjx
• 2015-08-19 16:40:45 UTC - 6i3cb6owitcouepv.spatopayforwin.com - GET /[random string]

Snort-based alerts on the traffic

I tried reading the pcap with the latest version of Snort (2.9.7.5) on a Debian 7 host using the snort registered rule set.  The subscriber rule set is more up-to-date, but the registered rule set is free.  Make sure to use pulledpork for keeping your rules up-to-date.  My results show alerts for CryptoWall during the post-infection traffic, and we also find an alert incorrectly identifying one of the EK URLs as Sweet Orange.  See the images below for details.

I also played back the pcap on Security Onion using Suricata and the EmergingThreats (ET) open rule set.  Like the snort registered rule set, the ET open rule set is free.  Remember to run sudo /usr/bin/rule-update to make sure your rules are up-to-date.  The results show alerts for Neutrino EK using signatures from earlier this month.  We also find alerts for CryptoWall 3.0.  See the images below for details.

Final words

If this change indicates a trend, we might see a large amount of compromised websites pointing to Neutrino EK, along with a corresponding drop in Angler EK traffic.  However, criminal groups using these EKs have quickly changed tactics in the past, and the situation may change by the time you read this.   We will continue to monitor the threat landscape and let the community know of any significant changes.

Traffic and malware from the analysis are listed below:

• Pcap and malware from the Thursday 2015-08-13 Angler EK infection is available here.
• A pcap of the Neutrino EK traffic from Wednesday 2015-08-19 is available here.
• ​A zip archive containing the Neutrino EK flash exploit and malware payload (CryptoWall 3.0) is available here.

The zip archive is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2015/08/13/index.html
[2] https://isc.sans.edu/diary/Another+example+of+Angler+exploit+kit+pushing+CryptoWall+30/19863/
[3] https://isc.sans.edu/diary/Exploit+Kit+Evolution+Neutrino/19283