Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Fiesta Exploit Kit: Live Infection

SAMEER PATIL

September 29, 2014 - 6 min read

Security Insights

Contents

Article
More blogs

During our daily hunt for Exploit Kits (EK), we came across many live Fiesta exploit chains.

The infection started from the following compromised domains:

orpi.com
soyentrepreneur.com
interfacelift.com

Compromised sites:

The attackers often leverage compromised sites to serve as the first level of redirection in the EK infection cycle. In the first Fiesta EK instance that we analyzed, the attacker after getting the root access has modified the “scripts.js” file present at location:

hxxp://www[.]media[.]orpi[.]com/js/scripts.js

All the pages importing this JavaScript file will redirect the user to "nvplus[.]com/wp-content/".

Another variation of the initial loading page redirection was observed in the compromised site “interfacelift[.]com” at the following location:

hxxp://interfacelift[.]com/wallpaper/downloads/date/any/

In this case the attacker added a

hxxp://sunduk[.]biz/forum/docs/

A third variation of the initial redirection was observed on the compromised site

"soyentrepreneur[.]com", where the attacker created a new JavaScript file “funcionesCarga.js” at the following locations:

hxxp://www[.]soyentrepreneur[.]com/assets/js/funcionesCarga.js
hxxp://www[.]soyentrepreneur[.]com/assets/js/se2013/funcionesCarga.js

The website pages importing these JavaScript files will redirect the user to the Fiesta loading site.

All three initial redirection methods are fairly stealth and can remain unnoticed for days to the web administrators. We found this approach to be more effective and completely opposite from a RIG EK compromise that we recently analyzed where the attacker changed the home page of the website to ensure redirection.

Fiesta EK:

Some of the recent live Fiesta EK loading sites found in the wild are:

nvplus[.]com/wp-content/
son-ko[.]com/scripts/bundles/login.php
sunduk[.]biz/forum/docs/login.php
toringaz[.]com/images/
barferoase[.]de/blog/wp-content/themes/
www.artlen[.]com/assets/cache/rss/
www.courieru[.]com/cache/joomsef/
www.roofstroy[.]com/stroy/js.php
ticketstolisbon[.]com/dumper/
cic.com[.]ua/dok/
talktyme[.]com/flash/

Apart from the usual EK redirection chain, it checks for the user's browser as well as presence of application plugins for Microsoft Silverlight and Adobe Flash.

It checks if Silverlight plugin is installed by creating the following ActiveXObject object:

ActiveXObject("AgControl.AgControl")

The presence of Flash plugin is ensured by creating the following object:

swfobject.embedSWF()

If both the above object creation functions generate an exception, then the exploit cycle terminates. But if the vulnerable versions are found, it takes the user to the EK landing page.

Redirection to Fiesta EK Landing page

Fiesta Landing Page:

Initially, the malicious Silverlight and Flash files are downloaded for which the plugin checks have already been performed.

AV detection for the downloaded malicious files:

rtu.swf: 2/55 (Generic Exploit)
rtp.xap: 2/54 (CVE-2013-0074)

Following this, the main controller of Fiesta EK is called. Example in one of the Fiesta EK instance we analyzed:

hxxp://hjwqk.ianlar[.]in/pofrj4l/1

It generates the following GET requests to the same domain during the course of the Exploit cycle:

· hxxp://hjwqk.ianlar[.]in/pofrj4l/321eabf3f523be344045575e50595404020b045e5500560806060006515a5e04;120000;0

· hxxp://hjwqk.ianlar[.]in/pofrj4l/6ea46961ad8578015717000f07020406075c540f025b060a0351505706010e06

· hxxp://hjwqk.ianlar[.]in/pofrj4l/7a77e441c530b7c15419520c540f06060658020c5156040a02550654550c0c06;1;2@@

· hxxp://hjwqk.ianlar[.]in/pofrj4l/1b88a025c530b7c1521a5d03500b0002005b0d035552020e0456095b51080a02;1;3@@

· hxxp://hjwqk.ianlar[.]in/pofrj4l/675e60f2d4cb58ae5c59595e070b5405070e005e025256090303040606085e05

· hxxp://hjwqk.ianlar[.]in/pofrj4l/2a78dd2dfa898b9d5b045b03555f0053035802035006025f0755065b545c0a53

· hxxp://hjwqk.ianlar[.]in/pofrj4l/33603690d9fdeed05f5a540b020d0b07020a030b0754090b06070753030e0107;900

· hxxp://hjwqk.ianlar[.]in/pofrj4l/2a7f53d52bfa0822410d415d040856020358025d0151540e07550605050b5c02;5061118

· hxxp://hjwqk.ianlar[.]in/pofrj4l/61295aeb0e3b886755415902045a575507080702010355590305035a05595d55;5;1

· hxxp://hjwqk.ianlar[.]in/pofrj4l/3bb805820e3b886750120903010e0a05025b5703045708090656535b000d0005;6;1

· hxxp://hjwqk.ianlar[.]in/pofrj4l/535c3355fb26fbd956435e5802080702040a00580751050e00070400030b5405;1;1

The Fiesta EK is performing the following exploitation attempts which are resulting in the multiple GET requests:

Adobe Flash

Checks if Adobe Flash is installed and gets the application version.
It then generates a GET request to fetch the run-time parameters for the previously downloaded SWF file "rtu.swf".
A sample object of type “application/x-shockwave-flash” with dynamic run-time parameters to run the exploit payload is created as shown below:

“

Microsoft Silverlight

Checks if Microsoft Silverlight is installed in browser and gets the application version.
It then generates a GET request to fetch the run-time parameters for the previously downloaded XAP file "rtp.xap".
A sample object of type "application/x-silverlight" with dynamic run-time parameters to run the exploit payload is created as shown below:

Java

Check if Java plugin is installed and enabled in the browser.
Downloads a malicious Java archive (JAR) based on the installed version:
- JAR File -> ianlar.jar: 4/55 (CVE-2012-1723)
It then generates a subsequent GET request to fetch parameter values required to execute the malicious JAR payload.
Creates a custom applet tag utilizing the run-time parameter values to run the exploit payload as seen below:

Adobe Reader

Checks for the presence of the Adobe Reader plugin.
Downloads and executes the malicious PDF file:
- PDF File -> Ianlar.pdf: 8/55

Post-Infection

Upon successful exploitation, Fiesta EK was observed installing a new variant of Zemot Trojan from the following location:

hxxp://warzine[.]su/b/shoe/54602

This is a well known Click-Fraud Botnet family which will soon start click-fraud activity on the victim machine, making money for the malware authors.

This Click-Fraud malware family appears to be connected to many other EKs in addition to Fiesta. Some of the domains involved in the Click-Fraud activity:

num-lnkd.com
syserty-war.com
turend-hureft.com
service-search.com
fifa-seargh.com
enjoy-result.com
oak-search.com
phantom-search.com
companies-search.com
calimera-search.com

The above domains were resolving to the following two servers located in Russia and Ukraine respectively:

46.161.41.220
192.162.19.34

A GET request to any of these domains look like this:

- Sameer Patil

Thank you for reading

Was this post useful?

Yes, very!

Not really

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.