Wednesday, September 18, 2013
Dissecting FireEye's Career Web Site Compromise
Remember when, back in 2010, I established a direct connection between several mass WordPress blog compromise campaigns and the campaign behind the compromised Web site of the U.S. Treasury, prompting the cybercriminal(s) behind it to redirect all of the campaign's traffic to my Blogger profile?
It appears that the cybercriminal(s) behind these mass Web site compromise campaigns are not only still in business, but, in a textbook example of the long tail of the malicious Web, have also managed to compromise FireEye's (externally hosted) Careers Web site.
Let's dissect the campaign, expose the malicious domain portfolio behind it, provide MD5s for a sample exploit and the dropped malware, and connect it to related malicious campaigns, all of which continue to share the same malicious infrastructure.
Sample redirection chain:
hxxp://vjs.zencdn.net/c/video.js -> hxxp://cdn.adsbarscipt.com/links/jump/ (220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199) (IE) -> hxxp://cdn.adsbarscipt.com/links/flash/?updnew (CHROME) -> hxxp://188.8.131.52/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php
The (IE) and (CHROME) markers indicate which browser each intermediate hop was served to; both paths end at the exploit-serving face-book.php page.
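As an added example (not code from the original post), the following Python parses a defanged redirection chain in the notation used above into ordered hops, derives blockable indicators from every hop after the initial script include, and scans proxy log lines for requests to them. The proxy log lines are constructed for the demonstration, and their four-field format (timestamp, client IP, method, URL) is an assumption of this example; the hosts and IPs are taken from the chain as printed.

```python
import re
from urllib.parse import urlparse

# The redirection chain as printed in the post (defanged with hxxp).
CHAIN = (
    "hxxp://vjs.zencdn.net/c/video.js -> "
    "hxxp://cdn.adsbarscipt.com/links/jump/ "
    "(220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199) (IE) -> "
    "hxxp://cdn.adsbarscipt.com/links/flash/?updnew (CHROME) -> "
    "hxxp://188.8.131.52/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php"
)

HOP_RE = re.compile(
    r"(?P<url>hxxps?://\S+)"                          # defanged URL
    r"(?:\s*\((?P<ips>[\d.]+(?:;\s*[\d.]+)*)\))?"     # optional "(ip; ip; ...)"
    r"(?:\s*\((?P<client>[A-Za-z]+)\))?"              # optional browser condition, e.g. (IE)
)


def refang(url: str) -> str:
    """Turn a defanged hxxp:// URL back into a real one for matching."""
    return re.sub(r"^hxxp", "http", url, count=1)


def parse_chain(chain: str) -> list[dict]:
    """Split 'a -> b -> c' into ordered hops with host, IPs and client condition."""
    hops = []
    for part in chain.split("->"):
        m = HOP_RE.search(part.strip())
        if not m:
            continue
        url = refang(m.group("url"))
        ips = [ip.strip() for ip in (m.group("ips") or "").split(";") if ip.strip()]
        hops.append({
            "url": url,
            "host": urlparse(url).hostname,
            "ips": ips,
            "client": m.group("client"),  # None when the hop is served to every browser
        })
    return hops


def indicators(hops: list[dict]) -> set[str]:
    """Hosts and IPs worth blocking or hunting for: every hop after the first.

    The first hop is the script the victim page legitimately included, so
    matching on it alone would flag every site that embeds that script.
    """
    iocs = set()
    for hop in hops[1:]:
        iocs.add(hop["host"])
        iocs.update(hop["ips"])
    return iocs


def find_hits(hops: list[dict], log_lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan proxy log lines ('timestamp client_ip method url', an assumed format)
    and return (line_no, url, host) for every request to a chain indicator."""
    iocs = indicators(hops)
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlparse(fields[3]).hostname
        if host in iocs:
            hits.append((n, fields[3], host))
    return hits


# Constructed proxy log lines for demonstration; not from the original post.
SAMPLE_LOG = [
    "2013-09-18T10:01:02Z 10.0.0.5 GET http://www.example.com/careers/",
    "2013-09-18T10:01:03Z 10.0.0.5 GET http://vjs.zencdn.net/c/video.js",
    "2013-09-18T10:01:04Z 10.0.0.5 GET http://cdn.adsbarscipt.com/links/jump/",
    "2013-09-18T10:01:05Z 10.0.0.5 GET http://188.8.131.52/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php",
    "2013-09-18T10:02:00Z 10.0.0.9 GET http://www.example.org/index.html",
]

if __name__ == "__main__":
    hops = parse_chain(CHAIN)
    for hop in hops:
        print(hop)
    for hit in find_hits(hops, SAMPLE_LOG):
        print("HIT", hit)
```

Excluding the first hop from the indicator set is deliberate: the initial script URL is what the compromised page was made to load, and blocking it would also break every site that legitimately uses it. The second and later hops, and the bare IP that serves the exploit page, are the parts of the chain that are specific to the campaign.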
Detection rate for a sample malicious script found on the client-side exploits serving site:
MD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 1 out of 49 antivirus scanners as Trojan.Script.Heuristic-js.iacgm
Sample detection rate for the served client-side exploit:
MD5: 71c92ebc2a889d3541ff6f20b4740868 - detected by 4 out of 49 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen; HEUR_JAVA.EXEC
Detection rate for a sample dropped malware:
MD5: 4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out of 49 antivirus scanners as Trojan-PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C
The following malicious MD5s are known to have been downloaded from the same IPs as cdn.adsbarscipt.com (184.108.40.206; 220.127.116.11; 18.104.22.168; 22.214.171.124):
The campaign is also known to have dropped MD5: 01771c3500a5b1543f4fb43945337c7d
Once executed, the most recently dropped sample (MD5: 4bfb3379a2814f5eb67345d43bce3091) phones back to the following C&C servers:
main-firewalls.com (126.96.36.199; 188.8.131.52; 184.108.40.206) - Email: firstname.lastname@example.org
simple-cdn-node.com (220.127.116.11) - Email: email@example.com
Déjà vu! We have already seen firstname.lastname@example.org in the 2010 Network Solutions mass WordPress blog compromise, a campaign that is also directly connected to the compromise of the U.S. Treasury Web site.
The sample also attempts to download the following additional malware variants:
simple-cdn-node.com/1.exe - MD5: 05d003a374a29c9c2bbc250dd5c56d7c
Responding to 18.104.22.168 are also the following malicious domains:
The following malicious MD5s are also known to have phoned back to the same IP (22.214.171.124) in the past:
Responding to 126.96.36.199 are also the following malicious domains:
The following malicious MD5s are also known to have phoned back to the same IP (188.8.131.52) in the past:
This kind of attribution, based on gathered historical OSINT, is not surprising: despite the growing number of novice cybercriminals joining the ecosystem, the "usual suspects" keep operating, reusing the same infrastructure in pursuit of their fraudulent and malicious objectives.
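The infrastructure-overlap pivoting that the attribution above relies on can be made explicit. The following Python is an added example, not code from the original post: it encodes the domains, resolved IPs, registrant e-mails and sample-to-C&C relationships as the post lists them (the e-mail values are reproduced exactly as printed in this copy of the post), inverts them into per-IP and per-e-mail indexes, and reports which domains share hosting and which selectors recur across campaigns. The 2010 campaign's domain name is not given in the post, so a labelled placeholder key stands in for it and its IP list is left empty.

```python
from collections import defaultdict
from itertools import combinations

# Indicators as printed in the post, grouped by campaign. The 2010 entry only
# carries the registrant e-mail overlap the post mentions; its domain name and
# IPs are not given, so a placeholder key with an empty IP set is used.
CAMPAIGNS = {
    "2013 FireEye careers compromise": {
        "cdn.adsbarscipt.com": {
            "ips": {"220.127.116.11", "18.104.22.168", "22.214.171.124",
                    "126.96.36.199", "184.108.40.206"},
            "email": None,
        },
        "main-firewalls.com": {
            "ips": {"126.96.36.199", "188.8.131.52", "184.108.40.206"},
            "email": "firstname.lastname@example.org",
        },
        "simple-cdn-node.com": {
            "ips": {"220.127.116.11"},
            "email": "email@example.com",
        },
    },
    "2010 Network Solutions WordPress compromise": {
        "<2010 domain, not named in post>": {
            "ips": set(),
            "email": "firstname.lastname@example.org",
        },
    },
}

# Sample-to-infrastructure relationships from the post (C&C and download hosts).
SAMPLES = {
    "4bfb3379a2814f5eb67345d43bce3091": {
        "c2": ["main-firewalls.com", "simple-cdn-node.com"],
        "downloads": ["simple-cdn-node.com/1.exe"],
    },
}


def build_index(campaigns):
    """Invert the data into ip -> {(campaign, domain)} and email -> {(campaign, domain)}."""
    by_ip = defaultdict(set)
    by_email = defaultdict(set)
    for campaign, domains in campaigns.items():
        for domain, rec in domains.items():
            for ip in rec["ips"]:
                by_ip[ip].add((campaign, domain))
            if rec["email"]:
                by_email[rec["email"]].add((campaign, domain))
    return by_ip, by_email


def shared_infrastructure(campaigns):
    """Return every pair of domains that share at least one IP, with the shared IPs."""
    by_ip, _ = build_index(campaigns)
    shared = defaultdict(set)
    for ip, owners in by_ip.items():
        for a, b in combinations(sorted(owners), 2):
            shared[(a[1], b[1])].add(ip)
    return dict(shared)


def cross_campaign_links(campaigns):
    """Return (selector, value, campaigns) for any IP or e-mail seen in more than one campaign."""
    by_ip, by_email = build_index(campaigns)
    links = []
    for selector, index in (("ip", by_ip), ("email", by_email)):
        for value, owners in index.items():
            seen = sorted({c for c, _ in owners})
            if len(seen) > 1:
                links.append((selector, value, seen))
    return links


def sample_ips(md5, campaigns, samples):
    """Union of the IPs behind every C&C domain a sample phones back to."""
    all_domains = {d: rec for doms in campaigns.values() for d, rec in doms.items()}
    ips = set()
    for domain in samples.get(md5, {}).get("c2", []):
        ips.update(all_domains.get(domain, {}).get("ips", set()))
    return ips


if __name__ == "__main__":
    for pair, ips in shared_infrastructure(CAMPAIGNS).items():
        print("shared hosting:", pair, sorted(ips))
    for link in cross_campaign_links(CAMPAIGNS):
        print("cross-campaign:", link)
    print("C&C IPs for 4bfb...:", sorted(sample_ips("4bfb3379a2814f5eb67345d43bce3091", CAMPAIGNS, SAMPLES)))
```

Run on the post's own data, the pivot shows that cdn.adsbarscipt.com shares hosting with both C&C domains, while the only selector that bridges the 2013 and 2010 campaigns is the registrant e-mail; that single shared e-mail is the link the post's "déjà vu" rests on, and the same code reports it as soon as a second campaign record carrying the same value is added.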
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.