Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Wednesday, March 06, 2013
Dissecting NBC's Late Night with Jimmy Fallon Web Site Compromise
Oops, they did it again!
The official Web site (hxxp://www.latenightwithjimmyfallon.com) of NBC's Late Night With Jimmy Fallon is currently compromised/hacked and is automatically serving multiple Java exploits to its visitors through a tiny iFrame element embedded on the front page. According to Google's Safe Browsing Diagnostic page, the same malicious iFrame domain that affected the Web site, is also known to have affected 15 more domains.
Let's dissect the campaign, expose the complete domains domains portfolio used in the campaign, reproduce the malicious payload, and establish a direct connection between this campaign, and a series of phishing campaigns that appear to have been launched by the same cybercriminal/gang of cybercriminals.
Sample client-side exploitation chain: hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=339214 - 144.135.8.182; 192.154.103.66 -> hxxp://20-monkeys-b.com/exp/tionjett.php
Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 17:02:35 it used to respond to 192.154.103.66. We've got several malicious domains currently parked at the same IP and responing, allowing us to obtain the malicious payload used in the campaign affecting NBC's Web site. Upon further examination, the obtained malicious PDF used in the campaign, also attempts to connect to the initial iFrame domain (20-monkeys-b.com), proving that the domains are operated by the same cybercriminal/gang of cybercriminals.
Sample exploitation chain for a currently active malicious domain responding to 192.154.103.66: hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842 -> hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar -> hxxp://poople-huelytics.com/exp/jectrger.php
Sample client-side exploits served: CVE-2013-0431; CVE-2012-1723; CVE-2010-0188
Sample detection rates for the reproduced malicious payload:
test.pdf - MD5: 013ed8ef6d92cfe337d9d82767f778da - detected by 10 out of 46 antivirus scanners as PDF:Exploit.PDF-JS.VU
jurylamp.jar - MD5: dcba86395938737b058299b8e22b6d65 - detected by 7 out of 46 antivirus scanners as Exploit:Java/CVE-2013-0431
ptlyable.jar - MD5: 2446aa6594fc7935ca13b130d4f67442 - detected by 6 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen
test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 72B670F4582BC73C0D05FF506B51B8EB it then attempts to obtain the malicious payload from 20-monkeys-b.com/exp/senccute.php? (144.135.8.182)
Responding to 192.154.103.66 are also the following malicious domains:
snova-vdel-e.com
mimemimikat.info
Malicious domain names reconnaissance:
20-monkeys-b.com - Email: haneslyndsey@yahoo.com
poople-huelytics.com - Email: brianmyhalyk@yahoo.com
snova-vdel-e.com - Email: guerin_k@yahoo.com
mimemimikat.info - Email: xbroshost@live.com
More domains share the same exploitation directory structure (agencept.php?vialjack=) such as for instance:
hxxp://upd.pes2020.com.ar/up/agencept.php?vialjack%3D219215
hxxp://upd.typescript.com.ar/up/agencept.php?vialjack=219215
hxxp://4ad32203.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad34364.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad28306.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad23745.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad96968.dyndns.info/agencept.php?vialjack%3D428181
hxxp://4ad21321.dyndns.info/agencept.php?vialjack=428181
The same email (xbroshost@live.com) is also known to have registered the following phishing domains in the past:
hxxp://www.realtorviewproperties.info/realtorjj/index.htm
hxxp://www.usaindependentmerchids.com
hxxp://www.usamerchandiseinc.com/
hxxp://www.blogconsciente.com/~secadmin/eLogin.php
Although the cybercriminal/gang of cybercriminals behind this campaign applied basic OPSEC practices to it, the fact that the C&C/malicious payload acquisition strategy is largely centralized, (thankfully) indicates a critical flaw in their mode of thinking.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Dissecting NBC's Late Night with Jimmy Fallon Web Site Compromise
Oops, they did it again!
The official Web site (hxxp://www.latenightwithjimmyfallon.com) of NBC's Late Night With Jimmy Fallon is currently compromised/hacked and is automatically serving multiple Java exploits to its visitors through a tiny iFrame element embedded on the front page. According to Google's Safe Browsing Diagnostic page, the same malicious iFrame domain that affected the Web site, is also known to have affected 15 more domains.
Let's dissect the campaign, expose the complete domains domains portfolio used in the campaign, reproduce the malicious payload, and establish a direct connection between this campaign, and a series of phishing campaigns that appear to have been launched by the same cybercriminal/gang of cybercriminals.
Sample client-side exploitation chain: hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=339214 - 144.135.8.182; 192.154.103.66 -> hxxp://20-monkeys-b.com/exp/tionjett.php
Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 17:02:35 it used to respond to 192.154.103.66. We've got several malicious domains currently parked at the same IP and responing, allowing us to obtain the malicious payload used in the campaign affecting NBC's Web site. Upon further examination, the obtained malicious PDF used in the campaign, also attempts to connect to the initial iFrame domain (20-monkeys-b.com), proving that the domains are operated by the same cybercriminal/gang of cybercriminals.
Sample exploitation chain for a currently active malicious domain responding to 192.154.103.66: hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842 -> hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar -> hxxp://poople-huelytics.com/exp/jectrger.php
Sample client-side exploits served: CVE-2013-0431; CVE-2012-1723; CVE-2010-0188
Sample detection rates for the reproduced malicious payload:
test.pdf - MD5: 013ed8ef6d92cfe337d9d82767f778da - detected by 10 out of 46 antivirus scanners as PDF:Exploit.PDF-JS.VU
jurylamp.jar - MD5: dcba86395938737b058299b8e22b6d65 - detected by 7 out of 46 antivirus scanners as Exploit:Java/CVE-2013-0431
ptlyable.jar - MD5: 2446aa6594fc7935ca13b130d4f67442 - detected by 6 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen
test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 72B670F4582BC73C0D05FF506B51B8EB it then attempts to obtain the malicious payload from 20-monkeys-b.com/exp/senccute.php? (144.135.8.182)
Responding to 192.154.103.66 are also the following malicious domains:
snova-vdel-e.com
mimemimikat.info
Malicious domain names reconnaissance:
20-monkeys-b.com - Email: haneslyndsey@yahoo.com
poople-huelytics.com - Email: brianmyhalyk@yahoo.com
snova-vdel-e.com - Email: guerin_k@yahoo.com
mimemimikat.info - Email: xbroshost@live.com
More domains share the same exploitation directory structure (agencept.php?vialjack=) such as for instance:
hxxp://upd.pes2020.com.ar/up/agencept.php?vialjack%3D219215
hxxp://upd.typescript.com.ar/up/agencept.php?vialjack=219215
hxxp://4ad32203.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad34364.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad28306.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad23745.dyndns.info/agencept.php?vialjack=428181
hxxp://4ad96968.dyndns.info/agencept.php?vialjack%3D428181
hxxp://4ad21321.dyndns.info/agencept.php?vialjack=428181
The same email (xbroshost@live.com) is also known to have registered the following phishing domains in the past:
hxxp://www.realtorviewproperties.info/realtorjj/index.htm
hxxp://www.usaindependentmerchids.com
hxxp://www.usamerchandiseinc.com/
hxxp://www.blogconsciente.com/~secadmin/eLogin.php
Although the cybercriminal/gang of cybercriminals behind this campaign applied basic OPSEC practices to it, the fact that the C&C/malicious payload acquisition strategy is largely centralized, (thankfully) indicates a critical flaw in their mode of thinking.
Tags:
Client-Side Exploits,
Client-Side Vulnerabilities,
Cybercrime,
Exploits,
Hacking,
Information Security,
NBC,
Security,
Vulnerabilities
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Monday, March 04, 2013
Summarizing Webroot's Threat Blog Posts for February
The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:
01. Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware
02. Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware
03. ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit
04. New DIY HTTP-based botnet tool spotted in the wild
05. Mobile spammers release DIY phone number harvesting tool
06. New underground service offers access to thousands of malware-infected hosts
07. Targeted ‘phone ring flooding’ attacks as a service going mainstream
08. Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware
09. Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit
10. Malware propagates through localized Facebook Wall posts
11. Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware
12. New underground E-shop offers access to hundreds of hacked PayPal accounts
13. Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit
14. DIY malware cryptor as a Web service spotted in the wild
15. Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware
16. How mobile spammers verify the validity of harvested phone numbers
17. How much does it cost to buy 10,000 U.S.-based malware-infected hosts?
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)