Razor Blades in the Candy Jar

FireEye Labs has been tracking exploit kit activity and recently identified several websites redirecting to the Sweet Orange Exploit Kit. Unsurprisingly, some of the sites used to redirect users are legitimate.

The Sweet Orange exploit kit is continuing to proliferate through malvertising and inserting malicious .js into legitimate website properties, many of which are in the Alexa top 1 million, increasing the likelihood of the average user stumbling upon them through browsing or web searches.

Cybercriminals are capitalizing on current events by targeting sites that serve areas afflicted with the Ebola virus; this is a pretty low blow as one can only imagine the potential for damage to computers used by aid workers or citizens who have limited resources as it is.


Figure 1. Homepage for tlcafrica.com

TLCafrica.com is an online magazine for the citizens of the Nation of Liberia. The website has advisories and information on Ebola awareness, but unfortunately, unsuspecting visitors may have been exposed to a different kind of infection.

Figure 2. Sample HTML from homepage shows request for jsquery.js

Figure 3. Contents of jsquery.js returned by the site’s server

Figure 4. Sample contents of jsquery.js after formatting reveals next URL

After the initial page is loaded, jsquery.js loads and directs the browser to make an additional HTTP request to img.lakeforestparkhome[.]info.

Figure 5. Initial HTTP request to exploit kit

Figure 6. Encoded contents returned by exploit kit server

Figure 7. URL to landing page after decoding

The next URL is located at h.micagirl[.]net on TCP port 51439.

This host is at IP 185.22.233.136 and is answering requests for several different Sweet Orange domains as of this writing.

Figure 8. Info for 185.22.233.136 a/k/a micagirl.net

Figure 9. Next HTTP request fetches the exploit kit landing page on TCP 51439

Figure 10. Obfuscated contents of the exploit kit landing page

Figure 11. After formatting we can see more interesting strings

The landing page sets up the Jar file requests from a.micagirl[.]com on TCP port 51439. We’ve observed Sweet Orange frequently making requests for .jar and .jnlp files, as well as payloads on high non-standard TCP port numbers like this.
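The pattern described above (requests for .jar and .jnlp files to hosts on high, non-standard TCP ports) is easy to turn into a proxy-log check. The following Python is an added example written for this post, not FireEye's tooling; the log format, the IP addresses and the allow-list parameter are assumptions, and the sample lines are constructed, reusing only the host names and port number given in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original post).
# Format assumed here: timestamp client_ip method url status
SAMPLE_LOG = """\
2014-11-10T20:11:01Z 10.0.0.5 GET http://tlcafrica.com/ 200
2014-11-10T20:11:02Z 10.0.0.5 GET http://tlcafrica.com/jsquery.js 200
2014-11-10T20:11:03Z 10.0.0.5 GET http://h.micagirl.net:51439/ 200
2014-11-10T20:11:04Z 10.0.0.5 GET http://a.micagirl.com:51439/3xEcWl5iVnU860.jar 200
2014-11-10T20:11:05Z 10.0.0.5 GET http://a.micagirl.com:51439/Zi3cUbamwRWpbqC.jar 404
2014-11-10T20:11:06Z 10.0.0.7 GET https://updates.example.com/tool.jar 200
2014-11-10T20:11:07Z 10.0.0.7 GET http://intranet.example.com:8080/app.jnlp 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
STANDARD_PORTS = {80, 443}
JAVA_EXTS = (".jar", ".jnlp")


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def effective_port(parts):
    """Port actually used: explicit port if present, else the scheme default."""
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def is_java_on_odd_port(rec, allow_hosts):
    """True when a .jar/.jnlp is fetched from a host on a non-standard port
    that is not on the allow-list (internal update servers, for example)."""
    parts = urlsplit(rec["url"])
    if parts.hostname in allow_hosts:
        return False
    return (parts.path.lower().endswith(JAVA_EXTS)
            and effective_port(parts) not in STANDARD_PORTS)


def find_java_on_odd_ports(log_text, allow_hosts=frozenset()):
    """Scan log text and return (client, host, port, path) for every hit.
    404 responses are kept on purpose: the post notes the kit's changing
    Jar paths occasionally 404, and the attempt itself is the signal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_java_on_odd_port(rec, allow_hosts):
            parts = urlsplit(rec["url"])
            hits.append((rec["client"], parts.hostname, effective_port(parts), parts.path))
    return hits


if __name__ == "__main__":
    for hit in find_java_on_odd_ports(SAMPLE_LOG, allow_hosts={"intranet.example.com"}):
        print("suspicious Java download:", hit)
```

Run against the constructed log, the two Jar requests to a.micagirl.com on TCP 51439 are reported (including the 404), the HTTPS download on the default port is not, and the internal 8080 host is suppressed only when it is allow-listed. In practice the port and extension check should be paired with the preceding request chain (a .js from the referring site, then a first hit to an img.*/cdn.*-style host) rather than used alone.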

Figure 12. Jar file request made to a.micagirl[.]com on TCP 51439

Figure 13. More example Jar file requests

The path to the Jar files would change with each visit to tlcAfrica.com, occasionally resulting in 404s.

Figure 14. Jar file requests from another visit to tlcAfrica.com

Both Jar files are the same and target CVE-2013-2460, a vulnerability in the invoke method of Java's ProviderSkeleton class.

MD5 of Jar files:

3xEcWl5iVnU860.jar = bd1c88831ea7b1c350f4fad68b7d30a9

Zi3cUbamwRWpbqC.jar = b72f2124334480875dcbc7acad21c957

Neither Jar was known to VirusTotal, and the file names appear to remain the same across visits and even across different websites.

We also observed a national health club chain whose website was compromised to redirect to the Sweet Orange Exploit Kit also using these same Jar files.

After loading the website's homepage, a request is made for a malicious .js file, js-hov-int.js.

The contents again contain an encoded URL that sets up the chain of requests.

Figure 15. Request for malicious js file

Figure 16. Sample contents of js-hov-int.js without decoded URL

Figure 17. The now-familiar first request to exploit kit

A request is made to img.kirklandhouse[.]info, which resolves to 192.185.16.158.

Figure 18. Info for img.kirklandhouse[.]info

This all results in behind-the-scenes activity that is identical to what we saw on tlcafrica.com.

Figure 19. Sequence of HTTP requests made as a result of Sweet Orange

After the landing page, there are multiple Jar file requests, this time to a.micagirl[.]com on TCP 51439. Both Jar files exploit CVE-2013-2460.

Figure 20. First Jar file requested

Figure 21. Second Jar file download

Neither of the Jar files was on VirusTotal at the time of writing.

Each Jar file contains several class files inside, including one that is somewhat out of place without a .class extension.

The .mds file is the same in both Jars; though named differently, both have the same MD5 hash of 63ed372dfb99ba56ca6a087e4378d79d.

Figure 22. Snapshot of Jar file contents

The contents of the ".mds" files are highly obfuscated with junk characters. If we strip away the repeating "11151ECZD895" and "F11E11," we are left with clear text and the header becomes visible.

Figure 23. Sample before and after hex of hidden class file contents

The real MD5 of the hidden class file is 1e35024186bc77970261d18b7b032c1d.

It has a detection score of 11/54 on VirusTotal.

Both versions of the file are known to VirusTotal, but the obfuscated version has a detection score of 0, increasing the chances that the malicious .class file will be successfully downloaded hidden inside an innocuous-looking Jar file.
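The two steps described above, spotting the out-of-place non-.class entry in the Jar and stripping the repeating junk strings to expose the class header, can be scripted so that the hash of the real class file falls out automatically. The Python below is an added example written for this post, not FireEye's code. It assumes the junk strings are interleaved with the raw class bytes (the post shows only before/after hex, so the exact interleaving is an assumption, and the obfuscate() helper that builds the sample is a stand-in, not the kit's method); the Jar and its entries are constructed in memory and the "class" bodies are placeholders that carry only the 0xCAFEBABE header.

```python
import hashlib
import io
import zipfile

# Junk strings the post reports repeating throughout the ".mds" entries.
JUNK_MARKERS = (b"11151ECZD895", b"F11E11")
# Magic number that opens every Java class file.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def strip_junk(data: bytes, markers=JUNK_MARKERS) -> bytes:
    """Remove every occurrence of each junk marker from the raw entry bytes."""
    for m in markers:
        data = data.replace(m, b"")
    return data


def is_class_file(data: bytes) -> bool:
    """True when the bytes start with the Java class-file magic number."""
    return data[:4] == CLASS_MAGIC


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def analyze_jar(jar_bytes: bytes) -> dict:
    """Inspect every entry that is not a .class file or manifest: hash it as
    stored, strip the junk markers, and report whether a class header was
    hidden underneath. Returns {entry_name: {...}}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") or name.startswith("META-INF/") or name.endswith("/"):
                continue
            raw = zf.read(name)
            clean = strip_junk(raw)
            report[name] = {
                "md5_as_stored": md5_hex(raw),
                "md5_after_strip": md5_hex(clean),
                "class_header_hidden": (not is_class_file(raw)) and is_class_file(clean),
            }
    return report


# ---- constructed sample input (not from the original post) ----

# Placeholder for the hidden class: only the header is meaningful; not loadable.
HIDDEN_CLASS = CLASS_MAGIC + b"\x00\x00\x00\x33" + b"\x00\x0a" + b"constructed-class-body"


def obfuscate(data: bytes, chunk: int = 4) -> bytes:
    """Assumed interleaving: a junk marker before every 4-byte chunk, alternating
    between the two markers, plus one trailing marker."""
    out = bytearray()
    for i in range(0, len(data), chunk):
        out += JUNK_MARKERS[(i // chunk) % 2]
        out += data[i:i + chunk]
    out += JUNK_MARKERS[0]
    return bytes(out)


def build_sample_jar() -> bytes:
    """Build an in-memory Jar with a manifest, one ordinary class entry and one
    '.mds' entry that is the hidden class wrapped in junk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Loader.class", CLASS_MAGIC + b"\x00\x00\x00\x33loader-body")
        zf.writestr("a1b2c3.mds", obfuscate(HIDDEN_CLASS))
    return buf.getvalue()


if __name__ == "__main__":
    for name, info in analyze_jar(build_sample_jar()).items():
        print(name, info)
```

For a real sample, feed the Jar's bytes straight to analyze_jar(); the md5_after_strip value is the one worth submitting or searching for, since the as-stored hash of the junk-padded entry is what scored 0 detections. Marker removal is a blunt tool: if the underlying bytes happened to contain one of the marker strings, stripping would corrupt them, so a result whose header still does not start with 0xCAFEBABE should be inspected by hand rather than trusted.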

Figure 24. Virustotal detection ratios for the embedded class file before and after

Figure 25. Bytecode view of .mds class file

The Jar files result in requests being made to k.micagirl[.]com for a malware payload.

Normally we’d expect to see a clear text MZ header; however, in the case of Sweet Orange the downloads are encrypted, making detection much more difficult.

Figure 26. Payload download

ADDITIONAL INFORMATION

Active Domains:

[Figure: list of active Sweet Orange domains, shown as a screenshot in the original post]

Sample Referers and Industries Affected:

Industries: Sports / College Athletics / NCAA Basketball

Referer: http://dukeupdate.com/

Host: cdn.jameswoodwardmusic.com

Industries: Science / Mathematics / News

Referer: http://www.stats.org/faq_vs.htm

Host: cdn2.movetoclarksville.com

Industries: Retail / Services / Legal Documents

Referer: http://www.8ws.org/meeting-minutes.htm

Host: cdn.movetoclarksville.com

Industries: Automotive / Motor Sports / Sports Entertainment

Referer: http://www.andrettiautosport.com/home.php

Host: cdn.movetoclarksville.com

Industries: Retail / Health & Fitness / Sports Nutrition

Referer: http://www.lonestardistribution.com/

Host: img.greenwoodhouse.info

Industries: Retail / Sports Equipment / Soccer

Referer: http://www.kwikgoal.com/category/22/6-1-2-X-18-1-2

Host: img.kirklandhouse.info

Industries: Social Issues / Low Income Housing

Referer: http://www.lisc.org/content/publications/detail/20597

Host: src.sheffieldwoods.org

For more info on Java vulnerabilities and exploit kits, FireEye Labs has a series of white papers available here and here.

Acknowledgements

FireEye Labs would like to thank Varun Jain and Henry Bernabe for their research contributions to this blog.