FireEye Labs has been tracking exploit kit activity and recently identified several websites redirecting to the Sweet Orange Exploit Kit. Unsurprisingly, some of the sites used to redirect users are legitimate.
The Sweet Orange exploit kit is continuing to proliferate through malvertising and inserting malicious .js into legitimate website properties, many of which are in the Alexa top 1 million, increasing the likelihood of the average user stumbling upon them through browsing or web searches.
Cybercriminals are capitalizing on current events by targeting sites that serve areas afflicted with the Ebola virus; this is a pretty low blow as one can only imagine the potential for damage to computers used by aid workers or citizens who have limited resources as it is.
Figure 1. Homepage for tlcafrica.com
TLCafrica.com is an online magazine for the citizens of the Nation of Liberia. The website has advisories and information on Ebola awareness, but unfortunately, unsuspecting visitors may have been exposed to a different kind of infection.
Figure 2. Sample HTML from homepage shows request for jsquery.js
Figure 3. Contents of jsquery.js returned by the site’s server
Figure 4. Sample contents of jsquery.js after formatting reveals next URL
After the initial page is loaded, jsquery.js loads and directs the browser to make an additional HTTP request to img.lakeforestparkhome[.]info.
Figure 5. Initial HTTP request to exploit kit
Figure 6. Encoded contents returned by exploit kit server
Figure 7. URL to landing page after decoding
The next URL is located at h.micagirl[.]net on TCP port 51439.
This host is at IP 220.127.116.11 and is answering requests for several different Sweet Orange domains as of this writing.
Figure 8. Info for 18.104.22.168 a/k/a micagirl.net
Figure 9. Next HTTP request fetches the exploit kit landing page on TCP 51439
Figure 10. Obfuscated contents of the exploit kit landing page
Figure 11. After formatting we can see more interesting strings
The landing page sets up the Jar file requests from a.micagirl[.]com on TCP port 51439. We’ve observed Sweet Orange frequently making requests for .jar and .jnlp files, as well as payloads on high non-standard TCP port numbers like this.
Figure 12. Jar file request made to a.micagirl[.]com on TCP 51439
Figure 13. More example Jar file requests
The path to the Jar files would change with each visit to tlcAfrica.com, occasionally resulting in 404s.
Figure 14. Jar file requests from another visit to tlcAfrica.com
Both Jar files are the same and target CVE-2013-2460, which exploits the ProviderSkeleton class’s invoke method in Java.
MD5 of Jar files:
3xEcWl5iVnU860.jar = bd1c88831ea7b1c350f4fad68b7d30a9
Zi3cUbamwRWpbqC.jar = b72f2124334480875dcbc7acad21c957
Both Jars were not known to Virustotal and the names appear to remain the same across visits and even across different web sites.
We also observed a national health club chain whose website was compromised to redirect to the Sweet Orange Exploit Kit also using these same Jar files.
After loading the website's homepage, a request for a malicious /js is made, js-hov-int.js.
The contents again contain an encoded URL that sets up the chain of requests.
Figure 15. Request for malicious js file
Figure 16. Sample contents of js-hov-int.js without decoded URL
Figure 17. The now-familiar first request to exploit kit
Request is made to img.kirklandhouse[.]info, which resolves to 22.214.171.124.
Figure 18. Info for img.kirklandhouse[.]info
This all results in behind-the-scenes action that is identical to tlcafrica.com.
Figure 19. Sequence of HTTP requests made as a result of Sweet Orange
After the landing page, there are multiple Jar file requests, this time to a.micagirl[.]com on TCP 51439. Both Jar files exploit CVE-2013-2460.
Figure 20. First Jar file requested
Figure 21. Second Jar file download
Neither of the Jar files was on Virustotal at time of writing.
Each Jar file contains several class files inside, including one that is somewhat out of place without a .class extension.
The .mds file is same in both Jars; though named differently, they have the same md5 hash of 63ed372dfb99ba56ca6a087e4378d79d.
Figure 22. Snapshot of Jar file contents
and the header becomes visible.
Figure 23. Sample before and after hex of hidden class file contents
The real md5 of the hidden class file is 1e35024186bc77970261d18b7b032c1d
It has a detection score of 11/54 on Virustotal.
Both versions of the files are known to Virustotal, with the obfuscated version having a detection score of 0, increasing the chances that the malicious .class file will be successfully downloaded hidden inside an innocuous-looking Jar file.
Figure 24. Virustotal detection ratios for the embedded class file before and after
Figure 25. Bytecode view of .mds class file
The Jar files result in requests being made to k.micagirl [.]com for a malware payload.
Normally we’d expect to see a clear text MZ header; however, in the case of Sweet Orange the downloads are encrypted, making detection much more difficult.
Figure 26. Payload download
Sample Referer’s and Industries Affected:
Industries: Sports / College Athletics / NCAA Basketball
Industries: Science / Mathematics / News
Industries: Retail / Services / Legal Documents
Industries: Automotive / Motor Sports / Sports Entertainment
Industries: Retail / Health & Fitness / Sports Nutrition
Industries: Retail / Sports Equipment / Soccer
Industries: Social Issues / Low Income Housing
For more info on Java vulnerabilities and exploit kits, FireEye Labs has a series of white papers available here and here.
FireEye Labs would like to thank Varun Jain and Henry Bernabe for their research contributions to this blog.