Saturday, July 16, 2011

"NeoSploit" #1

This is the first of a series of posts recording my observation of, and research into, what I believe is a newer version of the notorious NeoSploit exploit kit (pack).

First off, many thanks and appreciation to Darren, who has mentored me at work and helped with the tracking and understanding of this and other packs. Thanks to Daryl at @kahusecurity for an excellent blog and detailed write-ups that I hope one day to approach in quality. Thanks also to the Emerging Threats community for producing a signature to catch this pack, and for all of their other great contributions too!

My introduction to this exploit pack came after a system showed up being served what I believed was a second malicious payload via Java, directly from an IP address rather than a domain. Digging through the interaction I found evidence of a pack I had never seen before, one which had flown "under the radar" undetected, and so the hunt began. Looking at the interaction with the kit I quickly realised why it had gone undetected: almost every stage is obfuscated, from the throwaway domain name down to the hexadecimal URI query strings.

Below is an example of the capture, one request per line: HTTP status code, content type (absent on some of the 302 responses), bytes out:in, method, and the URL. Note the sequence: a landing page on the throwaway domain, a Flash object, repeated large application/octet-stream responses whose query strings are long runs of hex, and a Java .class fetched over and over from a bare IP.

200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 272:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 363:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8
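To make the pattern in the capture concrete, here is an added example (my own triage script, not tooling from this post or from the kit's authors) that parses these exact lines, with the column layout assumed as described above, and flags the traits a practitioner would key on: long hexadecimal query strings, a Java .class pulled from a bare IP, and large application/octet-stream responses, including one served immediately after the Flash object. The flag names and the 500 KB and 32-hex-character thresholds are assumptions of mine, not properties of the kit.

```python
"""Heuristic triage of the proxy-log capture above (added example; column layout
assumed: status, optional content type, bytes out:in, method, URL)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# The 25 request lines from the capture above, verbatim (hxxp:// defanged).
SAMPLE_LOG = """\
200 text/html 482:16466 GET hxxp://pboysxaj.co.tv/7aoptmzxwahwllhr/
302 text/html 692:365 GET hxxp://pboysxaj.co.tv/b1e346d3ca0b910ebf905deac0f9b8938176zxw
200 text/html 664:23214 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?3
200 application/x-shockwave-flash 543:1706 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?04ee3e0fab7472aa4343035e02570750050c5e5c0a5c0b57030452500451045f03
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 272:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 384:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 384:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 text/plain 281:8036 GET hxxp://91.226.78.47/shrgr.class
302 188:2391 GET hxxp://91.226.78.47/shrgr.class
302 338:2643 GET hxxp://91.226.78.47/shrgr.class
302 363:2528 GET hxxp://91.226.78.47/shrgr.class
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 427:4289 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
200 application/octet-stream 427:3862 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 449:871884 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?0a5864250d480b96551950030706050305590e010f0d09040351020d0100060c03;1;6
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4a7109d554a1854e5e155a0a010b530301590c0809005f0407510004070d500c07
302 336:2615 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?4d07c159b49b5ccf5e05420c5203020f015c0b0e5a080e08075407025405010007
200 application/octet-stream 352:952128 GET hxxp://pboysxaj.co.tv/5cm1zrkq/?7fd0e2bb0d480b96521e010b54005554025e5f095c0b5953045653055206565b04;1;8
"""

LINE_RE = re.compile(
    r"^(?P<status>\d{3})\s+"
    r"(?:(?P<ctype>[\w.+-]+/[\w.+-]+)\s+)?"   # content type is absent on some 302 lines
    r"(?P<out>\d+):(?P<in>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)
# A long run of lowercase hex, optionally followed by ";n;m"-style parameters.
# The capture's queries happen to be 66 hex chars; 32 is an assumed lower bound.
HEX_QUERY_RE = re.compile(r"^(?P<hex>[0-9a-f]{32,})(?P<params>(?:;\d+)*)$")
LARGE_BINARY = 500_000   # assumed threshold in bytes; the payloads above are ~0.9 MB


@dataclass
class Request:
    lineno: int
    status: int
    ctype: str
    bytes_out: int
    bytes_in: int
    method: str
    host: str
    path: str
    query: str
    flags: list = field(default_factory=list)


def parse_line(lineno: int, line: str):
    """Parse one log line into a Request, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])                       # the defanged hxxp:// scheme parses fine
    return Request(lineno, int(m["status"]), m["ctype"] or "", int(m["out"]),
                   int(m["in"]), m["method"], u.hostname or "", u.path, u.query)


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def flag_request(req: Request, prev) -> list:
    """Attach heuristic flags; `prev` is the preceding request (for sequencing)."""
    if HEX_QUERY_RE.match(req.query):
        req.flags.append("hex-obfuscated query")
    if is_ip_literal(req.host) and req.path.endswith(".class"):
        req.flags.append("java class from bare ip")
    if req.ctype == "application/octet-stream" and req.bytes_in >= LARGE_BINARY:
        req.flags.append("large binary payload")
    if prev is not None and prev.ctype == "application/x-shockwave-flash" \
            and req.ctype == "application/octet-stream":
        req.flags.append("binary immediately after flash")
    return req.flags


def analyze(log_text: str) -> list:
    reqs, prev = [], None
    for n, line in enumerate(log_text.splitlines(), 1):
        req = parse_line(n, line)
        if req is None:
            continue
        flag_request(req, prev)
        reqs.append(req)
        prev = req
    return reqs


def summarize(reqs: list) -> dict:
    """Per-flag counts, distinct hex query bodies, distinct big-payload sizes, unflagged lines."""
    counts = {}
    for r in reqs:
        for f in r.flags:
            counts[f] = counts.get(f, 0) + 1
    hex_queries = {HEX_QUERY_RE.match(r.query)["hex"] for r in reqs if HEX_QUERY_RE.match(r.query)}
    sizes = sorted({r.bytes_in for r in reqs if "large binary payload" in r.flags})
    return {"flag_counts": counts, "distinct_hex_queries": sorted(hex_queries),
            "payload_sizes": sizes, "unflagged": [r.lineno for r in reqs if not r.flags]}


if __name__ == "__main__":
    requests = analyze(SAMPLE_LOG)
    for r in requests:
        if r.flags:
            print(f"line {r.lineno:2d} {r.status} {r.ctype or '-':30s} {r.host:16s} {', '.join(r.flags)}")
    print(summarize(requests))
```

Run as-is it prints one line per flagged request and then the summary: 22 of the 25 requests are flagged, only the first three (landing page, 302 and the `?3` page) are not, the five distinct query strings are all 66 hex characters long, and the large binary comes back at two different sizes (952128 and 871884 bytes), which is worth remembering when you go to hash whatever the client actually wrote to disk.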

I will be adding further analysis and assumptions in "NeoSploit" #2.

Please check back here as I add more posts, and, as I asked on Twitter, please comment and provide feedback and information if you've seen this pack before!

-Paul @demon117

*DISCLAIMER* These are malicious sites; they may still be active and, if so, are extremely dangerous. I have defanged the links so that they will not work as written, but handle them with care regardless! If you visit them, it is on your own accord and not mine. */DISCLAIMER*
