K.I.A. - Kelihos Trojan/RedKit EK Exploiting Boston Marathon Attacks

Home/KIA/K.I.A. – Kelihos Trojan/RedKit EK Exploiting Boston Marathon Attacks
Kelihos Trojan RedKit EK Exploiting Boston Marathon Attacks

On the heels of national tragedies an unfortunate element that consistently arises now is exploitation of the tragedy often by cyber means. The Boston Marathon Bombing is no exception. On the morning of April 17, we noticed a strange entry in our cloud based Threat Data Server indicating possible exploit pack activity related to a web redirect from a URL ending in “boston.html”.  We found that in fact the Boston Marathon tragedy is being exploited to compromise curious users looking to see video of the Boston bombings. Java exploits of CVE-2013-0422 or CVE-2013-1493 URL’s are being used to implant the Kelihos Trojan likely using the RedKit exploit kit.

Invincea security consultant Eddie Mitchell in his latest KIA series blog provides a detailed analysis of the exploit below. Doing a bit of research on urlquery.net confirmed several other suspicious URL’s with this same pattern.  Some of the entries have been flagged by IDS signatures as being consistent with the RedKit exploit kit:

Image 1

Picking an entry at random, we browse to the copied URL with an Invincea protected web browser and Java 7 Update 10 in this example.  Immediately upon reaching the page, we can see that several videos related to the recent tragedy at the Boston Marathon have been embedded on the page (see below).  No doubt these links are used in spearphish campaigns and Search Engine Optimization (SEO) poisoning attacks designed to lure users to click on these links. A few moments later, Invincea identifies suspicious activity on the web page:

IMAGE 2

Clicking on the details link, it is clearly apparent that there is something very wrong with this website:

 

IMAGE 3

 

Specifically, the website dropped a number of executables then launched them in addition to setting up new network comms. In total nearly 200 changes to the virtual container Invincea sets up for the browser were identified and quarantined.

Once we click “Restore” to purge and rebuild the virtual environment, we pivot to the Threat Analyzer to review the details.  In addition to the massive number of recorded changes inside the virtual environment, we can see that the original URL contained several embedded Youtube videos relating to the Boston Marathon bombing, in addition to a redirect to a suspect domain (spareroomwebdesign[.]com):

IMAGE 4

 

Reviewing a network traffic capture of the attack in progress, we can clearly see an un-obfuscated iframe leading to the suspect page above:

 

IMAGE 5

 

Content of waiq.html shows an embedded Java applet exploiting CVE-2013-0422 or CVE-2013-1493 depending on the version of Java installed:

 

IMAGE 6

 

lbq.jar (md5: 0d45a1c9d94bb58fcdf241ec4a66c165) –

https://www.virustotal.com/en/file/cf9368494e68d878d349419ce9016b4985cfa6ea76236d1cd8465a5a48998bab/analysis/

Java downloading an XOR encoded payload (49.html):

 

IMAGE 7

 

Invincea shows two executables being written to disk in the %localappdata%Temp and subsequently launched:

 

IMAGE 8

 

duedm.exe (md5: b9bbe7749b434c7c5df5e4d203dc9331) – https://www.virustotal.com/en/file/764ba4764daae66093b3ca746e97ca3f9e054a317f3e53286698e521341f97c3/analysis/

npcci.exe (md5: 256a2ab30f6d7dcdcae008588df4ec8c) -
https://www.virustotal.com/en/file/93371e13ff4b3db752d65d2d17d8394f3d834e89eac9628b828fc76827ce5518/analysis/

Next, duedm.exe connects to 94[.]231[.]181[.]208 (ymvuchyq[.]ru) (a Russian domain) to download another executable (newbos3.exe).  Note the HTTP headers present in this transaction:

IMAGE 9

 

This executable is written to C:WindowsTemp as “Temp45.exe” and launched as a process.  As seen in Invincea:

IMAGE 10

temp45.exe (md5: fdbc94958b8f0ec2b24302c6d4685c46) –https://www.virustotal.com/en/file/560766fc73edf8eff02674a220e2794c008caeefc476c8fef04c21a16eb23a0f/analysis/

Registry entries created by temp45.exe are consistent with the Kelihos Trojan:

IMAGE 11

 

Full listing of network activity captured by Invincea:

 

IMAGE 12

Below is a sample of network traffic initiated by Kelihos to IP 46[.]219[.]27[.]5.  Note the obviously crafted user agent string:

IMAGE 13

 

In summary, the Boston Marathon tragedy is simply another opportunity for cyber miscreants to exploit people’s curiosity in order to compromise their machines and the networks they run on. Not surprisingly, they are exploiting Java vulnerabilities to install a remotely accessible Trojan. Based on the location of the command and control server we may conclude this is cyber crime driven, but further examination of the command and control network is necessary to be definitive.

Patching Java is immensely difficult for enterprises for legacy app compatibility reasons. This exploit shows the exposure of not patching Java. Deploying Invincea enterprise wide not only protects your network against user curiosity and this particular vile brand of exploitation, but also allows enterprises to continue to run unpatched Java without inheriting the risk associated with the Java vulnerabilities.

So what are you waiting for? Contact us for a free trial and browse fearlessly.

Leave a Comment