Jul 21, 2016 by Analysis in EITEST
NOTES:
Over the past two days I have been monitoring a website compromised by the EITEST campaign, which pushes out what appears to be Ursnif via the Neutrino Exploit Kit. Ursnif is classified as data-stealing malware. Below I will show how the data is stolen and exfiltrated to the command and control (C2) server. The traffic pattern has changed since I last saw Ursnif on May 25th 2016, when it was delivered via the Angler Exploit Kit. I also noticed that the traffic pattern and data exfiltration changed over the course of the day, so I will show a comparison of the exfiltration seen earlier and later in the day. I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-07-21-Neutrino-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES, RUN 2:
85.93.0.12  vredtyh.ml  EITEST GATE
131.72.139.207  husqob.hb95cyjy.top  Neutrino EK LANDING PAGE
54.243.185.251  constitution.org  GET /usdeclar.txt  Internet Connection Check
31.41.44.219  SSL port 443  Command and Control, POST INFECTION
198.105.254.228  absoluteconnected.ru  POST INFECTION
198.105.254.228  tappropriations.ru  POST INFECTION

ASSOCIATED DOMAINS AND IP ADDRESSES, RUN 1:
85.93.0.12  shkter.xyz  EITEST GATE
131.72.139.203  kyy1vt.acnp65o2.top  Neutrino EK LANDING PAGE
208.118.235.148  www.gnu.org  GET /licenses/gpl.txt  Internet Connection Check
198.105.254.228  rudoesnetworkthe.ru  GET /  POST INFECTION
198.105.254.228  thlicensecodelfcharge.ru  GET /  POST INFECTION
198.105.254.228  holydoesthegoverned.ru  GET /  POST INFECTION
198.105.254.228  foundationpropagation.ru  GET /  POST INFECTION
198.105.254.228  changebutresthaveyou.ru  POST /  DATA EXFILTRATION
198.105.254.228  thlicensecodelfcharge.ru  POST /  DATA EXFILTRATION

On run 1 the data was exfiltrated over HTTP as .bin files. On run 2 the data was exfiltrated over SSL on port 443. Above you can see how the run 2 infection unsuccessfully tried to exfiltrate stolen data to IP address 198.105.254.228, as was done on run 1.
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Traffic associated with the Neutrino exploit kit and Ursnif infection from run 2
Shown above: Traffic associated with the Neutrino exploit and Ursnif infection from run 1
Shown above: Injected script found on compromised site associated with the EITEST campaign which redirects to the EITEST gate from run 2
Shown above: Script found on EITEST gate redirecting to the Neutrino Exploit Kit landing page from run 2
Shown above: Internet connection check used on run 2
Shown above: Internet connection check used on run 1
Shown above: On May 25th 2016 you could see how Ursnif used nasa.gov to complete its internet check
Shown above: On run 1 you can see how data was exfiltrated from the compromised host over HTTP, posting a .bin file containing stolen data to the command and control server
Shown above: A comparison of how Ursnif exfiltrated data on May 25th 2016 and on the first run on July 21st 2016
Shown above: Later in the day, on run 2, Ursnif attempted to connect to IP 198.105.254.228 but was unsuccessful. Ursnif then exfiltrated its data to IP 31.41.44.219 over SSL on port 443
Shown above: Beginning of the post-infection SSL data exfiltration from run 2

POST INFECTION ARTIFACTS AND DATA EXFILTRATION:
Shown above: After the host is infected Ursnif creates .bin files where it stores stolen credentials and other information
Shown above: After opening the .bin file with a text editor you can see that the first 2 bytes are the letters “PK”. PK (bytes 0x50 0x4B) is the signature at the start of every .ZIP file header, so a .bin file beginning with it is a ZIP archive under a different extension.
Shown above: After renaming the file extension on 5AE8.bin to .zip I was able to extract the files listed above.
Shown above: After visiting bing.com and attempting to login with fictitious information, I returned to the .bin file to examine the files.
Shown above: After returning to the .bin file and again following the above process, with a text editor, I opened one of the files contained inside the .bin. As seen above Ursnif was able to capture the fictitious information used to login to bing.com
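The rename-and-extract check described above can be done without touching the file extension at all: test the leading bytes for the ZIP signature and list the archive members directly. The script below is an added example written for this post, not code from the original analysis or from any tool it mentions. It builds a throwaway directory with a constructed 5AE8.bin (the file name is taken from the post; the member names and contents are placeholders) plus a non-archive decoy, then walks the directory and reports every file that is a ZIP archive despite its extension.

```python
import os
import tempfile
import zipfile

# ZIP local file header signature: the ASCII letters "PK" followed by 0x03 0x04.
# (An empty archive starts with "PK\x05\x06" instead; those carry no stolen data.)
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_zip_disguised(path):
    """Return True if the file begins with the ZIP local-file-header magic,
    regardless of what extension it carries."""
    with open(path, "rb") as fh:
        return fh.read(4) == ZIP_LOCAL_HEADER


def list_staged_archive(path):
    """Return (member name, uncompressed size) for each entry of a ZIP archive
    stored under an arbitrary extension, without extracting anything to disk."""
    if not is_zip_disguised(path):
        return []
    with zipfile.ZipFile(path) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def triage_directory(root):
    """Walk a directory tree and report every file whose content is a ZIP
    archive but whose extension is not .zip.
    Returns {path: [(member name, size), ...]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".zip"):
                continue
            full = os.path.join(dirpath, name)
            try:
                if is_zip_disguised(full):
                    findings[full] = list_staged_archive(full)
            except (OSError, zipfile.BadZipFile):
                # Unreadable or truncated file: skip it rather than abort the sweep.
                continue
    return findings


def build_sample_staging_dir():
    """Construct a temporary directory imitating the staging location described
    in the post: one .bin that is really a ZIP, plus a decoy .bin that is not.
    All contents are constructed placeholders, not data from the infection."""
    root = tempfile.mkdtemp(prefix="ursnif-triage-")
    staged = os.path.join(root, "5AE8.bin")  # file name taken from the post
    with zipfile.ZipFile(staged, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("forms.txt", "host=bing.com user=[REDACTED] pass=[REDACTED]\n")
        zf.writestr("cookies.txt", "placeholder cookie data\n")
    decoy = os.path.join(root, "cache.bin")
    with open(decoy, "wb") as fh:
        fh.write(b"\x00\x01\x02\x03 not an archive")
    return root


if __name__ == "__main__":
    sample_root = build_sample_staging_dir()
    for path, members in triage_directory(sample_root).items():
        print(path)
        for member, size in members:
            print("    %s  %d bytes" % (member, size))
```

Pointing triage_directory at a copy of the Roaming profile from an infected host gives the same inventory the manual rename produced, and because nothing is extracted the staged credentials never land on the analysis machine's disk in the clear.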
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:
2016-07-21-Neutrino-EK-run-1.swf (VirusTotal link)
2016-07-21-Neutrino-EK-run-2.swf (VirusTotal link)
2016-07-21-consserv.exe-run-1 (VirusTotal link)
C:\Users\%UserName%\AppData\Roaming\cmicmgmt\consserv.exe
2016-07-21-consserv.exe-run-2 (VirusTotal link)
C:\Users\%UserName%\AppData\Roaming\cmicmgmt\consserv.exe