Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Neutrino EK via EITEST sends two variants of Ursnif A Comparison

0
0

Jul 21, 2016 by Analysis in EITEST

NOTES:

Over the past two days I have been monitoring a website compromised by the EITEST campaign pushing out what appears to be Ursnif via the Neutrino Exploit Kit. Ursnif is classified as data stealing malware. Below I will show you how the data is stolen and ex-filtrated to the command and control (C2) The traffic pattern has changed since I last saw Ursnif on May 25th 2016, when it was delivered via the Angler Exploit Kit. I also noticed how the traffic pattern and data ex-filtration has changed over the course of the day. I will show you the comparison of the data ex-filtration over the day.

I have added a zipped pcap file for your analysis. The password is the usual used by malware researchers. If you do not know it please email me.

info@broadanalysis.com

PCAP file of the infection traffic:

2016-07-21-Neutrino-EK-pcap.zip ASSOCIATED DOMAINS AND IP ADDRESSES RUN 2: 85.93.0.12 vredtyh.ml EITEST GATE 131.72.139.207 husqob.hb95cyjy.top Neutrino EK LANDING PAGE 54.243.185.251 constitution.org GET /usdeclar.txt Internet Connection Check 31.41.44.219 SSL Port 443 Command and Control POST INFECTION 198.105.254.228 absoluteconnected.ru POST INFECTION 198.105.254.228 tappropriations.ru POST INFECTION ASSOCIATED DOMAINS AND IP ADDRESSES RUN 1: 85.93.0.12 shkter.xyz EITEST GATE 131.72.139.203 kyy1vt.acnp65o2.top Neutrino EK LANDING PAGE 208.118.235.148 www.gnu.org GET /licenses/gpl.txt Internet Connection Check 198.105.254.228 rudoesnetworkthe.ru GET / POST INFECTION 198.105.254.228 thlicensecodelfcharge.ru GET / POST INFECTION 198.105.254.228 holydoesthegoverned.ru GET / POST INFECTION 198.105.254.228 foundationpropagation.ru GET / POST INFECTION 198.105.254.228 changebutresthaveyou.ru POST / DATA EX-FILTRATION 198.105.254.228 thlicensecodelfcharge.ru POST /- DATA EX-FILTRATION

On run 1 the data was ex-filtrated over HTTP via .bin files. On run 2 the data was seen being ex-filtrated over SSL encrypted port 443. Above you can see how the run 2 infection unsuccessfully tried to ex-filtrate stolen data to IP address 198.105.254.228 as was done on run 1.

IMAGES AND DETAILS OF INFECTION CHAIN:
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: Traffic associated with the Neutrino exploit and Ursnif infection run 2
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: Traffic associated with the Neutrino exploit and Ursnif infection from run 1
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: Injected script found on compromised site associated with the EITEST campaign which redirects to the EITEST gate from run 2
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: Script found on EITEST gate redirecting to the Neutrino Exploit Kit landing page from run 2
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: Internet connection check used on run 2
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: Internet connection check used on run 1
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: On May 25th 2016 you could see how Ursnif used nasa.gov to complete its internet check
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: On run 1 you can see how data was ex-filtrated from the compromised host over HTTP posting a .bin file containing stolen data to the command and control
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: You can see the comparison how Ursnif ex-filtrated the data on May 25th 2016 and the first run on July 21st 2016
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: Later in the day on run 2 you could see how Ursnif attempted to connect to IP 198.105.254.228 but was unsuccessful. Ursnif then ex-filtrated its data via IP 31.41.44.219 over SSL port 443
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: Begin of post infection SSL data ex-filtration from run 2 POST INFECTION ARTIFACTS AND DATA EX-FILTRATION:
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: After the host is infected Ursnif creates .bin files where it stores stolen credentials and other information
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: After opening the .bin file with a text editor you could see the first 2 bytes contain the letters “PK”. PK is used in file headers associated with .ZIP files.
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: After renaming the file extension on 5AE8.bin to to .zip I was able to extract the above listed files.
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: After visiting bing.com and attempting to login with fictitious information, I returned to the .bin file to examine the files.
Neutrino EK via EITEST sends two variants of Ursnif   A Comparison
Shown above: After returning to the .bin file and again following the above process, with a text editor, I opened one of the files contained inside the .bin. As seen above Ursnif was able to capture the fictitious information used to login to bing.com

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:

2016-07-21-Neutrino-EK-run-1.swf
Virus Total Link 2016-07-21-Neutrino-EK-run-2.swf
Virus Total Link 2016-07-21-consserv.exe-run-1
C:\Users\%UserName%\AppData\Roaming\cmicmgmt\consserv.exe
Virus Total Link 2016-07-21-consserv.exe-run-2
C:\Users\%UserName%\AppData\Roaming\cmicmgmt\consserv.exe
Virus Total Link Tagged

Viewing all articles
Browse latest Browse all 12749

Latest Images

Trending Articles





Latest Images