Jul 21, 2016 by Analysis in EITEST
NOTES: Over the past two days I have been monitoring a website compromised by the EITEST campaign, pushing what appears to be Ursnif via the Neutrino Exploit Kit. Ursnif is classified as data-stealing malware. Below I will show how the data is stolen and exfiltrated to the command and control (C2) server. The traffic pattern has changed since I last saw Ursnif on May 25th 2016, when it was delivered via the Angler Exploit Kit. I also noticed that the traffic pattern and the data exfiltration changed over the course of the day, so I will show a comparison of the data exfiltration across the two runs.
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
PCAP file of the infection traffic: 2016-07-21-Neutrino-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES RUN 2:
126.96.36.199 - vredtyh.ml - EITEST GATE
188.8.131.52 - husqob.hb95cyjy.top - Neutrino EK LANDING PAGE
184.108.40.206 - constitution.org - GET /usdeclar.txt - Internet Connection Check
220.127.116.11 - SSL Port 443 - Command and Control - POST INFECTION
18.104.22.168 - absoluteconnected.ru - POST INFECTION
22.214.171.124 - tappropriations.ru - POST INFECTION

ASSOCIATED DOMAINS AND IP ADDRESSES RUN 1:
126.96.36.199 - shkter.xyz - EITEST GATE
188.8.131.52 - kyy1vt.acnp65o2.top - Neutrino EK LANDING PAGE
184.108.40.206 - www.gnu.org - GET /licenses/gpl.txt - Internet Connection Check
220.127.116.11 - rudoesnetworkthe.ru - GET / - POST INFECTION
18.104.22.168 - thlicensecodelfcharge.ru - GET / - POST INFECTION
22.214.171.124 - holydoesthegoverned.ru - GET / - POST INFECTION
126.96.36.199 - foundationpropagation.ru - GET / - POST INFECTION
188.8.131.52 - changebutresthaveyou.ru - POST / - DATA EXFILTRATION
184.108.40.206 - thlicensecodelfcharge.ru - POST / - DATA EXFILTRATION

On run 1 the data was exfiltrated over HTTP as .bin files. On run 2 the data was exfiltrated over SSL-encrypted port 443. Above you can see how the run 2 infection unsuccessfully tried to exfiltrate stolen data to IP address 220.127.116.11, as was done on run 1.

IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Traffic associated with the Neutrino exploit and Ursnif infection run 2
Shown above: Traffic associated with the Neutrino exploit and Ursnif infection from run 1
Shown above: Injected script found on compromised site associated with the EITEST campaign which redirects to the EITEST gate from run 2
Shown above: Script found on EITEST gate redirecting to the Neutrino Exploit Kit landing page from run 2
Shown above: Internet connection check used on run 2
Shown above: Internet connection check used on run 1
Shown above: On May 25th 2016 you could see how Ursnif used nasa.gov to complete its internet check
Shown above: On run 1 you can see how data was exfiltrated from the compromised host over HTTP, posting a .bin file containing the stolen data to the command and control server
Shown above: A comparison of how Ursnif exfiltrated the data on May 25th 2016 and on the first run on July 21st 2016
Shown above: Later in the day, on run 2, you can see how Ursnif attempted to connect to IP 18.104.22.168 but was unsuccessful. Ursnif then exfiltrated its data via IP 22.214.171.124 over SSL port 443
Shown above: Beginning of the post-infection SSL data exfiltration from run 2

POST INFECTION ARTIFACTS AND DATA EXFILTRATION:
Shown above: After the host is infected, Ursnif creates .bin files in which it stores stolen credentials and other information
Shown above: After opening the .bin file in a text editor you can see that the first two bytes are the letters "PK". "PK" is the file header signature used by .ZIP files.
Shown above: After renaming the file extension of 5AE8.bin to .zip I was able to extract the files listed above.
Shown above: After visiting bing.com and attempting to log in with fictitious information, I returned to the .bin file to examine the files.
Shown above: After returning to the .bin file and again following the process above, I opened one of the files contained inside the .bin with a text editor. As seen above, Ursnif captured the fictitious information used to log in to bing.com
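To triage these staging .bin files without renaming them by hand, here is an added Python helper (my own example, not code from the original post) that checks for the "PK" ZIP signature, lists the archive members by reading only the central directory, and searches the members for the fictitious login string. The sample archive and its contents are constructed inside the script and are not a real Ursnif artifact.

```python
import io
import zipfile

# Ursnif staged stolen data in *.bin files that are really ZIP archives:
# the local file header signature is "PK\x03\x04" (empty archive: "PK\x05\x06").
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"

# Constructed stand-ins for the stolen data (NOT from a real sample).
SAMPLE_FORMS = "site=bing.com user=fakeuser pass=FakePass1"
SAMPLE_SYSINFO = "host=WIN7-TEST\n"


def looks_like_zip(data: bytes) -> bool:
    """True if the blob starts with a ZIP signature, whatever its extension says."""
    return data[:4] in (ZIP_LOCAL_HEADER, ZIP_EMPTY_ARCHIVE)


def list_staged_bin(data: bytes) -> list:
    """Return (member name, uncompressed size) for each file in a staging .bin.
    Only the central directory is parsed; nothing is written to disk or executed."""
    if not looks_like_zip(data):
        raise ValueError("not a ZIP container, first bytes: %r" % data[:4])
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def members_mentioning(data: bytes, needle: bytes) -> list:
    """Names of members whose contents contain `needle` (e.g. the test site name)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if needle in zf.read(info):
                hits.append(info.filename)
    return hits


def build_sample_bin() -> bytes:
    """Build a constructed staging .bin in memory for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("forms.txt", SAMPLE_FORMS)
        zf.writestr("sysinfo.txt", SAMPLE_SYSINFO)
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_bin()
    for name, size in list_staged_bin(blob):
        print(f"{name}: {size} bytes")
    print("members with bing.com:", members_mentioning(blob, b"bing.com"))
```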
MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EXPLOIT:
2016-07-21-Neutrino-EK-run-1.swf - Virus Total Link
2016-07-21-Neutrino-EK-run-2.swf - Virus Total Link
2016-07-21-consserv.exe-run-1 - Virus Total Link
2016-07-21-consserv.exe-run-2 - Virus Total Link