Cyphort Labs recently discovered that a leading Israeli think tank, the Jerusalem Center For Public Affairs (JCPA) on Israeli Security, is serving the Sweet Orange exploit kit, a drive-by download that can infect the computer of anyone who visits the site. We believe that bad actors compromised the think tank's hosting account and injected the site with web exploits. The initial dropper is a version of the Qbot malware.

Cyphort Labs discovers many infected websites every day, but Israeli organizations are generally regarded as having a better security posture than most. This infection should serve as yet another wake-up call to website owners that nobody is untouchable when it comes to falling victim to an infection. Implementing the best practice of continuous monitoring and mitigation is a promising, safe start.
Here is what the infection chain looks like:

  • hxxp://jcpa.org/ (198.1.101.123)
  • hxxp://jcpa.org/wp-includes/js/jquery/jquery.js?ver=1.11.0 (198.1.101.123)
  • hxxp://cdn.jameswoodwardmusic.com/k?t=[random] (192.185.16.158)
  • hxxp://cdn3.thecritico.com:16122/clickheat/stargalaxy.php?nebula=3 (95.163.121.188)
  • hxxp://cdn3.thecritico.com:16122/clickheat/Fqxzdh.jar
  • hxxp://cdn3.thecritico.com:16122/clickheat/cnJzjx.jar
  • hxxp://cdn5.thecritico.mx:16122/cars.php?teen=271&……&investor=379 (95.163.121.188)

This is a view of the sequence of HTTP sessions leading to the dropper download:

[Figure sweet-orange-1: sequence of HTTP sessions leading to the dropper download]

According to the Malware Traffic Analysis blog, a similar infection chain has been seen from www.techo-bloc.com. In both cases the JavaScript file on the compromised server was modified to serve the exploit kit.

The initial redirection server, 192.185.16.158, has been used widely in recent web infections. It appears to be a shared web hosting server belonging to HostGator, according to a recent DomainTools lookup. Domains of innocent users in the music industry and law firms are used as the "redirection" link in the infection chain. The target exploit server, 95.163.121.188, is hosted in Russia; this single IP is the endpoint behind many such changing domain names, all of which contain the substring "cdn". Once the bad actors get access to an account or server, they simply create a corresponding "cdn" subdomain entry under that domain and point it at the exploit server. In this way they bypass much of the URL categorization and URL blacklisting technology, since the parent domain still carries a clean reputation.
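
The "cdn" subdomain trick above is visible in ordinary proxy logs if you look for it. The following script is an added example, not Cyphort's tooling: it parses constructed proxy lines that mirror the jcpa.org chain, scores each request on three weak indicators (a host whose first label starts with "cdn" but resolves somewhere other than its parent domain's own address, a non-standard port, and a Java archive fetch), and reports a client's host chain once a host accumulates two or more indicators. The log field layout and the APEX_A passive-DNS table are assumptions made for this example.

```python
"""Flag exploit-kit redirection chains, like the one above, in web-proxy logs.

Added example, not Cyphort's tooling.  The log lines are constructed to mirror
the jcpa.org chain; the proxy field layout (time client dst_ip host:port path
referer) and the APEX_A table are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed proxy log.  Client 10.0.0.5 walks the infection chain; 10.0.0.6
# fetches a legitimate script from a real CDN host and must not be flagged.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 198.1.101.123 jcpa.org:80 / -
10:00:01 10.0.0.5 198.1.101.123 jcpa.org:80 /wp-includes/js/jquery/jquery.js?ver=1.11.0 http://jcpa.org/
10:00:02 10.0.0.5 192.185.16.158 cdn.jameswoodwardmusic.com:80 /k?t=83721 http://jcpa.org/
10:00:03 10.0.0.5 95.163.121.188 cdn3.thecritico.com:16122 /clickheat/stargalaxy.php?nebula=3 http://jcpa.org/
10:00:04 10.0.0.5 95.163.121.188 cdn3.thecritico.com:16122 /clickheat/Fqxzdh.jar http://cdn3.thecritico.com:16122/clickheat/stargalaxy.php?nebula=3
10:00:05 10.0.0.5 95.163.121.188 cdn5.thecritico.mx:16122 /cars.php?teen=271&investor=379 http://cdn3.thecritico.com:16122/clickheat/stargalaxy.php?nebula=3
10:00:09 10.0.0.6 93.184.216.34 cdn.example.net:80 /static/app.js http://www.example.net/
"""

# Constructed: the A record of each parent (apex) domain.  In production this
# comes from passive DNS; a "cdn" label that resolves somewhere else entirely
# is the tell described above.
APEX_A = {
    "jcpa.org": "198.1.101.123",
    "jameswoodwardmusic.com": "192.185.16.158",
    "thecritico.com": "203.0.113.10",
    "thecritico.mx": "203.0.113.10",
    "example.net": "93.184.216.34",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+) (\S+) (\S+)$")
JAVA_RE = re.compile(r"\.(?:jar|class)(?:\?|$)", re.I)


def parse_log(text):
    """Turn raw proxy lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, dst_ip, host, port, path, referer = m.groups()
            events.append(dict(ts=ts, client=client, dst_ip=dst_ip, host=host.lower(),
                               port=int(port), path=path, referer=referer))
    return events


def parent_domain(host):
    """Crude apex extraction (last two labels); enough for this example."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def indicators(ev, apex_a):
    """Return the weak indicators this single request exhibits."""
    hits = []
    first_label = ev["host"].split(".")[0]
    apex_ip = apex_a.get(parent_domain(ev["host"]))
    if first_label.startswith("cdn") and apex_ip and apex_ip != ev["dst_ip"]:
        hits.append("cdn-label-off-apex-host")
    if ev["port"] not in (80, 443):
        hits.append("nonstandard-port")
    if JAVA_RE.search(ev["path"]):
        hits.append("java-archive")
    return hits


def detect(text, apex_a=APEX_A, threshold=2):
    """Per client: the ordered host chain plus the hosts reaching the threshold.

    Single indicators are noisy (plenty of legitimate services sit on odd
    ports), so a host is only reported once it accumulates `threshold`
    distinct indicators across the client's requests.
    """
    chains = defaultdict(list)
    hits = defaultdict(lambda: defaultdict(set))
    for ev in parse_log(text):
        if ev["host"] not in chains[ev["client"]]:
            chains[ev["client"]].append(ev["host"])
        hits[ev["client"]][ev["host"]].update(indicators(ev, apex_a))
    report = {}
    for client, per_host in hits.items():
        flagged = {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}
        if flagged:
            report[client] = {"chain": chains[client], "flagged": flagged}
    return report


if __name__ == "__main__":
    for client, info in detect(SAMPLE_LOG).items():
        print(client, " -> ".join(info["chain"]))
        for host, reasons in info["flagged"].items():
            print("   ", host, reasons)
```

Note that cdn.jameswoodwardmusic.com is deliberately not flagged: it sits on the same HostGator address as its parent domain and on port 80, so the only way to catch the first hop is through its place in the chain, which is why the report prints the whole host sequence for the client rather than isolated hits.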

For those of you looking to see “scripts”, here are some more details.

The home page of jcpa.org is injected with a malicious jquery.js file:

[Figure sweet-orange-2: the injected jquery.js reference in the jcpa.org home page]

The jquery.js is obfuscated using multiple techniques. The de-obfuscated code shows that it receives the target exploit kit server URL from another domain:

[Figure sweet-orange-3: de-obfuscated jquery.js code retrieving the exploit kit URL from another domain]

The target exploit kit server URL is delivered from cdn.jameswoodwardmusic.com and it is in obfuscated form:

[Figure sweet-orange-4: the obfuscated exploit kit URL string as served by cdn.jameswoodwardmusic.com]

The injected jquery de-obfuscates the above URL string as shown below:

[Figure sweet-orange-5: the URL de-obfuscation routine in the injected jquery.js]

The initial, obfuscated exploit code served from cdn3.thecritico.com:16122/clickheat/stargalaxy.php?nebula=3:

[Figure sweet-orange-6: the obfuscated exploit code from stargalaxy.php]

De-obfuscating this code yields the final JavaScript that launches the exploits:

  1. Java exploits
  2. IE exploit
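
The whole chain starts with a modified jquery.js on the compromised server, and that is the one step the site owner can detect directly. The script below is an added example, not from the post or from Cyphort: it checks a served asset against a baseline SHA-256 manifest and, when the hash no longer matches, runs a few injection heuristics (eval, String.fromCharCode, unescape, document.write, a 1x1 iframe, long runs of hex-escaped characters) to separate an ordinary update from an injection. The file contents and the baseline manifest are constructed; in practice the baseline comes from the upstream release or a known good deployment.

```python
"""Catch a modified static asset such as the injected jquery.js described in
this section.  Added example, not from the post.  The file contents and the
baseline hash are constructed; in practice the baseline is taken from a known
good deployment (or the upstream release) and the scan runs on a schedule.
"""
import hashlib
import re

# Constructed stand-ins for the served file, before and after injection.
CLEAN_JQUERY = ("/*! jQuery v1.11.0 | (c) 2005, 2014 jQuery Foundation, Inc. */\n"
                "(function(a,b){/* library body elided */})(window);\n")
INJECTED_TAIL = (
    'var _0xa=["\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x63\\x64\\x6e"];'
    'eval(String.fromCharCode(100,111,99));'
    'document.write("<iframe src="+unescape("%68%74%74%70")+" width=1 height=1>");\n'
)
INJECTED_JQUERY = CLEAN_JQUERY + INJECTED_TAIL


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed baseline manifest: served path -> SHA-256 of the known good file.
BASELINE = {"wp-includes/js/jquery/jquery.js": sha256(CLEAN_JQUERY)}

# Secondary triage heuristics.  None is proof on its own (minified libraries
# legitimately use some of these), which is why the hash is the primary signal.
INJECTION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "hidden-iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?[01]\b", re.I),
    "hex-escaped-string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


def check_asset(path, content, baseline=BASELINE):
    """Return {'path', 'hash_ok': bool, 'findings': [heuristic names]} for one file."""
    expected = baseline.get(path)
    hash_ok = expected is not None and sha256(content) == expected
    findings = sorted(name for name, rx in INJECTION_PATTERNS.items() if rx.search(content))
    return {"path": path, "hash_ok": hash_ok, "findings": findings}


def verdict(result):
    """clean: hash matches; injected: hash differs and heuristics fire;
    modified-unknown: hash differs but nothing obvious, so a human looks."""
    if result["hash_ok"]:
        return "clean"
    return "injected" if result["findings"] else "modified-unknown"


if __name__ == "__main__":
    for content in (CLEAN_JQUERY, INJECTED_JQUERY):
        r = check_asset("wp-includes/js/jquery/jquery.js", content)
        print(verdict(r), r["findings"])
```

A hash mismatch with no heuristic findings still deserves a look: an attacker who appends only a single script tag pointing at an external host trips none of the patterns above, which is exactly why the baseline, not the heuristics, carries the decision.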

The final dropper is downloaded in encrypted form, decrypted in memory (key: investor) and then written to disk. The exploit kit served the Qbot binary twice, both copies with the same hash (MD5: 4ff506fe8b390478524477503a76f91a). Transferring the binary encrypted hides it from signature-based network security devices such as an IPS or an AV gateway, which only see the ciphertext on the wire.
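
For an analyst holding the packet capture, the encrypted transfer is only a speed bump. The script below is an added example, not Cyphort's code: the post says the dropper is decrypted in memory with key "investor" but does not name the cipher, so this example assumes repeating-key XOR (a common exploit-kit choice, stated here as an assumption) and verifies the guess by checking the output for a PE header instead of trusting the key. The "captured" blob is a constructed stand-in, not the real Qbot binary, and the candidate key list is built from the cars.php query parameters.

```python
"""Recover an exploit-kit payload that was delivered encrypted on the wire.

Added example, not Cyphort's code.  The post says the dropper is decrypted
in memory with key "investor" but does not say which cipher is used; this
example ASSUMES repeating-key XOR, a common exploit-kit choice, and verifies
the guess by checking the output for a PE header instead of trusting the key.
The "captured" blob is constructed, not the real Qbot binary.
"""
import hashlib
from itertools import cycle


def xor_bytes(data, key):
    """Repeating-key XOR; its own inverse, so it both 'encrypts' and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob):
    """True if blob starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_keys(blob, candidates):
    """Return (key, plaintext) for the first candidate that yields a PE file."""
    for key in candidates:
        out = xor_bytes(blob, key)
        if looks_like_pe(out):
            return key, out
    return None, None


# Constructed stand-in for the dropper: a DOS header whose e_lfanew (0x80)
# points at a PE signature, followed by filler.  Not a runnable executable.
FAKE_PE = (b"MZ" + b"\x90" * (0x3C - 2)
           + (0x80).to_bytes(4, "little")
           + b"\0" * (0x80 - 0x40)
           + b"PE\0\0" + b"\xCC" * 64)

# What a network sensor would actually see on the wire.
CAPTURED = xor_bytes(FAKE_PE, b"investor")

# Candidate keys: the parameter names and values from the cars.php query
# string are the natural first guesses (assumption of this example).
CANDIDATES = (b"teen", b"271", b"379", b"investor")


def recover(captured=CAPTURED, candidates=CANDIDATES):
    """Decrypt, confirm it is a PE, and return (key, md5) for IOC matching."""
    key, pe = try_keys(captured, candidates)
    if pe is None:
        return None, None
    return key, hashlib.md5(pe).hexdigest()


if __name__ == "__main__":
    print("PE visible on the wire:", looks_like_pe(CAPTURED))
    key, md5 = recover()
    print("key:", key, "md5:", md5)
```

The first print line is the whole point of the encrypted transfer: an IPS matching on the MZ/PE signature sees nothing on the wire, while the analyst with the key (or a short candidate list and a header check) gets the binary back and can compare its MD5 with the hash above.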

[Figure sweet-orange-7: the encrypted dropper transfer and its in-memory decryption]

The original filename of the final dropper is "todateMediator.exe". The binary carries debug information that links to its PDB file; judging by the project and PDB file names, we can expect an updated version from the same actor. The dropper is a "self-modifying" binary: it decompresses the final code from one of its sections using RtlDecompressBuffer() and overwrites its own executable section with the result. The sample also has anti-VM and anti-AV features built in:

[Figure sweet-orange-8: PDB path and anti-VM/anti-AV checks in the dropper]

Summary of our findings about this malware behavior:

  • Drops the following files:
    • %appdata%\Microsoft\{random folder}\{random filename}.exe – copy of itself
    • %appdata%\Microsoft\{random folder}\{random filename}.dll – contains encrypted data
  • Adds a run entry for the copied file
  • Injects code into explorer.exe and passes the newly copied file path to injected code.
  • Executes the copied executable
    • It is also looking for a .dll file in its own directory. (It tried to read from it)
  • It also registers itself as a service with display name:
    • Remote Procedure Call (RPC) Service
  • Collects the following information from the machine:
    • Installed date
    • Machine name
    • Product id
  • C&C server 85.114.135.19:8080 
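
The behaviour summary above translates directly into host-side hunting logic. The script below is an added example, not Cyphort's code: it runs three rules over constructed endpoint telemetry (Sysmon-like registry, service and network records flattened to dicts, with field names that are assumptions of this example), flagging a Run entry pointing into %APPDATA%\Microsoft\, a service that borrows the "Remote Procedure Call (RPC)" display name but does not run from svchost.exe in System32, and a connection to 85.114.135.19:8080. Two benign look-alike records are included to show the rules do not fire on them.

```python
"""Hunt for the persistence and C&C behaviour summarised above in endpoint
telemetry.  Added example, not Cyphort's code.  The events are constructed
(Sysmon-like registry, service and network records flattened to dicts); the
field names are assumptions of this example, not a real product schema.
"""
import re

C2 = ("85.114.135.19", 8080)

# %APPDATA%\Microsoft\<random>\<random>.exe|.dll, the drop location listed above.
APPDATA_MS_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\\[^\\]+\.(?:exe|dll)$", re.I)
# Windows' own RpcSs service is hosted by svchost.exe under System32.
SVCHOST_RE = re.compile(r'^"?C:\\Windows\\System32\\svchost\.exe', re.I)

# Constructed telemetry: three malicious records and two benign look-alikes.
EVENTS = [
    {"type": "registry_set", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Ehwzuq", "data": r"C:\Users\alice\AppData\Roaming\Microsoft\Ehwzuq\ktrxfn.exe"},
    {"type": "service_create", "host": "ws01",
     "display_name": "Remote Procedure Call (RPC) Service", "service_name": "ktrxfn",
     "image_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Ehwzuq\ktrxfn.exe"},
    {"type": "network_connect", "host": "ws01", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "85.114.135.19", "dst_port": 8080},
    {"type": "registry_set", "host": "ws02",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "service_create", "host": "ws02",
     "display_name": "Remote Procedure Call (RPC)", "service_name": "RpcSs",
     "image_path": r"C:\Windows\System32\svchost.exe -k rpcss"},
]


def rule_run_key_in_appdata(ev):
    """Run entry whose target lives under %APPDATA%\\Microsoft\\<dir>\\."""
    return (ev["type"] == "registry_set"
            and ev["key"].lower().endswith(r"\currentversion\run")
            and bool(APPDATA_MS_RE.search(ev["data"])))


def rule_fake_rpc_service(ev):
    """Borrowed RPC display name, but the image is not System32\\svchost.exe."""
    return (ev["type"] == "service_create"
            and ev["display_name"].startswith("Remote Procedure Call (RPC)")
            and not SVCHOST_RE.match(ev["image_path"]))


def rule_c2_connect(ev):
    return ev["type"] == "network_connect" and (ev["dst_ip"], ev["dst_port"]) == C2


RULES = {
    "qbot-run-key-appdata": rule_run_key_in_appdata,
    "qbot-fake-rpc-service": rule_fake_rpc_service,
    "qbot-c2-85.114.135.19-8080": rule_c2_connect,
}


def hunt(events=EVENTS):
    """Return (host, rule_name) pairs, one per matching event, in log order."""
    return [(ev["host"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


def hosts_by_hit_count(matches):
    """Rank hosts by how many distinct rules fired; two or more is a strong signal."""
    counts = {}
    for host, name in matches:
        counts.setdefault(host, set()).add(name)
    return sorted(((h, len(r)) for h, r in counts.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for host, rule in hunt():
        print(host, rule)
    print(hosts_by_hit_count(hunt()))
```

The C&C rule is the most brittle of the three, since the address will change; the service and Run-key rules describe the behaviour rather than the infrastructure and keep working across samples. The network record also shows explorer.exe as the connecting image, which is the injected code from the summary above; an outbound connection from explorer.exe to an arbitrary external port is worth a rule of its own in most environments.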

Interestingly, this binary contains a link to an FLV file for a "Wheat Thins" advertisement; perhaps a little monetization does not hurt: (hxxp://vindicoasset.edgesuite.net/Repository/CampaignCreative/Campaign_16474/INSTREAMAD/KRWT0565H_Chili_Pot_Non-New.flv)

It blocks the user from accessing various AV vendor websites. Login credentials are stolen for the following websites, or for any URL matching one of the following patterns:

  • blilk.com
  • bankeft.com
  • cmol.bbt.com
  • securentrycorp.zionsbank.com
  • tmcb.zionsbank.com
  • .web-access.com
  • nj00-wcm
  • commercial.bnc.ca
  • /clkccm/
  • paylinks.cunet.org
  • e-facts.org
  • accessonline.abnamro.com
  • providentnjolb.com
  • firstmeritib.com
  • corporatebanking
  • firstmeritib.com/defaultcorp.aspx
  • e-moneyger.com
  • jsp/mainWeb.jsp
  • svbconnect.com
  • premierview.membersunited.org
  • each.bremer.com
  • iris.sovereignbank.com
  • /wires/
  • paylinks.cunet.org
  • securentrycorp.amegybank.com
  • businessbankingcenter.synovus.com
  • businessinternetbanking.synovus.com
  • ocm.suntrust.com
  • otm.suntrust.com
  • cashproonline.bankofamerica.com
  • singlepoint.usbank.com
  • netconnect.bokf.com
  • business-eb.ibanking-services.com
  • cashproonline.bankofamerica.com
  • /cashplus/
  • ebanking-services.com
  • /cashman/
  • web-cashplus.com
  • treas-mgt.frostbank.com
  • business-eb.ibanking-services.com
  • treasury.pncbank.com
  • access.jpmorgan.com
  • tssportal.jpmorgan.com
  • ktt.key.com
  • onlineserv/CM
  • premierview.membersunited.org
  • directline4biz.com
  • .webcashmgmt.com
  • tmconnectweb
  • moneymanagergps.com
  • ibc.klikbca.com
  • directpay.wellsfargo.com
  • express.53.com
  • ctm.53.com
  • itreasury.regions.com
  • itreasurypr.regions.com
  • cpw-achweb.bankofamerica.com
  • businessaccess.citibank.citigroup.com
  • businessonline.huntington.com
  • /cmserver/
  • goldleafach.com
  • iachwellsprod.wellsfargo.com
  • achbatchlisting
  • /achupload
  • commercial2.wachovia.com
  • commercial3.wachovia.com
  • commercial4.wachovia.com
  • wc.wachovia.com
  • commercial.wachovia.com
  • wcp.wachovia.com
  • chsec.wellsfargo.com
  • wellsoffice.wellsfargo.com
  • /ibws/
  • /stbcorp/
  • /payments/ach
  • trz.tranzact.org
  • /wiret
  • /payments/ach
  • cbs.firstcitizensonline.com
  • /corpach/
  • scotiaconnect.scotiabank.com
  • webexpress.tdbank.com
  • businessonline.tdbank.com
  • /wcmpw/
  • /wcmpr/
  • /wcmtr/
  • tcfexpressbusiness.com
  • trz.tranzact.org

Call to action for the ecosystem: we are seeing more of these infections in the wild. When it comes to protecting your websites or your personal endpoint devices, nobody is untouchable to criminal actors. Any website can be a victim and then, without even knowing it, turn into an unwilling infecting website; an innocent music domain can be leveraged to redirect web surfers without detection if ownership of the subdomains under a domain is not strictly enforced; and any Internet user who steps into the infection chain without proper protection can get infected. From individuals to website owners to hosting providers, the best practice of continuous monitoring and mitigation is a promising, safe start.

I thank my colleagues Palaniyappan Bala and Paul Kimayong for help in the analysis.