Normal view

There are new articles available, click to refresh the page.
Before yesterdayMDNC | Malware don’t need Coffee

Choose Again.

By: Kafeine
28 February 2020 at 13:50

This is the last post/activity you’ll see on MDNC.

I have now chosen to bring the MDNC (Blog/Kafeine/MISP) project to an end.
Thanks to those who helped me during this incredible 8 years journey.

The blog and twitter account will stay up (but inactive) for the records.
The MDNC MISP instance will be shut down in several weeks.

‘Choose again.’ said Aenea. ‘Dan Simmons, The Rise of Endymion‘

That’s all Folks!

CVE-2018-15982 (Flash Player up to and Exploit Kits

By: Kafeine
16 January 2019 at 13:50

The CVE-2018-15982 is a bug that allows remote code execution in Flash Player up to, spotted in the wild as a 0day. Patched on December 05, 2018 with APSB18-42.


Underminer exploit kit improves in its latest iteration - 2018-12-21 - Malwarebytes




Figure 4: Fallout exploiting CVE-2018-15982 on Windows 7 - 2019-01-16

Files: Fiddler on VT - Pcap on VT

Associated Advert underground:

Итак! Тяжкие работы по восстановлению всей инфраструктуры связки закончены, были проведены тесты и в данный момент связка работает в полном объеме. Также были произведены множество правок и изменений.


  1. Увеличена производительность
  2. Полностью переработан механизм обфускации кода и генерации лэндинга.
  3. Убран CVE-2018-8373 на переработку. В данный момент сплоит ведет себя не стабильно.
  4. Добавлен новый флеш сплоит CVE-2018-15982.
  5. Для запуска повершелл в шеллкод добавлен код отключения AMSI
  6. Кучка мелких правок


В данный момент при проверке отстука софта со связки было выявлено:

  1. Отстук EXE на уровне 80-90%
  2. Отстук PowerShell на уровне 95-100%

Translated by google as:

So! The hard work on the restoration of the entire infrastructure of the bundle was completed, tests were carried out and at the moment the bundle is working in full. There have also been many edits and changes.


  1. Increased performance
  2. The code obfuscation and landing generation mechanism has been completely redesigned.
  3. Removed CVE-2018-8373 for recycling. At the moment, the flow rate is not stable.
  4. Added new flash sploit CVE-2018-15982.
  5. To launch Powershell, the disable code AMSI is added to the shellcode
  6. A bunch of minor edits

CHANGED PRICE POLICY Week 400 $ Month $ 1300

At the moment, when checking the otstuk software from the bundle, it was revealed:

  1. Otstuk EXE level 80-90%
  2. Otstuk PowerShell at the level of 95-100%
IOC Type Comment Date
payformyattention[.]site|51.15.35[.]154 domain|IP Fallout EK 2019-01-16
whereismyteam[.]press|51.15.111[.]159 domain|IP Fallout EK 2019-01-16
bd31d8f5f7d0f68222517afc54f85da9d305e63a2ff639c6c535e082de13dede SHA-256 GandCrab Ransomware 2019-01-16


2019-03-06 Appears to be a new Exploit Kit which has some similarities with “SPL EK”. (CVE-2018-8174 has been spotted there as well)


Figure 4: Spelevo exploiting CVE-2018-15982 on Windows 7 - 2019-03-07


Thanks to Chaoying Liu for CVE confirmation.

Files: Fiddler on VT - Pcap on VT (note: Some proxy were used)

IOC Type Comment Date
letsdoitquick[.]site| domain|IP Redirector (Keitaro TDS) 2019-03-07[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06
blasian.bestseedtodo[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06
flashticket[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06
read.updateversionswf[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-07
9aa8e341cc895350addaf268b21f7a716f6d7993575fdba67a3fe7a9e23b8f90 SHA-256 Gootkit “1999” 2019-03-07
2feba3cc47b7f1d47a9e1277c4f4ad5aa5126e59798ac096459d1eae8f573c35 SHA-256 Gootkit “3012” (2nd Stage) 2019-03-07
ws.blueberryconstruction[.]it|185.158.250[.]163 domain|IP Gootkit C2 2019-03-07
ws.diminishedvaluevirginia[.]com|185.158.251[.]115 domain|IP Gootkit C2 2019-03-07
gttopr[.]space|198.251.83[.]27 domain|IP Gootkit C2 2019-03-07

GreenFlash Sundown:

19.03.26 #Malvertising -> #GreenFlashSundown EK-> #SeonRansomware ver 0.2 & #pony & #miner using CVE-2018-15982 - 2019-04-05 - @vigilantbeluga

Shadowgate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit - 2019-06-27 - Trendmicro

Read More:

Adobe Flash Zero-Day Exploited In the Wild - 2018-12-05 - Gigamon

Underminer exploit kit improves in its latest iteration - 2018-12-21 - Malwarebytes

CVE-2018-8174 (VBScript Engine) and Exploit Kits

The CVE-2018-8174 is a bug that allows remote code execution in the VBScript Engine. Found exploited in the wild as a 0day via Word documents, announced by Qihoo360 on April 20, 2018, patched by Microsoft on May 8, 2018 and explained in details by Kaspersky the day after.

A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now beeing integrated in Browser Exploit Kits.

This will replace CVE-2016-0189 from july 2016 and might shake the Drive-By landscape for the coming months.


Spotted on the 2018-05-25

“TakeThat” wrote yesterday (2018-05-24) that he has integrated it and that infection rate has increased:

Добавлен CVE-2018-8174
Add CVE-2018-8174
Пробив/rate + boom.gif

And indeed today:


Figure 1: RIG launching code exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-05-25

IOC Type Comment Date IP Redirector 2018-05-23 IP RIG 2018-05-24 IP RIG 2018-05-24 IP RIG 2018-05-24 IP RIG 2018-05-24
vnz[.]bit|104.239.213[.]7 domain|IP Smoke Bot C2 2018-05-25
vnz2107[.]ru|104.239.213[.]7 domain|IP Smoke Bot C2 2018-05-25
92e7cfc803ff73ed14c6bf7384834a09 md5 Smoke Bot 2018-05-25
58648ed843655d63570f8809ec2d6b26 md5 Extracted VBS 2018-05-25

Files: PCAP on VT



Spotted on the 2018-06-02

After a week without buying traffic, Magnitude is active again, now with CVE-2018-8174: Magnitude_CVE-2018-8174

Figure 2: Magnitude successfully exploiting CVE-2018-8174 against IE11 on Windows 7 to deploy Magniber Ransomware - 2018-06-02

Note: Magniber is back (after 1 month and half of GandCrab) in this infection chain and is now (as GandCrab) also accepting Dash cryptocurrency as payment

IOC Type Comment Date
taxhuge[.]com| Domain|IP Magnigate step 1 2018-06-02
69j366ma35.fedpart[.]website| Domain|IP Magnigate step 2 2018-06-02
a23e5cwd602oe46d.addrole[.]space| Domain|IP Magnitude 2018-06-02
f48a248ddec2b7987778203f2f6a11b1 md5 Extracted VBS 2018-06-02
30bddd0ef9f9f178aa39599f0e49d733 md5 Magniber 2018-06-02
[ID].bitslot[.]website| Domain|IP Magniber Payment Server 2018-06-02
[ID].carefly[.]space| Domain|IP Magniber Payment Server 2018-06-02
[ID].trapgo[.]host| Domain|IP Magniber Payment Server 2018-06-02
[ID].farmand[.]site| Domain|IP Magniber Payment Server 2018-06-02

Files: Fiddler on VT (note: some proxy were used)


Spotted by Joseph Chen on 2018-06-14


Figure 3: GrandSoft exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-06-14

Files: Fiddler on VT - Pcap on VT

IOC Type Comment Date
easternflow[.]ml| Domain|IP BlackTDS 2018-06-14
uafcriminality[.]lesbianssahgbrewingqzw[.]xyz| Domain|IP GrandSoft EK 2018-06-14
cec253acd39fe5d920c7da485e367104 md5 Undefined Loader 2018-06-14
a15d9257a0c1421353edd31798f03cd6 md5 GandCrab 2018-06-14 IP AscentorLoader C2 2018-06-14
carder[.]bit Domain GandCrab C2 2018-06-14
ransomware[.]bit Domain GandCrab C2 2018-06-14


  • Thanks to Joseph Chen who spotted the new exploit and allowed the capture of this traffic.


  • 2018-06-19 - Added the name for the Loader


Spotted on 2018-06-30, most probably there since 2018-06-16


Figure 4: Fallout exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-30

Files: Fiddler on VT - Pcap on VT


Kaixin EK:

Spotted by JayK on 2018-07-12


Figure 5: Kaixin exploiting CVE-2018-8174 against IE11 on Windows 7 - 2018-08-11

Files: Fiddler on VT - Pcap on VT

Hunter EK:


Figure 6: Hunter including CVE-2018-8174 in its carpet bombing against IE11 on Windows 7 - 2018-08-30

Files: Fiddler on VT


  • Thanks to Frank Ruiz (FoxIT InTELL) for allowing this capture.

Greenflash Sundown:

Spotted by Chaoying Liu on 2018-09-05


Read More:
The King is dead. Long live the King! - 2018-05-09 - SecureList
Analysis of CVE-2018-8174 VBScript 0day - 2018-05-09 - Qihoo360

Post publication reading:
Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner - 2018-05-31 - Trend Micro
Delving deep into VBScript - Analysis of CVE-2018-8174 exploitation - 2018-07-03 - SecureList
Hello “Fallout Exploit Kit” - 2018-09-01 - Nao_Sec

CVE-2018-4878 (Flash Player up to and Exploit Kits

By: Kafeine
9 March 2018 at 19:19

The CVE-2018-4878 is a bug that allows remote code execution in Flash Player up to, spotted in the wild as a 0day, announced by the South-Korean CERT on the 31st of January. Patched on February 6, 2018 with ASPB18-03. Seen in malspam campaign two weeks after, it’s now beeing integrated in Exploit Kits.

This is, as far as i know, the first new working RCE integrated in non targeted Exploit Kit1 since CVE-2016-0189 in july 2016 (!).


GreenFlash Sundown:

Spotted on the 2018-03-09 (but probably there since several days)

CVE-2018-4878-Successful pass on GreenFlash Sundown

Figure 1: Greenflash Sundown successfully deploying Hermes 2.1 Ransomware after exploiting Flash in IE11 on Windows 7 - 2018-03-09

GreenFlash is a private heavily modified version of Sundown EK spotted in october 2016 by Trendmicro. It’s beeing exclusively used by the “WordsJS” (aka “ShadowGate”) group. This group is getting traffic from crompromised OpenRevive/OpenX advertising server since at least may 2015.


Figure 2: Some tagged activity from WordsJS displayed in MISP.

Some references about the activities of this group:

Blog/Tweet Date Author
OpenX Hacks example (malvertising) 2015-05-19 @malekal_morte
[Tweet] Malvertising via psychecentral[.]com 2015-10-12 @BelchSpeak […] Angler EK: Installs bedep, vawtrak and POS malware 2015-11-02 Cyphort
Music-themed Malvertising Lead To Angler 2016-01-19 Zscaler
[FR] Exemple d’une Malvertising sur OpenX 2016-04-13 @malekal_morte
Top Chilean News Website Emol Pushes Angler Exploit Kit 2016-05-11 Malwarebytes
Is it the End of Angler ? 2016-06-11 MDNC Shadowed Domains Lead to Neutrino EK 2016-08-12 RiskIQ
Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted2 2016-09-01 Talos
Sundown EK from sends Locky Ransomware 2016-10-17 @malware_traffic
New Bizarro Sundown Exploit Kit Spreads Locky 2016-11-04 Trendmicro

Files: Fiddler on VT - Pcap on VT (note: some https proxies were used)

IOC Type Comment Date
bannerssale[.]com|159.65.131[.]94 domain|IP Sundown GF Step 1 2018-01-09
aquaadvertisement[.]com|159.65.131[.]95 domain|IP Sundown GF Step 2 2018-03-09
listening.secondadvertisements[.]com|207.148.104[.]5 domain|IP Sundown GF Step 3 2018-03-09
65bd3d860aaf8874ab76a1ecc852a570 md5 Ransomware Hermes 2.1 2018-03-09
f84435880c4477d3a552fb5e95f141e1 md5 Ransomware Hermes 2.1 2018-03-10

If you saw this kind of traffic in your perimeter/telemetry, i’d be happy to get more referer


  • 2018-03-10 - 15:40 GMT - Removed mention of steganography. @smogoreli: “simple offset in the dat file”


  • Thanks to Genwei Jiang (FireEye) for the CVE identification.
  • Thanks to Joseph Chen for inputs allowing the capture of a fresh pass of GreenFlash Sundown.
  • Thanks to @GelosSnake & @baberpervez2 for the ping on suspicious activity that could be associated to “WordsJS” (aka “ShadowGate”) and triggered those checks.


Spotted on the 2018-04-01


Figure 3: Magnitude successfully deploying Magniber Ransomware after exploiting CVE-2018-4878 on Flash in IE11 on Windows 7 - 2018-04-01

Magnitude is using the WSH injection described by Matt Nelson in August 2017.


Figure 4: UAC prompt on the wsh injection executed upon successful exploitation

Payload is the Magniber Ransomware, first spotted in the wild in october 2017, in a context documented by Trendmicro.


Figure 5: Some tagged activity from Magnigate displayed in MISP.

Select OSINT about this infection chain:

Blog/Tweet Date Author
Magnitude Actor Adds a Social Engineering Scheme for Windows 10 2017-08-03 Proofpoint
[Tweet] Ransomware spread by Magnitude. Hosted behind same infra. KOR focused for now 2017-10-16 Kafeine
Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware 2017-10-18 Trendmicro

Files: Fiddler on VT - Pcap on VT (note: some https proxies were used)
IOCs: MISP Json (note: all those are changing almost hourly)

IOC Type Comment Date
finansee[.]credit|209.95.60[.]115 domain|IP Magnigate Step 1 2018-04-01
adex7s92616.fryrids[.]com|144.217.197[.]9 domain|IP Magnigate Step 2 2018-04-01
353kb544cv.anlogs[.]space|66.70.223[.]111 domain|IP Magnitude Exploit Kit 2018-04-01
*.fitpint[.]website|139.60.161[.]43 domain|IP Magniber Payment server 2018-04-01
*.riskjoy[.]pw|162.213.25[.]235 domain|IP Magniber Payment server 2018-04-01
*.ratesor[.]site|198.56.183[.]147 domain|IP Magniber Payment server 2018-04-01
*.accorda[.]space|107.167.77[.]100 domain|IP Magniber Payment server 2018-04-01
*.uxijz4kdhr4jp3wf[.]onion domain Magniber Payment server on tor 2018-04-01
1d4b9c4b4058bfc2238e92c0eebb5906 md5 Magniber Ransomware 2018-04-01


Spotted on the 2018-04-09

Replying to a customer complaining yesterday (2018-04-08) about the lack of CVE-2018-4878, “TakeThat” wrote early this morning (2018-04-09):

Чистки выполняются вовремя
Конечно мы добавили флеш CVE-2018-4878 он доступен на подписке от недели

Translated by google as:

Cleaning is done on time
Of course, we added the flash CVE-2018-4878 it is available on subscription from the week

And indeed today as spotted by @nao_sec:


Figure 6: RIG successfully exploiting CVE-2018-4878 on Flash in IE11 on Windows 7 - 2018-04-09

IOC Type Comment Date
cash111[.]club|18.220.221[.]2 domain|IP Keitaro TDS 2018-04-09 IP RIG 2018-04-09
omega.level7[.]gdn|89.45.67[.]198 domain|IP Urausy C2 2018-04-09
1bd20aa0433f3f03001b7f3e6f1fb110 md5 RIG Flash Exploit 2018-04-09
712385a6073303a20163e4c9fb079117 md5 Urausy - probably as a loader 2018-04-09


Spotted on 2018-06-28, most probably there since 2018-06-16

Despite seeing code pointing to it, we did not saw it properly called in traffic.

Fallout_CVE-2018-4878 Call

Figure 6: Fallout call for CVE-2018-4878 in it's landing 2018-08-30

Blog/Tweet Date Author
Hello “Fallout Exploit Kit” 2018-09-01 Nao_Sec
IOC Type Comment Date
md5 747c32e55b4e847c3274503290507aa1 Fallout Flash Exploit 2018-08-31


  • 2018-04-10 - 10:05 GMT - Modified to reflect payload id: Urausy. Not seen since 2015-06-09


  • Thanks to Kimberly for the payload identification.
  1. For instance CVE-2016-7855 has been integrated as a 0day in Sednit EK in october 2016. 

  2. It was not exactly a malvertising but some ad server compromission and nothing, but a bunch of shadowed domains, was really taken down 

CoalaBot: http Ddos Bot

By: Kafeine
16 October 2017 at 09:01

CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)

I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising.

2017-09-11: a witnessed infection chain to CoalaBot

A look inside :
CoalaBot: Login Screen
(August Stealer alike) 

CoalaBot: Statistics

CoalaBot: Bots

CoalaBot: Tasks
CoalaBot: Tasks

CoalaBot: New Taks (list)

CoalaBot: https get task details

CoalaBot: http post task details

CoalaBot: Settings
Here is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.
(Thanks to Andrew Komarov and others who provided help here).
Coala Http Ddos Bot

The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.

Attack types:

* - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.

• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)
• ~100kb after obfuscation
• Auto Backup (optional)
• Low CPU load for efficient use
• Encryption of incoming/outgoing traffic
• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)
• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.
• Ability to link a build to more than one gate.

• Detailed statistics on time online/architecture/etc.
• List of bots, detailed information
• Number count of requests per second (total/for each bot)
• Creation of groups for attacks
• Auto sorting of bots by groups
• Creation of tasks, the ability to choose by group/country
• Setting an optional time for bots success rate


• Providing macros for randomization of sent data
• Support of .onion gate
• Ability to install an additional layer (BOT => LAYER => MAIN GATE)


• PHP 5.6 or higher
• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensions


• Created tasks -


• $300 - build and panel. Up to 3 gates for one build.
• $20 - rebuild
The price can vary depending on updates.
Escrow service is welcome.

Help with installation is no charge.


VT link
MD5 f3862c311c67cb027a06d4272b680a3b
SHA1 0ff1584eec4fc5c72439d94e8cee922703c44049
SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f

Emerging Threats rules :
2024531 || ET TROJAN MSIL/CoalaBot CnC Activity

Read More:
August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Bye Empire, Hello Nebula Exploit Kit.

By: Kafeine
2 March 2017 at 21:17
Nebula Logo

While Empire (RIG-E) disappeared at the end of December after 4 months of activity

Illustration of  the last month of witnessed Activity for Empire
on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

Selling EK Nebula
Nebula Exploit kit

-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested whit popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon...)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

24h - 100$
7d - 600$
31d - 2000$

Jabber - [email protected]

Offering free tests to trusted users 

In same thread some screenshots were shared by a customer.

Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan redirecting traffic to a variation of Sundown.

"GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17
Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) 

This Sundown variation was not so much different from the mainstream one.
No "index.php?" in the landing URI, different domain pattern but same landing, exploits, etc... Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.

Digging more it appeared it was featuring an Internal TDS (as Empire). 
The same exact call would give you a different payload in France or in United Kingdom/Japan.
"GamiNook" traffic with geo in France - 2017-02-17
Identicall payload call gives you Gootkit instead of Pitou
Payload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)
Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.

At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).

So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.

The following days i saw other actor sending traffic to this EK.
Taxonomy tied to Nebula Activity in MISP - 2017-03-02
Taxonomy tied to GamiNook traffic activity, EK and resulting payload

Today URI pattern changed from this morning :


(which is Sundown/Beps without the index.php) to


(for those who would like to build their regexp, more pattern available here : )

2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02

This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK but let's wait and see. The only difference with Sundown till today was its internal TDS.

CVE-2014-6332 + CVE-2015-0016
CVE-2016-0189 godmode

Files:  Nebula_2017-03-02 (2 fiddler - password is malware)

Acknowledgement :
Thanks Joseph C Chen and Brooks Li (Trendmicro),  Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.

2017-03-03 Corrected some CVE id + not all payload are in clear
Some IOCs

Date Sha256 Comment
2017/02/17 f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5 Flash Exploit (CVE-2016-4117)
2017/02/27 be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2ecc Flash Exploit (CVE-2016-4117)
2017/02/17 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown)
2017/02/17 04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c Flash Exploit (CVE-2015-8651 Sample seen previously in Sundown)
2017/02/17 b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315c Pitou
2017/02/17 6fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8 Gootkit
2017/02/22 1a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64b Ramnit
2017/03/02 6764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4a DiamondFox

Date Domain IP Comment
2017/02/17 Nebula Payload Domain
2017/02/22 Nebula Payload Domain
2017/02/24 Nebula Payload Domain
2017/02/28 Nebula Payload Domain
2017/03/02 Nebula Payload Domain
2017/02/17 Nebula
2017/02/17 Nebula
2017/02/17 Nebula
2017/02/17 Nebula
2017/02/22 Nebula
2017/02/22 Nebula
2017/02/22 Nebula
2017/02/23 Nebula
2017/02/23 Nebula
2017/02/23 Nebula
2017/02/23 Nebula
2017/02/23 Nebula
2017/02/23 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/24 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/25 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/26 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/27 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/02/28 Nebula
2017/03/01 Nebula
2017/03/01 Nebula
2017/03/01 Nebula
2017/03/01 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula
2017/03/02 Nebula

CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits

By: Kafeine
6 January 2017 at 13:15

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.

Note : No successful exploitation seen despite integration tries.

On 2017-01-04 @theori_io released a POC
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —
— Theori (@theori_io) 4 janvier 2017

providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.

After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.

The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.

[edit : 2017-01-10]
​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.


Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06
No exploitation here though
Fiddler: (password is malware)

Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)

Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.
So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.
Without big surprise a new exploit is included in the Flash bundle : nw27 >  CVE-2016-7200/7201.

NeutrAds redirect is now  accepting Edge traffic - 2017-01-14

Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14
(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )

Extracted CVE-2016-7200/7201  elements - 2017-01-14

Note: i did not get infection with
- Edge 25.10586.0.0 / EdgeHTML 13.10586
- Edge 20.10240.16384.0

Fiddler&Pcap :  (Password is malware)
Extracted exploits: (Password is malware)

reveiled[.space| - NeutrAds Filtering Redirector
vfwdgpx.amentionq[.win| - Neutrino

Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610
Associated C2 :
buyyou[.org |

So those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get Gootkit
MISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)
2017-01-15 Finding by Simon Choi

CVE-2016-7200/7201 code fired by Kaixin - 2017-01-16
Fiddler : (Password is malware)

Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332


2016-11-10 - Adding information about mitigation on Edge
2016-11-14 - Adding Neutrino
2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not
2016-11-16 - Adding Kaixin

Read More:
Three roads lead to Rome - Qihoo360 - 2016-11-29
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04

RIG evolves, Neutrino waves goodbye, Empire Pack appears

By: Kafeine
2 October 2016 at 03:57

  Neutrino waves Goodbye

Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware.

Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016

RIG += internal TDS :

Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]
I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me)

Picture2: Blackhole - 2012 - Internal TDS illustration

but disappeared from the market with the end of Nuclear Pack

Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration

and Angler EK

Picture 4 : Angler EK - Internal TDS illustration

This is a key feature for load seller. It is making their day to day work with traffic provider far easier .
It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.

Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country).

Picture 5: A Sutra TDS in action in 2012 - cf The path to infection

RIG += RC4 encryption, dll drop and CVE-2016-0189:

Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.
A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189

Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo

Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.

Neutrino waves goodbye ?

On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :
“we are closed. no new rents, no extends more”
This explains a lot. Here are some of my last Neutrino pass for past month.
Picture 8: Some Neutrino passes for past month and associated taxonomy tags in Misp

As you can see several actors were still using it…Now here is what i get for the past days :
Picture 9: Past days in DriveBy land
Not shown here, Magnitude is still around, mostly striking in Asia

Day after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.

Picture 10: Last banner for Neutrino as of 2016-09-16

Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.
Side reminder : Neutrino disappeared from march 2014 till november 2014

A Neutrino Variant

Several weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino.

Picture 11: Neutrino-v pass on the 2016-09-21

Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits

Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder
Note the pnw26 with no associated binary data, the rubbish and additionalInfo

A Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523

Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api

 function k2(k) {
var y = a(e + "." + e + "Request.5.1");
y.setProxy(n);"GET", k(1), n);
y.Option(n) = k(2);
if (200 == y.status) return Rf(y.responseText, k(n))
Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)

I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it)

Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x
The actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.

Empire Pack:

Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised.

Picture 15: King of Loads - Empire Pack Panel

Some might feel this interface quite familiar…A look a the favicon will give you a hint

Picture 16: RIG EK favicon on Empire Pack panel

Picture 17: RIG Panel

It seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.
I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections.
RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIG
  • api.php : historical RIG
  • api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]
  • remote_api.php : RIG-v
But Empire Pack might be api3, remote_api, or a bit of both of them.

By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there.   :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing)


Let’s just conclude this post with statistics pages of two Neutrino threads

Picture 18: Neutrino stats - Aus focused thread - 2016-07-15

Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09

We will be known forever by the tracks we leave
Santee Sioux Tribe

Some IOCs

Date Domain IP Comment
2016-10-01 szsiul.bluekill[.]top Neutrino-v
2016-10-01 twqivrisa.pinkargue[.]top Neutrino-v
2016-10-01 u0e1.wzpub4q7q[.]top RIG-E (Empire Pack)
2016-10-01 adspixel[.]site NeutrAds Redirector
2016-09-30 re.flighteducationfinancecompany[.]com RIG-v
2016-09-28 add.alislameyah[.]org RIG-v
2016-09-28 lovesdeals[.]ml RIG-v
2016-09-27 dns.helicopterdog[.]com RIG
2016-09-26 sv.flickscoop[.]net RIG
2016-09-26 red.truewestcarpetcare[.]com RIG-v
2016-09-26 oitutn.yellowcarry[.]top Neutrino


Thanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf ( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.


2016-10-03 :
Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.
Added explanation about the IP whitelisting on RIG API (it was not clear)
2016-10-08 :
Updated with gained information on Empire Pack
2016-11-01 :
RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.

RIG panel
The only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)
2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)

RIG-E Behavioral
RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.

2016-12-03 RIG-v Pre-landing

Read More

RIG’s Facelift - 2016-09-30 - SpiderLabs
Is it the End of Angler ? - 2016-06-11
Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01
Hello Neutrino ! - 2013-06-07
The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05

Fox stealer: another Pony Fork

By: Kafeine
26 September 2016 at 11:12

Gift for SweetTail-Fox-mlp
 by Mad-N-Monstrous

Small data drop about another Pony fork : Fox stealer.
First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.

Advert :
2016-08-11 - Sold underground by a user going with nickname "Cronbot"

Стилер паролей и нетолько - Fox v1.0

Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.

О продукте : 
1. Умеет все что умеет пони. + добавлен новый софт.
2. Актуален на 2016 год.
3. Написан на С++ без дополнительных библиотек.
4. Админка от пони.

Условия : 
1. Только аренда.
2. Распространяется в виде EXE и DLL.
3. Исходники продавать не будем.

Аренда 250$ в месяц.
Исходники 2000$ разово.

----Translated by Jack Urban : ----

Password stealer and more - Fox v.1.0
We are releasing the product for general sale. Final stage of testing for this product is already underway.
About the product:
1. Is able to do everything that pony does. + new software has been added.
2. Relevant for 2016.
3. Written in C++ without additional libraries.
4. Admin from pony.
1. For rent only.
2. Distributed as an EXE and DLL.
3. We will not be selling the source.
Rent is $250 a month.
Originals are a 2000$ one time fee. 


It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .

MISP taxonomy tags reflecting ScriptJS activity in the last months
(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )

2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13
Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2

Fox stealer (PonyForx) fingerprint in Cuckoo

Sample :
Associated C2:
Caught by ET rule :
2821590 || ETPRO TROJAN Win32.Pony Variant Checkin

[1] ScriptJS's Pony :
master.districtpomade[.]com| - 2015-08-15 Pony C2 from ScriptJS
​js.travelany[.]com[.]ve| - 2015-12-10 Pony C2 from ScriptJS

Read More : few bits about ScriptJS