Wednesday, October 2, 2013

Sweet Orange - Update

This content has moved to http://oalabs.openanalysis.net/2013/10/01/sweet-orange-exploit-kit-2013/

After 48 hours of monitoring the Sweet Orange EK noted in our previous post, some of the indicators have changed. Now that we know what changes and what doesn't, we can refactor our previous indicators and make them more robust.

We now know the refresh rate for the domain generation and the URL parameter changes: the EK changes the URL parameters every minute, while the domain is changed every 6 minutes.



What Has Changed

The strings used to obfuscate the applet parameters have been changed, and the applet has been recompiled with its decryption/de-obfuscation routine adapted to the new strings.

Before     After
V-XHNBZ    1-XHNBZ
ZR-IHNV    ZR-IHN1

The port that the malware host is using has changed (9101 to 12601), so the URL regex indicators need to change. As the first regex pair shows, the landing-page parameter name has also moved from spamnav to deals.

Before:
http://[a-z]+\.sytes\.net:9101/[a-z\/\.]+[^\?]\?spamnav=82
http://[a-z]+\.sytes\.net:9101/[a-z\/\.0-9\=\?\&]+

After:
http://[a-z]+\.sytes\.net:12601/[a-z\/\.]+[^\?]\?deals=82
http://[a-z]+\.sytes\.net:12601/[a-z\/\.0-9\=\?\&]+
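To show what "refactoring the indicators" looks like in practice, here is a small Python script that runs the before/after regexes above over some proxy-log lines, next to a loosened regex that pins only what stayed stable across the monitoring window. This is an added example, not the post's bin checker or any code from the original write-up. The four INDICATORS are the post's own regexes; the ROBUST regex, the sample log lines, the hostnames, the port 20301 and the promo parameter are all constructed for the demo and are assumptions, not observed traffic.

```python
import re

# The four URL indicators exactly as given in the post: the 'before' pair uses port 9101 and
# the spamnav parameter, the 'after' pair port 12601 and the deals parameter.
INDICATORS = {
    "before_landing": r"http://[a-z]+\.sytes\.net:9101/[a-z\/\.]+[^\?]\?spamnav=82",
    "after_landing": r"http://[a-z]+\.sytes\.net:12601/[a-z\/\.]+[^\?]\?deals=82",
    "before_any": r"http://[a-z]+\.sytes\.net:9101/[a-z\/\.0-9\=\?\&]+",
    "after_any": r"http://[a-z]+\.sytes\.net:12601/[a-z\/\.0-9\=\?\&]+",
}

# Refactored indicator. This regex is an assumption of the example, not one the post publishes:
# it pins what the monitoring showed to be stable (a no-ip sytes.net host, a numeric port, a
# lowercase path, a single lowercase parameter with a numeric value) and lets the port and the
# parameter name float, since both are known to rotate.
ROBUST = r"http://[a-z]+\.sytes\.net:\d{2,5}/[a-z/.]+\?[a-z]+=\d+"

# Constructed proxy-log lines for the demo; none of these are captured traffic.
SAMPLE_LOG = [
    "2013-10-02T10:15:03 10.0.0.5 GET http://abc.sytes.net:9101/img/view.php?spamnav=82",
    "2013-10-02T10:21:44 10.0.0.5 GET http://qwe.sytes.net:12601/img/view.php?deals=82",
    "2013-10-02T10:27:19 10.0.0.9 GET http://rty.sytes.net:20301/img/view.php?promo=82",
    "2013-10-02T10:28:02 10.0.0.9 GET http://abc.sytes.net:9101/img/view.php?deals=82",
    "2013-10-02T10:30:55 10.0.0.7 GET http://www.example.com/img/view.php?deals=82",
]

URL_RE = re.compile(r"https?://\S+")


def match_indicators(url, indicators=INDICATORS):
    """Names of every published indicator that hits this URL, sorted for stable output."""
    return sorted(name for name, pat in indicators.items() if re.search(pat, url))


def is_sweet_orange_url(url):
    """Refactored check: does the URL fit the shape that stayed stable across rotations?"""
    return re.search(ROBUST, url) is not None


def scan_log(lines):
    """Run both checks over log lines; returns (url, published hits, robust hit) per URL."""
    results = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(0)
        results.append((url, match_indicators(url), is_sweet_orange_url(url)))
    return results


if __name__ == "__main__":
    for url, hits, robust in scan_log(SAMPLE_LOG):
        print(f"{url}\n    published: {hits or 'none'}  robust: {robust}")
```

The third and fourth sample lines are the point: a further rotation of port or parameter name is invisible to the exact-match regexes but still caught by the loosened one, while the benign look-alike on example.com is rejected by both. The trade-off is that the loosened regex will also fire on any sytes.net host using a port and a single numeric parameter, so it is a hunting indicator to pivot from, not a blocking signature.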

The IP address now fluctuates within the same AS (AS12695); the IPs seen include 95.163.121.17, 95.163.121.171 and 95.163.121.169.


What Has Stayed The Same

The exploits and the general frame of the exploit landing page have stayed the same.

No-ip dynamic DNS is still being used with the domain "sytes.net".

The binary exploit remains the same. It has been repacked, but I wrote a terrible Python script that is able to identify it based on a unique pattern of strings in the binary.




You can download the bin checker script here.

Once I get some free time, I'll post about the second Java exploit and reverse the payload.
