Terror EK delivers K.I.N.S.

Summary:

Often i revisit old websites that I’ve looked at before to look for any changes. This particular domain I investigated around the 8th March whereby it dropped August stealer via Rig EK. The site was also reported by @St3f4nMZ as it appeared to host different Sundown EK strings. This actually turned out to be Nebula EK. So far this domain appears to have hosted at least 3 different EK’s and dropping interesting malware.

This Terror version used 2 Flash exploits and requested the Silverlight exploit from the same host as my last Terror EK blog. Other than that, nothing else struck out as unusual.

The payload was identified with the help of @Antelox  as K.I.N.S. (Kasper Internet Non-Security). This is a ZeuS variant which uses steganography to fetch a configuration. It has the usual web injects and data exfiltration via POST request. It was very interesting to observe.

Background Information:

  • An article on Terror exploit kit:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit–More-like-Error-Exploit-Kit/

  • Some Exploits used by this version of Terror EK:

http://malware.dontneedcoffee.com/2013/11/cve-2013-0074-silverlight-integrates.html

http://malware.dontneedcoffee.com/2014/11/cve-2014-6332.html

http://malware.dontneedcoffee.com/2013/11/cve-2013-2551-and-exploit-kits.html

  • Great article on K.I.N.S

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf

Downloads (in password protected zip)

Notable Details:

  • 188.215.92.104 – hurtmehard.net:443 – Compromised Site using HTTPS
  • 162.243.119.23Terror EK Traffic
  • 159.203.185.4 – Silverlight exploit from another Terror EK host
  • 185.100.87.161 – badlywantyou.top – K.I.N.S. config via stegonography and exfiltration.
  • 86.106.131.137 – badboys.net.in – Extra run K.I.N.S CNC
  • Payload was rad0FEB3.tmp.exe-> VirusTotal (89572e8e0a2e96c655356939777da05ee47f5ffe7e9305b7c251446d61a558c6)

Details of infection chain:

(click to enlarge!)

TerrorEKZeuSVMKINS.png

Terror EK delivers K.I.N.S

  • I did an extra run where you can see two payloads were dropped that were actually the same file. This was Smoke Loader which downloaded K.I.N.S. I have not included a PCAP/Files for this though if you want to see it contact me on Twitter or the about page.

TerrorEKKins

Full Details:

  • The payload was sat in processes for around 10+ minutes before any CnC occurred.
SHA256: 89572e8e0a2e96c655356939777da05ee47f5ffe7e9305b7c251446d61a558c6
File name: rad0FEB3.tmp.exe
Detection ratio: 17 / 61
ESET-NOD32 Win32/Spy.Zbot.ABV
  • Along with a file called “Bookworm”, a DLL was created.
SHA256: 538ac74c3459fe052b18f4ff6fd28fde5d852d252e9135464c6a6e68e8fcd905
File name: ponticello.dll
Detection ratio: 8 / 61
ESET-NOD32 a variant of Win32/Injector.DNII
  • After a while another binary was created. After a short time the malware cleaned up by deleting itself and then injected itself into another process. This is when CnC began.
SHA256: 5d680f3948ed54612bc0cc812b2d287e85e2bb432267b295d37132e8077d85a2
File name: uceno.exe
Detection ratio: 14 / 61
ESET-NOD32 NSIS/Injector.VP
  • K.I.N.S. performs GET requests for a jpg file (badlywantyou[.]top/smk/config.jpg). The picture appears harmless but the malware is using stegonography to fetch the config.
  • Data exfiltration occurs using POST requests to the same domain.
  • Much similar to my previous blog on Terror EK there was no obfuscation of the landing page. This version used 2 Flash exploits and 1 Silverlight. It requested the same Silverlight exploit from Terror EK host from my previous blog:

Terror EK delivers BitCoin Miner

  • The initial landing page appears to be a pre-landing. It makes checks for plugins then performs a POST request to the actual landing page.

TerrorPost

  • The actual landing page calls several iframes which contain calls for the Flash and SilverLight exploits.

Iframes

One thought on “Terror EK delivers K.I.N.S.

  1. Pingback: Finding a Good Man: Part 2 – MALWARE BREAKDOWN

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s