My last source of Terror appeared to dry up and other security researchers such as @jeromesegura have reported changes in Terror EK. I initially looked at the referrers provided in the article and saw the same patterns.
However today I found a fresh Terror EK from malvertising and it appears to be “complete” in the sense that it now includes 4 Flash exploits (one of which had not been uploaded to VT for 5 months) and Silverlight exploit was not hosted on another domain. The only thing Terror EK has not done is a proper obfuscation of its code but I guess these are well known exploits and there is no requirement.
Overall it is clear Terror EK is in development by whomever controls it now. This version appears to look more like a main stream EK. All it needs is some strong obfuscation to slow down researchers especially if a new exploit is discovered.
- An article on Terror exploit kit showing changes in the patterns:
- Some Exploits used by this version of Terror EK:
Downloads (in password protected zip)
- 130417-TerrorSmokePcap– PCAP.
- 140417TerrorSmokePayload– Flash, Silverlight and Smoke Loader
- Payload was zoskoezb.exe-> VirusTotal (4cd37ab66af60b7a709c3b17fb3692ae784b3897e442f7bff4a9374ea5719110)
- I had left Smoke Loader running creating a mess of a PCAP so here is the Hybrid Analysis Report – Here
Terror EK – (18.104.22.168)
Details of infection chain:
(click to enlarge!)
For comparison here was my last Terror EK detection:
- Post infection was Smoke Loader. It downloaded a variety of malwares but I have not included this in the PCAP. The samples however I have uploaded here.
- The landing page contains a single iframe that loads multiple Flash exploits and a Silverlight. This has changed from multiple iframes. After this comes the usual landing page exploits. Nothing appeared to be obfuscated beyond some URL encoding. At the end of the script is a call to the payload.
- The iframe from the landing page redirects to a page that contains 4 Flash exploits and one Silverlight. One of the Flash exploits had not been uploaded to VT in 5 months.
Here are the VirusTotal reports note 9AJ1ib4oMs7f.swf is the “newer” Flash exploit:
|Detection ratio:||23 / 62|
|Detection ratio:||40 / 58|
|Detection ratio:||31 / 56|
|Detection ratio:||17 / 56|
|Detection ratio:||18 / 55|
|Detection ratio:||33 / 56|
One thought on “Terror EK via Malvertising drops Smoke Loader”
Pingback: Finding a Good Man: Part 2 – MALWARE BREAKDOWN