Exploit Kit plays with intelligent redirection (amended)
Looking inside this script, we find some really interesting things. Inside the page a large block of code is obfuscated with a permutative encoding algorithm.
After deobfuscation the malicious iFrame code looks like this:
The code block inside the iFrame redirects us to the latest version of the Blackhole Nuclear Pack exploit kit.
At the next stage of the exploitation process, the malicious Java applet at hxxp://094t8g.qktsnwukvi.webhop.net//images/274e0118278c38ab7f4ef5f98b71d9dc.jar (Java/Exploit.CVE-2012-0507.J) uses these parameters for decoding the URL of the executable file payload. Without this parameter the URL can't be decoded and the remaining steps of the attack can't be followed.
The structure of objects in the Java/Exploit.CVE-2012-0507.J sample looks like this:
The special parameter needed for decoding the URL (hxxp://094t8g.qktsnwukvi.webhop.net/server_privileges.php?7e9f0e75503391ed492e5abe22e1989e=2) that serves the payload (in this case it was Win32/TrojanDownloader.Carberp.AH) is found in the method MyStart(String paramString), which implements the decoding algorithm.
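The two stages above (a hidden iFrame that redirects to the landing page, and an applet whose decoding key is passed in as an applet parameter from the page) mean that an analyst who keeps only the downloaded JAR loses the parameter needed to recover the payload URL. The following Python script is an added example, not code from the original post or from ESET: it parses a captured landing page with the standard-library HTML parser, records every iFrame target (flagging 1x1 or hidden-sized frames) and every applet/object together with its `<param>` name/value pairs, so the parameters are stored next to the JAR. The HTML sample, the `example.invalid` host and the `EXAMPLE_*` parameter names are constructed for the demonstration; applet archives are resolved relative to the page URL, which is a simplification (a real `codebase` attribute would take precedence).

```python
"""Extract iFrame targets and applet parameters from a captured exploit-kit
landing page (added example; sample HTML below is constructed, not real)."""
from html.parser import HTMLParser
from urllib.parse import urljoin


class LandingPageParser(HTMLParser):
    """Collects iFrames and applet/object elements with their <param> tags."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.iframes = []      # [{"src": ..., "tiny": bool}]
        self.applets = []      # [{"tag": ..., "archive": ..., "params": {...}}]
        self._current = None   # applet/object currently being parsed

    @staticmethod
    def _pixels(value):
        """Return an int for values like "1" or "1px", else None."""
        if value is None:
            return None
        try:
            return int(str(value).strip().rstrip("px"))
        except ValueError:
            return None

    def _is_tiny(self, attrs):
        w, h = self._pixels(attrs.get("width")), self._pixels(attrs.get("height"))
        return (w is not None and w <= 1) or (h is not None and h <= 1)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append({
                "src": urljoin(self.page_url, a["src"]),
                "tiny": self._is_tiny(a),
            })
        elif tag in ("applet", "object", "embed"):
            archive = a.get("archive") or a.get("code") or a.get("data")
            self._current = {
                "tag": tag,
                "archive": urljoin(self.page_url, archive) if archive else None,
                "params": {},
            }
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            # <param> is a void element; the parser routes <param .../> here too
            if a.get("name") is not None:
                self._current["params"][a["name"]] = a.get("value")

    def handle_endtag(self, tag):
        if tag in ("applet", "object"):
            self._current = None


def analyse_landing_page(html, page_url):
    """Parse the page and return the iFrames and applets found on it."""
    parser = LandingPageParser(page_url)
    parser.feed(html)
    parser.close()
    return {"iframes": parser.iframes, "applets": parser.applets}


def defang(url):
    """Rewrite http(s):// to hxxp(s):// for safe inclusion in reports."""
    return "hxxp" + url[4:] if url.startswith("http") else url


# Constructed sample: a hidden 1x1 iFrame plus an applet that receives its
# decoding key through <param> tags, mirroring the pattern described above.
SAMPLE_PAGE_URL = "http://landing.example.invalid/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="http://landing.example.invalid/main.php?page=EXAMPLETOKEN"
        width="1" height="1" style="visibility:hidden"></iframe>
<applet archive="images/EXAMPLE.jar" code="Main.class" width="1" height="1">
  <param name="EXAMPLE_KEY" value="0123456789abcdef">
  <param name="EXAMPLE_STAGE" value="2">
</applet>
</body></html>
"""

if __name__ == "__main__":
    result = analyse_landing_page(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for frame in result["iframes"]:
        print("iframe", defang(frame["src"]), "tiny" if frame["tiny"] else "")
    for app in result["applets"]:
        print(app["tag"], defang(app["archive"] or ""), app["params"])
```

Keeping the `params` dictionary with the JAR hash in the case notes is what makes the payload URL recoverable later; the JAR alone is not enough, which is exactly the anti-analysis property the post describes.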
Attackers look for ways to extend the lifetime of each obfuscation iteration and of each infection of a legitimate website. It's a natural evolution for drive-by download attacks to include malicious code that employs active techniques for detecting real user activity and bypassing malware collection systems.
All malicious domains at the time of publication are hosted in a network belonging to Leksim Ltd/RELNET-NET AS5577.
It's not the first time this hosting provider has been involved in such activities, and in April last year we were already seeing incidents originating from this network.
Here's a list of the most active domains over 24 hours:
(1) Aleks reports:
On April 3rd, IPs with Blackhole migrated to the latest version of Nuclear Pack.
GET hxxp://dx6ts.yfwumdwyei.is-a-hunter.com/g/3854063525500425.js 18.104.22.168
GET hxxp://yfwumdwyei.is-a-hunter.com/main.php?page=4f086f0830a83d5f 22.214.171.124 [Blackhole]
GET hxxp://094t8g.qktsnwukvi.webhop.net/g/017432546059324.js 126.96.36.199
GET hxxp://qktsnwukvi.webhop.net/main.php?page=4f086f0830a83d5f 188.8.131.52 [Blackhole]
GET hxxp://pqiyoc.qktsnwukvi.webhop.net/g/697079368134578.js 184.108.40.206
GET hxxp://094t8g.qktsnwukvi.webhop.net/server_privileges.php?e843aac68e6c4d6126926e60a1781536=2 220.127.116.11 [Nuclear Pack]
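The request lines above show the full redirect chain: a `/g/<digits>.js` loader on a throwaway subdomain, a `main.php?page=<token>` landing page, and a `server_privileges.php?<hex>=2` payload stage, all on dynamic-DNS hosts. The following Python script is an added example, not code from the original post, that triages such proxy log lines: it parses each line, classifies the stage from the URL path (the stage patterns are assumptions derived only from the paths visible above), groups requests by the shared parent domain, reports which chains reached the payload stage, and pivots on `page=` tokens shared across domains. The six sample lines are copied from the list above; the IP addresses are used as they appear there.

```python
"""Triage exploit-kit redirect chains from defanged request log lines
(added example; stage patterns are assumptions based on the paths above)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Sample input: the request lines from the post above, used unchanged.
LOG_LINES = [
    "GET hxxp://dx6ts.yfwumdwyei.is-a-hunter.com/g/3854063525500425.js 18.104.22.168",
    "GET hxxp://yfwumdwyei.is-a-hunter.com/main.php?page=4f086f0830a83d5f 22.214.171.124 [Blackhole]",
    "GET hxxp://094t8g.qktsnwukvi.webhop.net/g/017432546059324.js 126.96.36.199",
    "GET hxxp://qktsnwukvi.webhop.net/main.php?page=4f086f0830a83d5f 188.8.131.52 [Blackhole]",
    "GET hxxp://pqiyoc.qktsnwukvi.webhop.net/g/697079368134578.js 184.108.40.206",
    "GET hxxp://094t8g.qktsnwukvi.webhop.net/server_privileges.php?e843aac68e6c4d6126926e60a1781536=2 220.127.116.11 [Nuclear Pack]",
]

# Path patterns per stage, as observed on this page (assumed, not a kit signature).
STAGE_PATTERNS = [
    ("loader-js", re.compile(r"^/g/\d+\.js$")),
    ("landing", re.compile(r"^/main\.php$")),
    ("payload", re.compile(r"^/server_privileges\.php$")),
]

LINE_RE = re.compile(
    r"^(?P<method>GET|POST)\s+(?P<url>hxxps?://\S+)\s+(?P<ip>[\d.]+)"
    r"(?:\s+\[(?P<tag>[^\]]+)\])?\s*$"
)


def refang(url):
    """Turn hxxp(s):// back into http(s):// so urlsplit can parse it."""
    return "http" + url[4:] if url.startswith("hxxp") else url


def family_of(host):
    """Key a chain by its parent domain: the three rightmost labels, which for
    the dynamic-DNS hosts above yields e.g. qktsnwukvi.webhop.net."""
    return ".".join(host.split(".")[-3:])


def parse_line(line):
    """Return a record for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(refang(m["url"]))
    stage = next((name for name, pat in STAGE_PATTERNS if pat.match(parts.path)), "unknown")
    return {
        "method": m["method"], "url": m["url"], "host": parts.hostname,
        "family": family_of(parts.hostname), "ip": m["ip"], "tag": m["tag"],
        "stage": stage, "query": parse_qs(parts.query),
    }


def group_chains(lines):
    """Group parsed records by parent domain, preserving log order."""
    chains = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            chains[rec["family"]].append(rec)
    return dict(chains)


def chain_summary(chains):
    """For each family: ordered stages seen and whether the payload was reached."""
    summary = {}
    for family, recs in chains.items():
        stages = [r["stage"] for r in recs]
        summary[family] = {
            "stages": stages,
            "complete": {"loader-js", "landing", "payload"} <= set(stages),
            "hosts": sorted({r["host"] for r in recs}),
        }
    return summary


def shared_page_tokens(chains):
    """Map each landing-page 'page=' token to the families it appears in;
    a token seen on more than one domain is a pivot for blocking/hunting."""
    seen = defaultdict(set)
    for family, recs in chains.items():
        for r in recs:
            for token in r["query"].get("page", []):
                seen[token].add(family)
    return {tok: fams for tok, fams in seen.items() if len(fams) > 1}


if __name__ == "__main__":
    chains = group_chains(LOG_LINES)
    for family, info in chain_summary(chains).items():
        print(family, "->", " > ".join(info["stages"]),
              "(payload reached)" if info["complete"] else "(incomplete)")
    print("shared page tokens:", shared_page_tokens(chains))
```

Run as-is, the script shows that only the `qktsnwukvi.webhop.net` chain reached the payload stage in this window, and that both landing pages used the same `page=4f086f0830a83d5f` token, which is a cheap pivot when the loader subdomains change faster than the kit configuration.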
(2) Steve Burn points out that AS5577 is actually Root eSolutions/Root SA: Leksim is one of their customers. A post at http://hphosts.blogspot.co.uk/2009/11/crimeware-friendly-isps-root-esolutions.html refers.
[Further update: there's a useful report of a major Nuclear Pack-related incident from Fox-IT at http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/. However, in the case that Aleksandr has been looking at, there's an updated version that includes Java/Exploit.CVE-2012-0507.]
[Update: it turns out that it's not Blackhole, but Nuclear Pack Version 2.0. Our apologies for the confusion. I'm hoping we'll have more information for you soon.]