Some nights ago I was heading to a local theater with some (non-nerd) friends. We could not quite recall the address, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater's official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player. I laughed loudly and showed it to my (again, totally non-nerd) friends, saying that the site had been owned. One of them went on and opened the site with her own phone (Samsung Galaxy S Advance with Android 4.4.1 and the default Android WebKit browser). To make a long story short, after a few moments her phone was downloading a file without even asking her for confirmation. So: Chrome on my Nexus 4 was being served social engineering to have me click on a link and manually download the file; Android's WebKit on her Galaxy S Advance was instead downloading the file straight away: interesting! However, we were a bit late and had to run for the comedy, so I did not even bother to see what the heck she had downloaded; I only made sure she hadn't opened it. I thought it was just the usual exploit kit trying to infect PCs by serving fake Flash Player updates; I've seen tons of those. While waiting for the comedy to begin, I quickly submitted the compromised site to three different services, the first three that came to my mind: HoneyProxy Client, Wepawet and Unmask Parasites, then turned off my phone and enjoyed the show.
The day after, I decided to spend some minutes analyzing that exploit kit (you know, just in case...). First of all, the compromised site was made with Joomla 1.7, an older release that has a quite long list of security updates in its short history (http://docs.joomla.org/Joomla_1.7_version_history) and is now deprecated in favor of Joomla 2.5. I wish I had access to that web server's logs, those would be quite funny!
Well, after that, I looked at the results of the three scans I had run the night before. To my surprise, there was almost nothing in them:
And that was all. So, I decided to run the site through Thug with the default personality (winxpie60) and - man! - that was disappointing! Nothing found. Absolutely nothing. Not even a single tiny call to a .ru domain or anything of the like. The only external site was www.facebook.com, which was legitimate content on the theater's site.
Fortunately, Thug's author Angelo "Buffer" Dell'Aera (our Boss, our Leader, our Shining Star) was wise enough to provide his wonderful tool with an awesome set of different personalities: if the exploit kit did not like Internet Explorer 6, maybe I could fool it with a Galaxy S II with Google Chrome 18 and Android 4.0.3, since it was checking for mobile phones. Guess what, that did the trick! This time, after a few seconds, Thug got redirected to "novostivkontakte.ru", which in turn pointed to "raykola.net", then to "real-chudo.ru" and "klub0-raduga.ru", from which three different APKs were downloaded.
For those interested, this is a small excerpt of Thug's JSON logs:
The three APK files are actually the same app, with three small configuration differences so that each talks to a different Command & Control server, but we'll talk about this in a later post. For now, we'll only say they're all three named "video.apk" and that their MD5 sums are 10859e82697955eb2561822e14460463, 91f302fd7c2d1b8fb54248ea128d19e0 and f6ad9ced69913916038f5bb94433848d.
To sum things up, in this post we've seen a peculiar Exploit Kit that is being actively spread by some automated means and has already compromised several thousand sites. The exploit kit behaves in a quite peculiar way, as it seems to have been designed with special attention to mobile users (currently the only ones that get infected by it), and it's distributing some malicious APKs that are (more or less) well recognized by AV vendors on VirusTotal (23/47). Last but not least, Angelo "Buffer" Dell'Aera confirmed that it's the first time he's seen APKs being distributed that way by an exploit kit, and - to his pride - Thug is able to get them all!
Stay tuned for some further analysis of those APKs by my friend and fellow Sysenter Chapter contributor Andrea De Pasquale!
January 12, 2014 Update: Even though my original entry point (the theater's web site) has now been cleaned, the exploit kit is still online and, since January 8, it's using a different domain to serve the APK files. The whole chain is now:
[infected site] --> novostivkontakte.ru --> raykola.net --> luchikmail.ru
They also changed the EK's code to filter User-Agent strings more tightly: now you only get redirected to the APKs if you present a genuine Android User-Agent; if you present an iPad User-Agent you get redirected to the domain "vk.com", where essentially nothing happens (at least for now).
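The two behaviours described in this post, the User-Agent cloaking that hid the kit from the default Thug personality and the Android-only redirect chain ending in an APK download, are exactly what a defender wants to spot in web-proxy logs. The following is an added example, not code from the original post or from Thug: it parses a handful of constructed proxy log lines (the line layout, the client IPs, the User-Agent strings and the compromised host "theater.example" are all assumptions), reconstructs each client's path through the chain hosts named in the post, flags clients that fetched an .apk from a chain host, shows which chain hosts each User-Agent class was sent to, and checks a file's MD5 against the three sums given above.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hosts the post names in the redirect chain and as APK download hops.
CHAIN_HOSTS = {"novostivkontakte.ru", "raykola.net", "real-chudo.ru",
               "klub0-raduga.ru", "luchikmail.ru"}
# MD5 sums of the three video.apk samples, copied from the post.
KNOWN_APK_MD5 = {"10859e82697955eb2561822e14460463",
                 "91f302fd7c2d1b8fb54248ea128d19e0",
                 "f6ad9ced69913916038f5bb94433848d"}

# Constructed proxy-log layout (an assumption, not any real proxy's format):
#   client_ip method url "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Constructed sample log: one Android client, one desktop client, one iPad client.
ANDROID_UA = "Mozilla/5.0 (Linux; Android 4.4.1) AppleWebKit/534.30 Mobile Safari/534.30"
DESKTOP_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 Mobile Safari/9537.53"
SAMPLE_LOG = [
    f'10.0.0.5 GET http://theater.example/contact "" "{ANDROID_UA}"',
    f'10.0.0.5 GET http://novostivkontakte.ru/ "http://theater.example/contact" "{ANDROID_UA}"',
    f'10.0.0.5 GET http://raykola.net/ "http://novostivkontakte.ru/" "{ANDROID_UA}"',
    f'10.0.0.5 GET http://luchikmail.ru/video.apk "http://raykola.net/" "{ANDROID_UA}"',
    f'10.0.0.7 GET http://theater.example/contact "" "{DESKTOP_UA}"',
    f'10.0.0.9 GET http://theater.example/contact "" "{IPAD_UA}"',
    f'10.0.0.9 GET http://novostivkontakte.ru/ "http://theater.example/contact" "{IPAD_UA}"',
    f'10.0.0.9 GET http://vk.com/ "http://novostivkontakte.ru/" "{IPAD_UA}"',
]


def parse_line(line):
    """Return (client, method, url, referer, ua), or None for an unparsable line."""
    m = LOG_RE.match(line.strip())
    return m.groups() if m else None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def classify_ua(ua):
    """Coarse UA class; the kit in the post keys its redirects on this."""
    if "Android" in ua:
        return "android"
    if "iPad" in ua or "iPhone" in ua:
        return "ios"
    return "desktop"


def analyse(lines):
    """Walk each client's requests in order and report contact with the chain.

    One finding per client that touched a chain host: kind is 'apk_via_chain'
    when the client then fetched an .apk referred by a chain host, else
    'chain_contact' (e.g. the iPad path that dead-ends at vk.com)."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec[0]].append(rec)
    findings = []
    for client, recs in per_client.items():
        hops, apk_url = [], None
        ua_class = classify_ua(recs[0][4])
        for _, _, url, referer, _ in recs:
            h = host_of(url)
            if h in CHAIN_HOSTS and h not in hops:
                hops.append(h)  # keep hop order as the client traversed it
            if url.lower().endswith(".apk") and host_of(referer) in CHAIN_HOSTS:
                apk_url = url
        if hops:
            findings.append({"client": client, "ua_class": ua_class, "hops": hops,
                             "kind": "apk_via_chain" if apk_url else "chain_contact",
                             "apk_url": apk_url})
    return findings


def hosts_by_ua_class(lines):
    """Expose the cloaking: which chain hosts each UA class was sent to."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            _, _, url, _, ua = rec
            cls = classify_ua(ua)
            seen[cls]  # make sure every observed class appears, even if empty
            if host_of(url) in CHAIN_HOSTS:
                seen[cls].add(host_of(url))
    return {cls: sorted(hosts) for cls, hosts in seen.items()}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def is_known_apk(data):
    """True when the bytes hash to one of the three MD5 sums from the post."""
    return md5_hex(data) in KNOWN_APK_MD5


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
    print(hosts_by_ua_class(SAMPLE_LOG))
```

Run on the constructed log, the Android client is reported as `apk_via_chain` with the hop order novostivkontakte.ru, raykola.net, luchikmail.ru, the iPad client as `chain_contact`, and the desktop client is absent, which is the same cloaking Thug's winxpie60 personality ran into. On real traffic the host set would come from your own indicator list rather than a hard-coded constant.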
To know more about the served APKs, here are two interesting posts you may want to read: