g01Pack Exploit Kit


Slight changes in g01pack


1) hiynet. is-a-geek.net/ads/ > Landing
2) oracle.com-Critical-Security-Update-JRE_1.7.u17-Windows-Install-Request-From.hiynet .is-a-geek.net/ads/9hlkii92.file > JAR (application/x-java-archive)
3) hiynet. is-a-geek.net/ads/lp9459f5.php?a=41&bulkily=3d747&i=44903301&bo=40232&priors=n&x=%2F&trismic=V& > XOR’d EXE (application/octet-stream)

The only change here is the JAR file. The previous post on g01pack has been updated accordingly.

G01pack Exploit Kit Variant


Don’t know if this is an update, a different campaign, or whatnot… but it’s different from what it used to be.

Tricky to acquire: delivery is almost exclusively via malvertising.

DynDns Domains being used:

*.dyndns.org
*.dyndns.info
*.dyndns-at-home.com
*.dyndns.tv
*.dyndns-web.com
*.dyndns.biz
*.dyndns-ip.com
*.homeip.net
*.homelinux.com
*.mine.nu
*.blogsite.org
*.homedns.org
*.homeftp.net
*.blogdns.com
*.webhop.org
*.is-lost.org
*.is-a-musician.com
*.is-a-hunter.com
*.is-a-designer.com
*.is-into-anime.com
*.homeunix.com
*.saves-the-whales.com
*.does-it.net
*.is-an-accountant.com
*.selfip.info
*.dnsdojo.net
*.is-a-geek.com
*.doesntexist.com
*.dynalias.com
*.servegame.org

– I’m sure there are more *.is-* domains… you can look for more with this regex on the domain: “\.is(\-[a-z]+){1,}\.[a-z]+”

Regex for identifying fields:

\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view|ads|delivery|paints|audit|css|accounts|internet|tweet|posts)\/

GATES

http://eiscalla.saves-the-whales.com/news/
http://fordnosize.is-an-accountant.com/finance/
http://noinoldun.does-it.net/news/
http://kzzjump.homedns.org/look/

MALJAR

http://talkydao.is-an-accountant.com/finance/s98w4.gif
http://mefb2bri.is-a-hunter.com/finance/syypj.gif
http://uscodedb.is-a-musician.com/finance/ja2pi.gif
http://sizecownwhen.dnsdojo.net/ads/t8wcpk.jpg
http://oracle.com-Critical-Security-Update-JRE_1.7.u17-Windows-Install-Request-From.hiynet .is-a-geek.net/ads/9hlkii92.file
http://sun.com-oracle-security-fix-jdk_1.7.u17-win32-install-request-from-bcwhensi.is-a-soxfan .org/ads/ag9ntac6nc35.applet

HTTP Request Method = GET
Content-type = application/java-archive
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.(gif|jpg|file|applet)$

MALJAR Variant

http://sizecownwhen.dnsdojo.net/ads/llctsudjeyhtsf.png
http://mefb2bri.is-a-hunter.com/ads/5p92jsuhencus8.png
http://uscodedb.is-a-musician.com/ads/28kdujeuhsgyeh.png

HTTP Request Method = GET
HTTP Content-type = text/html*
HTTP URI ends with .png
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.png$

MALJAR Variant 2

http://java.com-oracle-update-runtime.7u23-win32.install-prefix.netsizekocode.is-a-geek.net/ads/h7n6i3w.control

HTTP Request Method = GET
HTTP Content-type = application/java-archive
HTTP URI ends with .control
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.control$

EXEs

http://lewhenfold. is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50&

HTTP Request Method = GET
Content-type = application/octet-stream
Regex HTTP URI for “\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view|ads|delivery|paints|audit|css|accounts|internet|tweet|posts)\/[a-z0-9]{5,14}\.php”

See more examples of g01Pack Exploit Kit on UrlQuery.net

— Notes

This activity seems to be concentrated on the 31.193.195.0/24 subnet.

@c_APT_ure reported that g01pack is also active within the past few days at 216.246.98.88-90, and posted a paste of current domains.

Reference: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/18443

Thanks to @Set_Abominae for helping to keep this updated!

Speedtest.net serving malvertising to g01pack Exploit Kit


You can see a paste of the main page here; the malicious code begins at line 166.

The cleaned-up JS code is here.

This also highlights some changes in the g01pack exploit chain; I will post more about it after researching further.

Exploit Chain:

http://www.speedtest.net
http://lewhenfold.is-a-designer.com/finance/
http://lewhenfold.is-a-designer.com/finance/sw4qr.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/rlwra.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/qyjkj.php
http://lewhenfold.is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50& (EXE encoded with 0x7e) > application/octet-stream
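The last request in that chain returns the dropped EXE in encoded form, with 0x7e as the key. The script below is an added example, not code from the original post and not the kit's own decoder: it recovers the binary from such a capture. It assumes the encoding is a single-byte XOR, which is how the "Slight changes in g01pack" post at the top of this page describes the same stage ("XOR'd EXE"); the MZ/PE header checks are the standard ones, and the sample input is a constructed stand-in for the captured response, not a real binary.

```python
"""Recover a single-byte-XOR'd EXE stage such as the 2qsyk.php response.

Added example; not code from the blog post or from the kit.
Assumption: the payload is XORed with one repeating byte (the post lists 0x7e).
"""
from typing import Optional, Tuple

KEY_FROM_POST = 0x7E
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """MZ magic, e_lfanew inside the buffer, and 'PE\\0\\0' at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """A single-byte key is fixed by the first plaintext byte ('M'); verify with 'Z' and the PE header."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ 0x4D                     # 'M'
    if blob[1] ^ key != 0x5A:                # 'Z'
        return None
    return key if looks_like_pe(xor_bytes(blob, key)) else None


def decode_stage(blob: bytes, key: Optional[int] = None) -> Tuple[int, bytes]:
    """Decode the captured response; recover the key from the MZ magic when none is given."""
    if key is None:
        key = recover_xor_key(blob)
        if key is None:
            raise ValueError("no single-byte XOR key yields a PE image; encoding is not plain single-byte XOR")
    plain = xor_bytes(blob, key)
    if not looks_like_pe(plain):
        raise ValueError(f"key {key:#04x} does not produce a PE image")
    return key, plain


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped EXE: DOS header, DOS stub, PE signature. Not a real binary."""
    image = bytearray(b"MZ" + b"\x90" * 0x3A)            # 0x3C bytes of DOS header
    image += (0x80).to_bytes(4, "little")                 # e_lfanew = 0x80
    image += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB
    image += b"\x00" * (0x80 - len(image))                # pad up to e_lfanew
    image += b"PE\0\0" + b"\x4c\x01"                      # PE signature, Machine = i386
    image += b"\x00" * 0x20                               # rest of the (fake) COFF/optional header
    return bytes(image)


if __name__ == "__main__":
    captured = xor_bytes(build_fake_pe(), KEY_FROM_POST)  # what the octet-stream response would look like
    key, exe = decode_stage(captured)
    print(f"key={key:#04x} pe={looks_like_pe(exe)} dos_stub={DOS_STUB in exe}")
```

Because a single-byte XOR key is fully determined by the first plaintext byte, recover_xor_key only ever has to verify one candidate; if that verification fails, the stage is using something other than a plain single-byte XOR (a multi-byte key, or one that skips null bytes) and the output should not be treated as a PE. Write the decoded bytes to disk only inside an isolated analysis VM.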

g01Pack Exploit Kit


There is an updated post on this exploit kit.

Tricky to acquire: delivery is almost exclusively via malvertising.

DynDns Domains being used:

*.dyndns.org
*.dyndns.info
*.dyndns-at-home.com
*.dyndns.tv
*.dyndns-web.com
*.dyndns.biz
*.dyndns-ip.com
*.homeip.net
*.homelinux.com
*.mine.nu
*.blogsite.org
*.homedns.org
*.homeftp.net
*.blogdns.com
*.webhop.org
*.is-lost.org
*.is-a-musician.com
*.is-a-hunter.com
*.is-into-anime.com
*.homeunix.com
*.saves-the-whales.com
*.does-it.net
*.is-an-accountant.com
*.selfip.info

– I’m sure there are more *.is-* domains… you can look for more with this regex on the domain: “\.is(\-[a-z]+){1,}\.[a-z]+”

Regex for identifying fields:

\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view)\/

Examples:

GATES

http://butgocodefour.dyndns.org/mix/
http://fivevsevenkey.dyndns.org/mix/
http://sevennfourpark.dyndns.info/forum/
http://qwtoovecho.dyndns.org/mix/
http://foxreajunk.dyndns.info/forum/

MALJAR

http://uonetwodo.dyndns.info/forum/1m1yfygo20iz9lgfola9w9lmjg.jar
http://dryzeroparktoo.dyndns.org/mix/1wl101m55fzf9zg5oii5ozaw11.jar
http://foxreajunk.dyndns.info/forum/1wl101m55fzf9zg5oii5ozaw11m9ogla.jar
http://uonetwodo.dyndns.info/forum/2jmmmmyfgm9i01jyfiyig1fawal9ayfl.jar

EXEs

http://goninefoxseven.dyndns.info/forum/ma0alimf5a0awzjljiiwj2gi9y.php?fid=java_ara&quote=%2F&size=32864079&
http://foxreajunk.dyndns.info/forum/5wawwmaf0g0fo1ljyioo1jiy1zyowwgy.php?quote=%2F&size=33210331&fid=java_ara&
http://uonetwodo.dyndns.info/forum/ma0alimf5a0awzjljiiwj2gi9y.php?size=32893475&fid=java_ara&quote=%2F&
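The gate, maljar and EXE URLs listed in this post, and the field/URI regexes given in the "G01pack Exploit Kit Variant" post higher on this page, can be turned into a small proxy-log triage script. The script below is an added example, not code from either post: it copies the field-name list, the maljar and EXE URI regexes and the *.is-* domain regex from the variant post and merges the two DynDNS suffix lists; the two checks it adds for this post's samples (a long [a-z0-9] name ending in .jar, and a .php request whose query carries fid=java_ara) are assumptions read off the URLs above, not regexes the posts state. The pipe-separated log format and the sample lines are constructed for the example.

```python
"""Tag g01pack gate / maljar / EXE requests in proxy logs.

Added example; not code from the blog posts. Patterns are copied from the posts
where they state them; the .jar and fid=java_ara checks, the log format and the
sample lines are constructed for this example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Both posts' DynDNS lists, merged (the posts write them as *.suffix).
DYNDNS_SUFFIXES = tuple("." + s for s in (
    "dyndns.org", "dyndns.info", "dyndns-at-home.com", "dyndns.tv", "dyndns-web.com",
    "dyndns.biz", "dyndns-ip.com", "homeip.net", "homelinux.com", "mine.nu",
    "blogsite.org", "homedns.org", "homeftp.net", "blogdns.com", "webhop.org",
    "is-lost.org", "is-a-musician.com", "is-a-hunter.com", "is-a-designer.com",
    "is-into-anime.com", "homeunix.com", "saves-the-whales.com", "does-it.net",
    "is-an-accountant.com", "selfip.info", "dnsdojo.net", "is-a-geek.com",
    "doesntexist.com", "dynalias.com", "servegame.org",
))
# The variant post's catch-all for further *.is-* DynDNS domains.
IS_DOMAIN_RE = re.compile(r"\.is(\-[a-z]+){1,}\.[a-z]+")

# Field names from the variant post's "Regex for identifying fields".
FIELDS = ("forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners"
          "|view|ads|delivery|paints|audit|css|accounts|internet|tweet|posts")
GATE_RE = re.compile(rf"^/({FIELDS})/$")
# The post's three maljar URI regexes merged: gif/jpg/file/applet, the .png variant, the .control variant.
MALJAR_RE = re.compile(rf"^/({FIELDS})/[a-z0-9]{{4,14}}\.(gif|jpg|file|applet|png|control)$")
# Older post: long [a-z0-9] names with a .jar extension (bounds taken from its four samples; an assumption).
OLD_MALJAR_RE = re.compile(rf"^/({FIELDS})/[a-z0-9]{{20,40}}\.jar$")
# The variant post's EXE regex; the older post's .php names are longer and are caught by fid=java_ara below.
EXE_RE = re.compile(rf"^/({FIELDS})/[a-z0-9]{{5,14}}\.php$")


def is_dyndns_host(host: str) -> bool:
    """True for a host under one of the listed DynDNS suffixes or matching the *.is-* regex."""
    return host.endswith(DYNDNS_SUFFIXES) or IS_DOMAIN_RE.search(host) is not None


def classify(method: str, url: str, ctype: str, ua: str) -> Optional[str]:
    """Return 'gate', 'maljar' or 'exe' for a request that fits one stage of the chain, else None."""
    if method != "GET":
        return None
    u = urlsplit(url)
    host, path, query = (u.hostname or ""), u.path, u.query
    if not is_dyndns_host(host):
        return None
    if GATE_RE.match(path):
        return "gate"
    # The JAR is fetched by the Java plugin itself, hence the Java/1.x User-Agent in both posts.
    if "Java/1." in ua and (MALJAR_RE.match(path) or OLD_MALJAR_RE.match(path)):
        return "maljar"
    if ctype.startswith("application/octet-stream") and path.endswith(".php") and (
            EXE_RE.match(path) or "fid=java_ara" in query):
        return "exe"
    return None


# Constructed proxy log lines (ts|method|url|response content-type|user-agent); not a real export.
SAMPLE_LOG = """\
2013-03-19T10:00:01|GET|http://www.speedtest.net/|text/html|Mozilla/5.0 (Windows NT 6.1)
2013-03-19T10:00:02|GET|http://kzzjump.homedns.org/look/|text/html|Mozilla/5.0 (Windows NT 6.1)
2013-03-19T10:00:03|GET|http://uscodedb.is-a-musician.com/finance/ja2pi.gif|application/java-archive|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
2013-03-19T10:00:04|GET|http://sizecownwhen.dnsdojo.net/ads/llctsudjeyhtsf.png|text/html|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
2013-03-19T10:00:05|GET|http://lewhenfold.is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50&|application/octet-stream|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
2013-03-19T10:00:06|GET|http://foxreajunk.dyndns.info/forum/1wl101m55fzf9zg5oii5ozaw11m9ogla.jar|application/java-archive|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
2013-03-19T10:00:07|GET|http://foxreajunk.dyndns.info/forum/5wawwmaf0g0fo1ljyioo1jiy1zyowwgy.php?quote=%2F&size=33210331&fid=java_ara&|application/octet-stream|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
2013-03-19T10:00:08|GET|http://www.example.com/news/|text/html|Mozilla/5.0 (Windows NT 6.1)
2013-03-19T10:00:09|GET|http://mybox.homelinux.com/news/picture.gif|image/gif|Mozilla/5.0 (Windows NT 6.1)
"""


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, tag, url) for every line that matches a stage of the chain."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, method, url, ctype, ua = line.split("|", 4)
        tag = classify(method, url, ctype, ua)
        if tag:
            hits.append((ts, tag, url))
    return hits


if __name__ == "__main__":
    for ts, tag, url in scan(SAMPLE_LOG):
        print(f"{ts} {tag:6} {url}")
```

The last two sample lines are the negatives worth keeping: a benign /news/ path on a non-DynDNS host, and a .gif under a DynDNS host fetched by a browser rather than by Java. The URI regexes alone would flag the second one, which is why the script keeps the User-Agent and Content-Type conditions from the posts rather than matching on the path by itself. The *.is-* domain regex is deliberately broad, so treat a domain-only hit as a lead, not a verdict.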