Neosploint exploit kit


Recent Fiesta EK Tags


This is just a listing of popular Fiesta EK tags that have been seen recently.


Tiltedkilt.com redirecting to Fiesta


*First thought neosploit…turns out fiesta.*

This compromise only redirects visitors coming from a search engine.

http://sitecheck.sucuri.net/results/tiltedkilt.com

http://www.tiltedkilt.com/menu/ (redirects only when the visitor arrives from a search engine such as Google or Bing)

Paste of redirecting JS

http://flownacme.info/showads.php?2&seoref=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3Dtilted%2520kilt%2520menu%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CC8QFjAA%26url%3Dhttp%253A%252F%252Fwww.tiltedkilt.com%252Fmenu%252F%26ei%3DA3ARUdGgIem1ygGewoHoBw%26usg%3DAFQjCNE5woagSo26HJaev5A8eSwYUJWQ7w%26bvm%3Dbv.41934586%2Cd.aWM&HTTP_REFERER=http%3A%2F%2Fwww.tiltedkilt.com%2Fmenu%2F > Redirect

http://bitsawalli.www1.biz/w4bm607/counter.php?id=2
http://bitsawalli.www1.biz/w4bm607/?2
http://bitsawalli.www1.biz/w4bm607/?0ae2960a13391f965c0807090b0d015809525e065b060b55095700020d5252 > PDF
http://bitsawalli.www1.biz/w4bm607/?02c3ea533044d71d52511508575a040a0901580707510e0709040603510557 > JAR (application/x-java-archive)
http://bitsawalli.www1.biz/w4bm607/?40f2f7e2da7d541555420709540c540b0d035d0604075e060d060302525307 > JAR (application/x-java-archive)
http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3 > EXE from PDF (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?4a53229d5fcb1ebd511950080009085d0d520e07500202500d57500306565b;1;1 > EXE from JAR (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?4a53229d5fcb1ebd511950080009085d0d520e07500202500d57500306565b;1;1;1 > empty > DL confirm
http://bitsawalli.www1.biz/w4bm607/?5ff3f9fb5fcb1ebd501e03085402575b0c555d0704095d560c500303525d04;1;2 > EXE from JAR (application/octet-stream)
http://bitsawalli.www1.biz/w4bm607/?5ff3f9fb5fcb1ebd501e03085402575b0c555d0704095d560c500303525d04;1;2;1 > empty > DL confirm
http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3;1 > empty > DL confirm

Nothing new here: low AV detection, and the payload looks like a locker.

Updated NeoSploit Post with more indicators.

NeoSploit/Fiesta Exploit Kit


Redirs:

*/counter.php?id=1
*/counter.php?id=2
*/counter.php?id=3
*/counter.php?id=4
*/counter.php?fid=2

You can try regexing the URI for \/[a-z0-9A-Z]{7}\/\?[0-9], but that may be costly depending on log size.

It is often more useful to search for the seven-character identifier, since the same one appears to be reused over and over.

identifier = \/[a-zA-Z0-9]{7}\/

See Neosploit Examples on urlquery.net

PDF

HTTP Request Method = GET
Content-type = "application/pdf"
Regex HTTP URI for \/[a-zA-Z0-9]{7}\/\?[0-9A-F]{50,}$

JAR

HTTP Request Method = GET
Content-type = "application/x-java-archive"
Regex HTTP URI for \/[a-zA-Z0-9]{7}\/\?[0-9A-F]{50,}$

EXEs

HTTP Request Method = GET
Content-type = "application/octet-stream"
Regex HTTP URI for \/[a-zA-Z0-9]{7}\/\?[0-9A-F]{50,}(;[0-9]){2}$

Confirms of Java Exploit/Download

HTTP Request Method = GET
User-agent = */Java1.*
Regex HTTP URI for \/[a-zA-Z0-9]{7}\/\?[0-9A-F]{50,}(;[0-9]){3}$

EK Redirect – Silverlight rewrite


Noticed some interesting traffic following the chain below:

hxxp://sunduk.biz/forum/docs/login.php
hxxp://qobac.cobor.in/g76df4d/rtp.xap?0.4495108588209197
hxxp://qobac.cobor.in/g76df4d/rtu.swf?0.4495108588209197
hxxp://qobac.cobor.in/g76df4d/rtu.php?0.4495108588209197

hxxp://qobac.cobor.in/pofrj4l/2 > Fiesta Gate

Looking at the landing page, there is no rtu.php file present > http://pastebin.com/n6dYSHY4

The .xap (Silverlight) file is downloaded; open it in a tool like ILSpy and it is quite clear what is happening.


The rtu.php file simply redirects to fiesta…

¯\_(ツ)_/¯

Neosploit Redirectors


These are redirecting to neosploit/fiesta.

1) www.dreamincode.net/forums/topic/100672-how-to-get-all-ip-addresses-of-a-systems-connected-to-a-lan/ > Compromised Site
2) meleyomiho.longmusic.com/s406ezzwryav12/4e7302eaa7dc50f5769349bc18584ceb/ > DYN REDIR
3) meleyomiho.longmusic.com/hfbd8ppo/?4 > NEO GATE

1) www.dreamincode.net/forums/topic/256685-sending-a-message-to-multiple-clients/ > Compromised Site
2) qudixev.longmusic.com/2evr0hzwkxlarrx3/4e73527aa7dc50f53669349bc18c84ceb/ > DYN REDIR
3) qudixev.longmusic.com/hfbd8ppo/?4 > NEO GATE

More Examples:

budplix.changeip.name/omoslvzcvnwjnljqf/4e73014aa7dc50f6369349bc18884ceb/
cejapavqze.longmusic.com/cbz7yezbvuotg/517dd3bd75bb1f24fca169919bcf7ddf/
cothvu.changeip.name/llwstbzxwmika34/4e73014aa7dc96f0769349bc18884ceb/
denepsfol.changeip.name/yqvpnszxwaz0rkuh/fa4d85395479a005de13a117d67b10c1/
fjlide.longmusic.com/ipddy7zthhob3yds/54adcdea94611ad546a79d12229cdba6/
gevqeoq.longmusic.com/kkbjezulwaen/4e73014aa7dc50f0769378bc18884ceb/
gofozcawo.changeip.name/fcvekvzxw0wqhn/54adcdea9731134546a79d12229cdba6/
joduegqeh.changeip.name/bqdjr2zjypg7j/4e73014aa7dc50f0569349bc18884ceb/

You can regex logs for an HTTP URI matching:

^http:\/\/[a-z]{6,10}\.(hopto\.org|changeip\.name|longmusic\.com|ftpserver\.biz|dns04\.com|myvnc\.com|servehttp\.com|sytes\.net)\/[a-z0-9]{10,17}\/[a-f0-9]{32}\/$

See examples of Neosploit Redirectors on UrlQuery.net
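As an added example (not code from this blog), here is a Python classifier that applies the Fiesta/NeoSploit URI patterns from the NeoSploit/Fiesta post and the dynamic-DNS redirector regex above to constructed proxy-log lines built from URLs quoted in these posts, counting stages and reused identifiers. The log-line format and timestamps are assumptions; hex is matched case-insensitively because the observed URIs use lowercase hex while the post's regex is written in uppercase.

```python
import re
from collections import Counter
from urllib.parse import urlsplit
TAG = r"/[a-zA-Z0-9]{7}/"  # the seven-character directory the post calls the identifier
STAGES = [  # most specific first; re.I because observed hex is lowercase, the post's regex uppercase
    ("gate", re.compile(r"/counter\.php\?f?id=[0-9]$")),
    ("java-confirm", re.compile(TAG + r"\?[0-9A-F]{50,}(;[0-9]){3}$", re.I)),
    ("exe", re.compile(TAG + r"\?[0-9A-F]{50,}(;[0-9]){2}$", re.I)),
    ("pdf-or-jar", re.compile(TAG + r"\?[0-9A-F]{50,}$", re.I)),
    ("landing", re.compile(TAG + r"\?[0-9]$")),
]
DYN_REDIR = re.compile(  # the dynamic-DNS redirector pattern from the Neosploit Redirectors post
    r"^http://[a-z]{6,10}\.(hopto\.org|changeip\.name|longmusic\.com|ftpserver\.biz"
    r"|dns04\.com|myvnc\.com|servehttp\.com|sytes\.net)/[a-z0-9]{10,17}/[a-f0-9]{32}/$")

def classify(url):
    """Return the exploit-kit stage a URL matches, or None."""
    if DYN_REDIR.match(url):
        return "dyn-redir"
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for name, rx in STAGES:
        if rx.search(target):
            return name
    return None

def summarise(log_lines):
    """Count stages and reused identifiers over constructed '<time> <client> <url>' lines."""
    stages, tags = Counter(), Counter()
    for line in log_lines:
        url = line.split()[-1]
        stage = classify(url)
        if stage is None:
            continue
        stages[stage] += 1
        tag = re.search(TAG, urlsplit(url).path) if stage != "dyn-redir" else None
        if tag:
            tags[tag.group(0)] += 1
    return stages, tags

# Constructed log lines from URLs quoted in the posts; /hfbd8ppo/ is eight chars, so the 7-char pattern misses it.
SAMPLE_LOG = """\
2013-02-05T10:01:02 10.0.0.5 http://bitsawalli.www1.biz/w4bm607/counter.php?id=2
2013-02-05T10:01:03 10.0.0.5 http://bitsawalli.www1.biz/w4bm607/?2
2013-02-05T10:01:05 10.0.0.5 http://bitsawalli.www1.biz/w4bm607/?0ae2960a13391f965c0807090b0d015809525e065b060b55095700020d5252
2013-02-05T10:01:07 10.0.0.5 http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3
2013-02-05T10:01:08 10.0.0.5 http://bitsawalli.www1.biz/w4bm607/?05a155a358a6daa4554d040a070e500a09065a0557055a0709030401015107;1;3;1
2013-02-05T10:02:00 10.0.0.9 http://meleyomiho.longmusic.com/s406ezzwryav12/4e7302eaa7dc50f5769349bc18584ceb/
2013-02-05T10:02:01 10.0.0.9 http://meleyomiho.longmusic.com/hfbd8ppo/?4
""".splitlines()
```

Running summarise(SAMPLE_LOG) yields one hit per stage plus one dyn-redir, with /w4bm607/ counted five times; the eight-character Neosploit gate path stays unclassified, which is the gap to keep in mind when relying on the seven-character identifier alone.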