SofosFO is being sneaky in a cool and interesting way.
Example Chain:
http://incurable.fulfillingrgdohavingdhiv.biz/chanting_shallow.php > Landing/PD
http://incurable.fulfillingrgdohavingdhiv.biz/6oqgDDwQ4GmiEDQmqqir4DZpD/9d20ZKQ7QeQe/loads.php5 > Calls JAR
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/353810494/misspelled.pdf > Mal PDF
http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 > EXE from PDF
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/example.jar > Mal JAR
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 > EXE from JAR
Looks like usual SofosFO activity till we look at the packets…
EXE from JAR
GET /qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/java-archive
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: inline; filename="triumphs.jar"
This is an encoded EXE served with a misleading Content-Type and filename (the body is not a JAR). Also notice the Java User-Agent.
Signature:
HTTP Method = GET
User-Agent = *Java/1.*
Content-Type = application/java-archive
Regex HTTP URI for \/[0-9]{8,11}\/[0-9]{6,8}$
EXE from PDF
GET /ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 HTTP/1.1
User-Agent: http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500
Host: incurable.fulfillingrgdohavingdhiv.biz

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/pdf
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: inline; filename="nozzles.jar"
This is also an encoded executable, fetched by the Adobe exploit. Notice the User-Agent (it is the download URL itself), the PDF Content-Type, and the inline .jar filename.
Signature:
HTTP Method = GET
User-Agent = http://*
Content-Type = application/pdf
Regex HTTP URI for \/[0-9]{8,11}\/[0-9]{6,8}$
The kit is currently dropping large (800k+) RogueAV files.
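To show how the two signatures above combine, here is an added example (not from the original post) that parses request/response header pairs and applies the GET, User-Agent, Content-Type and URI-regex checks from both signatures. The sample transactions are constructed from the captures in the post; the benign Java download and the host name ek-host.example are made up.

```python
import re

# Added example, not from the original post: apply the post's two
# signatures to HTTP request/response header pairs. Samples below are
# constructed from the post's captures; the host "ek-host.example" and
# the benign transaction are made up.
URI_RE = re.compile(r"/[0-9]{8,11}/[0-9]{6,8}$")  # URI regex from the post

# (name, User-Agent pattern, Content-Type) as given in the post's signatures
SIGNATURES = [
    ("SofosFO EXE from JAR", re.compile(r"Java/1\."), "application/java-archive"),
    ("SofosFO EXE from PDF", re.compile(r"^http://"), "application/pdf"),
]

def parse_headers(raw):
    """Return (start line, {lower-cased header: value}) for one HTTP message."""
    lines = raw.strip().splitlines()
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs

def match_transaction(request, response):
    """Return the name of the signature the transaction hits, or None."""
    req_line, req = parse_headers(request)
    method, uri, _ = req_line.split(" ", 2)
    _, resp = parse_headers(response)
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    ua = req.get("user-agent", "")
    # Both signatures share the GET method and the numeric-path URI check.
    if method != "GET" or not URI_RE.search(uri):
        return None
    for name, ua_re, want_ctype in SIGNATURES:
        if ua_re.search(ua) and ctype == want_ctype:
            return name
    return None

JAR_REQ = '''GET /qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10'''
JAR_RESP = '''HTTP/1.1 200 OK
Content-Type: application/java-archive'''
PDF_REQ = '''GET /ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 HTTP/1.1
User-Agent: http://ek-host.example/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500'''
PDF_RESP = '''HTTP/1.1 200 OK
Content-Type: application/pdf'''
# Legitimate Java download: same UA and type, but no numeric path segments.
BENIGN_REQ = '''GET /applets/viewer.jar HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10'''
BENIGN_RESP = '''HTTP/1.1 200 OK
Content-Type: application/java-archive'''
```

The URI regex is what keeps ordinary Java applet fetches from firing; the User-Agent and Content-Type checks alone would match plenty of legitimate traffic.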