“Cookiebomb” encounter at www.dinaeastwood[.]com

For background information on “cookiebomb” injection I recommend these excellent posts:

http://malwaremustdie.blogspot.com/2013/07/proof-of-concept-of-cookiebomb-attack.html
http://malwaremustdie.blogspot.com/2013/07/what-is-behind-cookiebomb-attack-by.html
http://research.zscaler.com/2013/08/cookiebomb-still-dropping-malicious.html
http://blogs.cisco.com/security/crumbling-to-the-cookiebomb/

And as always, please use care when visiting any of the sites in this post.

[image: dinaeastwood-com-cookiebomb]

Behind the scenes, the iframe constructed by the obfuscated “cookiebomb” injection code first leads to 97.74.221.92/cart/LNPgnbtH.php. This is followed by redirects to https://www[.]islandgirlactivities.com/cart/LNPgnbtH.php and finally to the landing page at kennethcolenyoutlet[.]com/topic/successful_records.php.

The malicious .jar, and the binaries it downloads, are pulled from:

  • .jar: kennethcolenyoutlet[.]com/topic/successful_records.php?nlXwrAu=KIsBLk&vXWLdiYVqjS=dqjRDGfdYV
  • info.exe: kennethcolenyoutlet[.]com/topic/successful_records.php?Mf=565453532d&me=572g522i32522i2j542h&O=2d&sw=S&gz=D
  • contacts.exe: kennethcolenyoutlet[.]com/topic/successful_records.php?ff=565453532d&Ue=2g2h572i555552542d52&y=2d&nG=M&Mg=q

After infection a check-in is made via POST to kennethcolenyoutlet[.]com/forum/viewtopic.php (note the Content-Type and Content-Encoding headers):

[image: dinaeastwood-com-cookiebomb-viewtopic]

This is followed by four attempts to download the same binary from different sources:

  • ftp.pexgol[.]com/bm6dog.exe
  • 031e860.netsolhost[.]com/N6iU.exe
  • www.spessartpix[.]de/tT4W60.exe (resulted in a 403 in this case)
  • ftp.asepticenclosures[.]com/uexgRF.exe

After the binaries were received, a request to microsoft.com was observed to be directed to 78.140.131.151 in the Netherlands. This appears to be a Medfos connectivity check using the forged User-Agent “Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0”:
www.microsoft[.]com/uploading/id=1351678513&u=4WqdvjA+sJYdbzjFmxr6tGHxf9AqnDBsS3vRyhHbacviRtnYIg2xc6QMAWYaZM4RqxalcusDRHEPWTLre+r0ww==

And finally another request to www.my-debugbar[.]com, which returned a 200 response but no data:
www.my-debugbar[.]com/report?n=0&r=BgClANoAMS8dAAEFCJgQAAAfAAAAuA0IHgsAAADWlghg4xEWEqy4d4Imb5lvvKchUlVVVVVVVVVVVVVVVVVVVVUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABOAAAADgAAAA0VgAA

At this point UDP traffic originating from port 6674 was observed communicating with a number of ISP hosts, possibly Zeus P2P.

netsh firewall show portopening shows that UDP 6674 and TCP 5830 have been enabled.

[image: dinaeastwood-com-netsh-firewall]

VirusTotal:
.jar: https://www.virustotal.com/en/file/bbef81d13c4882ececaec6c3840ac432de4b452d7fd5b821d78fed010b8c0fa1/analysis/
info.exe: https://www.virustotal.com/en/file/828c560f7f438ebb47f37f0accae7dd92d6acdc994afe326daaf927003c20960/analysis/
contacts.exe: https://www.virustotal.com/en/file/6c46a05227ea0c372c67b6d7cc84824edafa2f2bcf790fa9bf6acf43bf183064/analysis/
bm6dog.exe, N6iU.exe and uexgRF.exe: https://www.virustotal.com/en/file/ae378145e31c70f376d97a60274b4b3b5744fdbad008c722c074911e68f1865f/analysis/

Indicators:

  • POST to URI path “/forum/viewtopic.php” with Content-Type: application/octet-stream and Content-Encoding: binary
  • Requests to www.microsoft.com/uploading/id= with a forged user agent, followed by an increase in UDP traffic to ISP destinations.
  • Fortunately none of the binaries are encoded, so standard executable detections should pick those up.
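As an added example (not part of the original post), the following Python scans a simplified HTTP request log for the first two network indicators above: the check-in POST with the odd Content-Type/Content-Encoding pair, and the microsoft.com connectivity check carrying the forged User-Agent. The log format, the sample lines and the function names are my own assumptions, not anything from the captured traffic.

```python
"""Scan a simplified HTTP request log for the cookiebomb/Medfos indicators above.
Added example, not from the original post. Constructed log format, one request per line:
    METHOD URL "User-Agent" Content-Type Content-Encoding   ('-' = header absent)
"""
import re

# Indicators taken from the write-up.
CHECKIN_PATH = "/forum/viewtopic.php"
MEDFOS_HOST = "www.microsoft.com"
MEDFOS_PATH_PREFIX = "/uploading/id="
FORGED_UA = "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0"

# Constructed sample log lines, not captured traffic; lines 2 and 4 are benign look-alikes.
SAMPLE_LOG = """\
POST http://kennethcolenyoutlet.com/forum/viewtopic.php "Mozilla/4.0" application/octet-stream binary
POST http://forum.example.org/forum/viewtopic.php "Mozilla/5.0" application/x-www-form-urlencoded -
GET http://www.microsoft.com/uploading/id=1351678513&u=ABCD "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0" - -
GET http://www.microsoft.com/en-us/ "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0" - -
"""
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

def parse_line(line):
    # Return a dict for one log line, or None if it does not match the format.
    m = LINE_RE.match(line)
    if not m:
        return None
    method, url, ua, ctype, cenc = m.groups()
    host, _, path = url.split("://", 1)[-1].partition("/")
    return {"method": method, "host": host.lower(), "path": "/" + path,
            "ua": ua, "ctype": ctype, "cenc": cenc}

def classify(rec):
    # Return the indicator tags a parsed request matches (possibly none).
    tags = []
    # Check-in: POST to /forum/viewtopic.php (any host) with the unusual header pair.
    if (rec["method"] == "POST" and rec["path"].split("?", 1)[0] == CHECKIN_PATH
            and rec["ctype"] == "application/octet-stream" and rec["cenc"] == "binary"):
        tags.append("medfos-checkin")
    # Connectivity check: /uploading/id= on www.microsoft.com with the forged UA.
    if (rec["host"] == MEDFOS_HOST and rec["path"].startswith(MEDFOS_PATH_PREFIX)
            and rec["ua"] == FORGED_UA):
        tags.append("medfos-connectivity-check")
    return tags

def scan(log_text):
    # Return (line_no, tag, host+path) for every indicator hit in the log.
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        for tag in (classify(rec) if rec else []):
            alerts.append((n, tag, rec["host"] + rec["path"]))
    return alerts
```

Running `scan(SAMPLE_LOG)` flags only lines 1 and 3; a benign forum POST and a normal microsoft.com page fetch with the same User-Agent are left alone.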