Fiesta Kit on stevepavlina[.]com leads to ZeroAccess

stevepavlina-com

The malicious injected code appears to be limited to the site’s forum section, possibly due to the outdated vBulletin software for which there are a number of known vulnerabilities.

stevepavlina-source

The injected JavaScript from blogsandnews[.]com/hrmoaejik.js?524835cb926babf8 inserts a small 1×1 iframe that loads the landing page located at domainswudypeople[.]info/jgq0p8z/?2

stevepavlina-iframe

From there, Adobe Flash, Reader and Java exploits are delivered to the browser:

  • n2id80kx.swf -> domainswudypeople[.]info/jgq0p8z/?316aa983a75a3e6d4046505a5302000205030e5a555b08080603045859005c07;112202;233
  • S9XrxLyc.pdf -> domainswudypeople[.]info/jgq0p8z/?34e262238b846e895f5d070904090a0205065d09025002080606570b0e0b5607
  • PClqGLS5.jar -> domainswudypeople[.]info/jgq0p8z/?0edba8e8fffcf8585117055953035d0906575c59555a55030557565b5901010c

These are followed by binary downloads:

  • flashplayer11_7r81628_213_win.exe -> domainswudypeople[.]info/jgq0p8z/?36ce47fa277465c8564e065e060c5e5005045b5e0055565a0604515c0c0e0255;1;3
  • (encoded and unnamed via Java UA) -> domainswudypeople[.]info/jgq0p8z/?1cf6b1b497493798521b030d500a5a0507515e0d5653520f0451540f5a080600;1;2
  • flashplayer11_7r81628_211_win.exe -> domainswudypeople[.]info/jgq0p8z/?4a2a1b39a00bc12a5119575a03590b0802530a5a0500030201530058095b560a;1;1
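The landing, exploit and payload requests above all share one directory and one query shape, which makes the chain easy to pick out of web proxy logs. The following is an added example (not code from the original post) that classifies such requests per client and reports which clients went all the way to a binary download; the log format, the regular expression and the rule that a `;1;N` suffix marks a payload are assumptions modelled on the URLs listed above.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original post), one request per
# line in the form "client_ip host path"; the paths mirror the Fiesta URLs above.
SAMPLE_LOG = """\
10.0.0.5 blogsandnews.com /hrmoaejik.js?524835cb926babf8
10.0.0.5 domainswudypeople.info /jgq0p8z/?2
10.0.0.5 domainswudypeople.info /jgq0p8z/?316aa983a75a3e6d4046505a5302000205030e5a555b08080603045859005c07;112202;233
10.0.0.5 domainswudypeople.info /jgq0p8z/?34e262238b846e895f5d070904090a0205065d09025002080606570b0e0b5607
10.0.0.5 domainswudypeople.info /jgq0p8z/?36ce47fa277465c8564e065e060c5e5005045b5e0055565a0604515c0c0e0255;1;3
10.0.0.9 example.org /index.html
"""

# Assumed pattern: a short alphanumeric directory, then a query that is either
# a one/two digit stage id (landing page) or a 64-hex token (exploit/payload),
# optionally followed by one or more ';<number>' counters.
FIESTA_RE = re.compile(r"^/[a-z0-9]{6,10}/\?(?:\d{1,2}|[0-9a-f]{64}(?:;\d+)*)$")


def classify(path):
    """Return 'landing', 'exploit' or 'payload' for a Fiesta-style path, else None."""
    if not FIESTA_RE.match(path):
        return None
    query = path.split("?", 1)[1]
    if len(query) <= 2:
        return "landing"
    parts = query.split(";")
    # Assumption drawn from the list above: binary downloads carry a ';1;N' suffix,
    # while exploit requests have no suffix or a different first counter.
    if len(parts) >= 2 and parts[1] == "1":
        return "payload"
    return "exploit"


def find_chains(log_text):
    """Group Fiesta-like requests per client; keep clients that reached a payload."""
    stages = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, path = line.split(" ", 2)
        label = classify(path)
        if label:
            stages[client].append((host, label))
    return {c: s for c, s in stages.items() if any(l == "payload" for _, l in s)}
```

Running `find_chains(SAMPLE_LOG)` flags only 10.0.0.5, with the stage sequence landing, exploit, exploit, payload; the unrelated request from 10.0.0.9 is ignored.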

The malware obtains geolocation using the j.maxmind.com geoip service followed by a series of malformed DNS packets to 194.165.17.4, a known ZeroAccess CnC host (Ref. https://twitter.com/unixfreaxjp/status/361939633510174721).

stevepavlina-dns

ZeroAccess TCP and UDP CnC channels were then observed being established with 190.204.18.218 in Venezuela.

stevepavlina-cnc

VirusTotal: