Fiesta Kit at realmomkitchen[.]com leads to ZeroAccess with a side of Fake AV

[Image: realmomkitchen]

Like stevepavlina[.]com in my previous post, realmomkitchen[.]com is also hosting the Fiesta exploit kit and is intent on infecting visitors with ZeroAccess; in this case, Fake AV is also delivered to the victim.

Injected Javascript leads to the landing page at wucgwyf.myftp[.]biz/jh6pbgzxwf7nbq/a2061c3bc5854c46f54609df0b141304/

[Image: realmomkitchen-javascript (injected JavaScript)]

Adobe Flash, Reader and Java exploits:

  • tdIj4muT.swf: wucgwyf.myftp[.]biz/781h9jb/?1c9233540613e4a442145f090708040104530a090751050f04510b5107560007;112202;233
  • seB_7Xk9.pdf: wucgwyf.myftp[.]biz/781h9jb/?5dc4f3d32acdb440590d010f520855060054500f525154080056515752565100
  • WsCh165x.jar: wucgwyf.myftp[.]biz/781h9jb/?2aa912285eb52291531300020509030d07515202055002030753535a0557070b

Binary downloads:

  • flashplayer11_7r15503_413_win.exe: wucgwyf.myftp[.]biz/781h9jb/?2af43fdb863dbf015719030f075d55570751550f070454590753545707035151;1;3
  • flashplayer11_7r15503_423_win.exe: wucgwyf.myftp[.]biz/781h9jb/?236a4633863dbf01574b535a000d02060703055a005403080701040200530600;2;3
  • (encoded and unnamed via java): wucgwyf.myftp[.]biz/781h9jb/?3b24c0123600ed51501a570f570b00070652010f575201090650005757550401;1;2

Load confirmation: wucgwyf.myftp[.]biz/781h9jb/?236a4633863dbf01574b535a000d02060703055a005403080701040200530600;2;3;1

As previously observed, the malware obtains geolocation from the j.maxmind.com geoip service, followed by a series of malformed DNS packets to 194.165.17.4, a known ZeroAccess CnC host (Ref. https://twitter.com/unixfreaxjp/status/361939633510174721).

[Image: realmomkitchen-malformed-dns (malformed DNS traffic)]

In this case, instead of the CnC traffic, we see just a single request to twinkcam[.]net/images/s.php?id=48 with a fake User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

At this point, all running applications are closed and the fake AV "Internet Security 2013," "designed to protect," begins a scan of the machine, finding "21 useless and unwanted files."

[Image: realmomkitchen-fake-av2 (Fake AV scan screen)]

VirusTotal:

Indicators:

  • Requests to j.maxmind.com/app/geoip.js with NO user agent or accept headers
  • Fake User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  • Malformed DNS requests to 194.165.17.4
  • Requests to twinkcam[.]net/images/s.php
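The URL shapes listed above and the indicators in this list can be turned into detection logic. The following Python is an added example written for this page, not code from the original post: it parses Fiesta-style request URIs (the 64-hex token plus optional ";n" counters seen in the exploit, payload and load-confirmation URLs, and the 32-hex landing path) and flags the MaxMind lookup with missing headers, the fake MSIE 6.0 User-Agent, the twinkcam[.]net check-in and any traffic to the ZeroAccess host. The URI patterns are an assumption derived only from the URLs in this post, the sample HTTP records are constructed for illustration, and the record shape is hypothetical (a real deployment would feed it from a proxy log or Zeek http.log).

```python
import re
from dataclasses import dataclass

# URI shapes derived from the Fiesta URLs in this post (assumption: other
# Fiesta installs may vary the first path segment or counter layout).
FIESTA_LANDING = re.compile(r"^/[a-z0-9]+/[0-9a-f]{32}/$")
FIESTA_REQUEST = re.compile(r"^/[a-z0-9]+/\?([0-9a-f]{64})((?:;\d+)*)$")

FAKE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
ZEROACCESS_CNC_IP = "194.165.17.4"


@dataclass(frozen=True)
class HttpRequest:
    """Hypothetical log record: host, request URI and headers as seen on the wire."""
    host: str
    uri: str
    headers: tuple  # ((name, value), ...)


def parse_fiesta(uri):
    """Return (token, [counters]) for a Fiesta exploit/payload URI, else None."""
    m = FIESTA_REQUEST.match(uri)
    if not m:
        return None
    token = m.group(1)
    counters = [int(c) for c in m.group(2).split(";") if c]
    return token, counters


def classify_http(req):
    """Return the list of indicator names matched by one HTTP request."""
    hits = []
    names = {n.lower(): v for n, v in req.headers}
    if FIESTA_LANDING.match(req.uri):
        hits.append("fiesta_landing")
    if parse_fiesta(req.uri) is not None:
        hits.append("fiesta_request")
    # The geoip lookup is suspicious only because a browser would send UA/Accept.
    if req.host == "j.maxmind.com" and req.uri.startswith("/app/geoip.js"):
        if "user-agent" not in names or "accept" not in names:
            hits.append("geoip_no_ua")
    if names.get("user-agent") == FAKE_UA:
        hits.append("fake_msie6_ua")
    if req.host == "twinkcam.net" and req.uri.startswith("/images/s.php"):
        hits.append("fakeav_checkin")
    return hits


def classify_conn(dst_ip):
    """Flag any flow to the ZeroAccess CnC host, whatever the port or protocol."""
    return ["zeroaccess_cnc"] if dst_ip == ZEROACCESS_CNC_IP else []


# Constructed sample records reproducing the sequence described in this post.
SAMPLE_HTTP = [
    HttpRequest("wucgwyf.myftp.biz",
                "/jh6pbgzxwf7nbq/a2061c3bc5854c46f54609df0b141304/",
                (("User-Agent", "Mozilla/5.0 (constructed browser UA)"),)),
    HttpRequest("wucgwyf.myftp.biz",
                "/781h9jb/?236a4633863dbf01574b535a000d02060703055a005403080701040200530600;2;3",
                (("User-Agent", "Mozilla/5.0 (constructed browser UA)"),)),
    HttpRequest("wucgwyf.myftp.biz",
                "/781h9jb/?236a4633863dbf01574b535a000d02060703055a005403080701040200530600;2;3;1",
                (("User-Agent", "Mozilla/5.0 (constructed browser UA)"),)),
    HttpRequest("j.maxmind.com", "/app/geoip.js", ()),
    HttpRequest("twinkcam.net", "/images/s.php?id=48", (("User-Agent", FAKE_UA),)),
]


def run_samples():
    """Classify every sample record; returns {uri: [indicators]}."""
    return {r.uri: classify_http(r) for r in SAMPLE_HTTP}


if __name__ == "__main__":
    for uri, hits in run_samples().items():
        print(f"{hits or ['-']}\t{uri}")
    print(classify_conn("194.165.17.4"))
```

Parsing the token separately is what makes the load confirmation easy to correlate: it carries the same 64-hex token as the second binary download, with an extra ";1" counter appended, so grouping requests by token ties a payload fetch to its confirmation even when the rest of the session is noisy.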