Magnitude Exploit kit (formerly known as Popads) at haengineering[.]net leads to ZeroAccess with a side of Fake AV

[Screenshot: haengineering]

When the victim clicks through a link from a search engine, injected script on haengineering[.]net redirects them to the landing page at jmhneglnxkwj.6galvagu[.]info/?b1683bc84f9d540d55a2501815fd7afe=20
(Copy at [pastebin] for your review)

[Screenshot: haengineering-injection]

The landing page contains code to deliver several exploits (some of the exploit files returned 404 during this encounter).

  • .eot (CVE-2011-3402): jmhneglnxkwj.6galvagu[.]info/5e2cbeafecc088b47aaf5339d5f5ab87.eot
  • .swf (404 not found): jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/19d2e85c7ace592d29ddfe94e09fab18.swf
  • .html (CVE-2013-2551): jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/6c41af59a6b08e028a913ef34a93a2ec.html
  • .jnlp (404 not found): jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/dd48b16d3bc0a1796d5bf79f69d1f2ed.jnlp
  • .jar: jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/0919e06ba916b6e6b7d3784d6364f69b.jar

Payloads (the encoded payloads were fetched via Java)

  • 5.133.179.188/?5ff70b8bf829919c1a30abb4f9798825
  • (encoded): jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/0
  • (encoded): jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/1
  • (encoded): jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/4
  • (404 not found): jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/5

Interesting to see the initial payload obtained directly from the IP and all the others from a domain name. Passive DNS shows a pattern of suspicious domains at that IP: http://www.bfk.de/bfk_dnslogger.html?query=5.133.179.188#result

A GeoIP lookup to j.maxmind.com/app/geoip.js was observed shortly after the initial payload was delivered, followed by UDP traffic to the known ZeroAccess CnC at 85.114.128.127.

[Screenshot: haengineering-zeroaccess]

Finally, a couple of check-ins with the fake User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1):

  • twinkcam[.]net/images/s.php?id=225
  • cinnamyn[.]com/images/s.php?id=225
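As an added example (my own detection logic, not part of the original post), a small Python scanner that flags the URL shapes of this chain in proxy logs: the `?<32-hex>=<n>` landing page, the `<32-hex>/<32-hex>.<ext>` exploit files, the numeric encoded-payload fetches, the hash-only fetch from a bare IP, and the `/images/s.php?id=` check-ins with the fake MSIE 6.0 User-Agent. The log format, the sample lines and the rule names are constructed for this example; hostnames are kept defanged as in the write-up and the scanner un-defangs them.

```python
import re
from urllib.parse import urlsplit

# Path/query shapes seen in this Magnitude encounter; the rule names are my own labels.
URL_RULES = [
    ("magnitude_landing", re.compile(r"^/\?[0-9a-f]{32}=\d+$")),
    ("magnitude_exploit", re.compile(r"^(?:/[0-9a-f]{32})?/[0-9a-f]{32}\.(?:eot|swf|html|jnlp|jar)$")),
    ("magnitude_encoded_payload", re.compile(r"^/[0-9a-f]{32}/\d+$")),
    ("payload_from_bare_ip", re.compile(r"^/\?[0-9a-f]{32}$")),
]
CHECKIN_PATH = re.compile(r"^/images/s\.php\?id=\d+$")
FAKE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')  # constructed format: client method url "ua"

def classify(url, user_agent):
    """Return the list of rule names a single proxy-log request matches."""
    parts = urlsplit(url.replace("[.]", "."))  # accept defanged URLs as well
    host = parts.hostname or ""
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    hits = [name for name, rx in URL_RULES if rx.match(path_q)]
    if "payload_from_bare_ip" in hits and not BARE_IP.match(host):
        hits.remove("payload_from_bare_ip")  # only the IP-hosted fetch is the distinguishing trait
    if CHECKIN_PATH.match(path_q) and user_agent == FAKE_UA:
        hits.append("fake_msie6_checkin")
    return hits

def scan(log_text):
    """Parse log lines and return [(client, url, hits)] for every flagged request."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, url, ua = m.groups()
        hits = classify(url, ua)
        if hits:
            flagged.append((client, url, hits))
    return flagged

# Constructed sample log (not the original capture), mirroring the request sequence above.
SAMPLE_LOG = """\
10.0.0.5 GET http://jmhneglnxkwj.6galvagu[.]info/?b1683bc84f9d540d55a2501815fd7afe=20 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
10.0.0.5 GET http://jmhneglnxkwj.6galvagu[.]info/5e2cbeafecc088b47aaf5339d5f5ab87.eot "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
10.0.0.5 GET http://jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/0919e06ba916b6e6b7d3784d6364f69b.jar "Mozilla/4.0 (Windows XP) Java/1.7.0_17"
10.0.0.5 GET http://5.133.179.188/?5ff70b8bf829919c1a30abb4f9798825 "Mozilla/4.0 (Windows XP) Java/1.7.0_17"
10.0.0.5 GET http://jmhneglnxkwj.6galvagu[.]info/0c7266d0e3ac00089fec641d1a083c69/1 "Mozilla/4.0 (Windows XP) Java/1.7.0_17"
10.0.0.5 GET http://twinkcam[.]net/images/s.php?id=225 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.7 GET http://example.org/images/logo.png "Mozilla/5.0 (Windows NT 6.1; Trident/7.0)"
"""
```

Running `scan(SAMPLE_LOG)` flags the six requests of the chain and leaves the unrelated logo fetch alone; the check-in rule fires only when the path and the fake User-Agent occur together.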


VirusTotal reports:
5e2cbeafecc088b47aaf5339d5f5ab87.eot:
https://www.virustotal.com/en/file/83b09f673fea53468e2c596568b69174aaa1e271796d3a1668187b54dec2c7e7/analysis/1381055190/

6c41af59a6b08e028a913ef34a93a2ec.html:
https://www.virustotal.com/en/file/cc93040ca9850c970c004dd69d6e3f3115afae4b90d949e3c037940be7094a3c/analysis/1381055274/

0919e06ba916b6e6b7d3784d6364f69b.jar:
https://www.virustotal.com/en/file/a0cde28320cd74beb0b66510be23ca0e7a0ae56d99e14d608558a420ca07c187/analysis/1381055354/

5ff70b8bf829919c1a30abb4f9798825:
https://www.virustotal.com/en/file/4e304bd616a557a7e1de7ef319c9e1fdefe2d1f706357ff649ce6a69411ccbec/analysis/1381055417/

0:
https://www.virustotal.com/en/file/4e304bd616a557a7e1de7ef319c9e1fdefe2d1f706357ff649ce6a69411ccbec/analysis/1381055485/

1:
https://www.virustotal.com/en/file/b48ccbd23e96b9f3be41d739f1ec24360321360dc6e48a5f9d593b9e1c26354f/analysis/1381055642/

4:
https://www.virustotal.com/en/file/800692437ccfe828c546edf536eade0f11494764c8dc5ac6da30cfa94051a02a/analysis/1381055905/

* A URLQuery report shows that haengineering[.]net has also been used for phishing: http://urlquery.net/report.php?id=6270677