Dotcachef exploit kit at thmm[.]com delivering ZeroAccess

[Screenshot: thmm]

For excellent background info on Dotcachef, please see the following posts:

thmm[.]com hosts content for Sonoma Valley news site news.sonomaportal[.]com.
Upon visiting news.sonomaportal[.]com after clicking through a Google search result, JavaScript at ecolup[.]biz/aea479a1.js?cp=thmm.com is executed, which results in a 302 redirect to the landing page at xn--l1adgmc.xn----btbtxaari[.]xn--p1ai/cache/previousSkinFiles/ms/css/a06e36d95f/?=MDct5ibpFWbf12c8NjN1ATOxUTM0MzN2UTN89iZ1kDZ2MTZ2ATYvM3cj9yct9yclxWaG5WarN1c19Wa2Vmcw9SZoNWYj9SahFDct0ib45SayFWY4RnY0JWLt0SLuhnLj12ZkFWMs1SLuh3LvoDc0RHa8NnZ

Copy at [pastebin] for your review.

[Screenshot: thmm-302]

*Although .xn--p1ai appears to be an odd domain, it is in fact the Cyrillic country code TLD .рф or .rf for the Russian Federation [wikipedia]

I found a useful online tool that will convert the domain punycode into its Cyrillic form at mct.verisign-grs.com
In this case xn--l1adgmc.xn----btbtxaari[.]xn--p1ai converts to форум.ооои-брс[.]рф and appears to be a legitimate site that has been compromised.
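The same conversion can be done offline with Python's built-in idna codec, which is handy when a punycode host shows up in proxy logs and you don't want to paste it into a web form. The following is an added example, not code from the post: it refangs a "[.]"-defanged hostname, decodes each xn-- label, re-defangs the result for a report, and flags any single label that mixes scripts (the classic homograph tell); the sample hostname is the landing-page host from the post with its hyphens restored to the four the wire form actually carries.

```python
import unicodedata
from typing import List, Set, Tuple

# Constructed sample: the landing-page host from the post, defanged with "[.]".
# The middle label is xn----btbtxaari (four hyphens); blog software often
# mangles runs of hyphens into dashes, so check for that before decoding.
SAMPLE_DEFANGED = "xn--l1adgmc.xn----btbtxaari[.]xn--p1ai"


def refang(domain: str) -> str:
    """Turn a defanged indicator ("[.]") back into a real hostname for decoding."""
    return domain.replace("[.]", ".")


def defang(domain: str) -> str:
    """Defang every dot so the decoded name cannot be clicked in a report."""
    return domain.replace(".", "[.]")


def decode_labels(domain: str) -> List[Tuple[str, str]]:
    """Return (wire_label, unicode_label) pairs for each DNS label.

    A-labels (xn--...) are decoded with Python's idna codec, which also
    verifies that the label round-trips; a malformed label is kept verbatim
    so it still appears in the report instead of being silently dropped.
    """
    pairs = []
    for label in refang(domain).split("."):
        unicode_label = label
        if label.lower().startswith("xn--"):
            try:
                unicode_label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        pairs.append((label, unicode_label))
    return pairs


def to_unicode_defanged(domain: str) -> str:
    """Human-readable form of a (defanged) punycode hostname, re-defanged."""
    return defang(".".join(u for _, u in decode_labels(domain)))


def letter_scripts(label: str) -> Set[str]:
    """Scripts of the letters in a label, taken from the first word of each
    character's Unicode name (e.g. CYRILLIC, LATIN); digits and hyphens ignored."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(label: str) -> bool:
    """True when one label mixes letters from more than one script, the
    hallmark of a lookalike; a wholly Cyrillic label like the compromised
    forum here is not mixed and still needs a human to judge."""
    return len(letter_scripts(label)) > 1


def report(domain: str) -> List[str]:
    """One line per label: wire form, decoded form, scripts, mixed-script flag."""
    lines = []
    for wire, uni in decode_labels(domain):
        scripts = ",".join(sorted(letter_scripts(uni))) or "-"
        flag = " MIXED-SCRIPT" if is_mixed_script(uni) else ""
        lines.append(f"{wire} -> {uni} [{scripts}]{flag}")
    return lines


if __name__ == "__main__":
    print(to_unicode_defanged(SAMPLE_DEFANGED))
    for line in report(SAMPLE_DEFANGED):
        print(line)
```

Decoding per label rather than decoding the whole string means one bad label does not hide the others, and keeping the wire form next to the Unicode form in the report preserves the exact indicator that appears in the logs.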

  • .jar (CVE-2013-1493): xn--l1adgmc.xn----btbtxaari[.]xn--p1ai/cache/previousSkinFiles/ms/css/a06e36d95f/?f=s&k=5567341519056311
  • payload: xn--l1adgmc.xn----btbtxaari[.]xn--p1ai/cache/previousSkinFiles/ms/css/a06e36d95f/?f=sm_main.mp3&k=5567341519056322

*Several requests for app.jnlp were observed but they were met with 404s, possibly a misconfiguration as they were requested from news.sonomaportal[.]com. In this case they would have been ineffective as I was using JRE 6.24.

[Screenshot: thmm-404]

Note binary payload disguised as audio/mpeg content type.

[Screenshot: thmm-payload]
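A declared Content-Type that contradicts the body's leading bytes is a cheap, high-signal detection for this kind of delivery. The following is an added example, not code from the post: it sniffs a response body for the PE, ZIP (.jar) and MPEG-audio signatures, compares that with the declared Content-Type under a small constructed policy table, and reports a finding when an executable arrives under an audio label as it did here. The sample responses are constructed byte stubs, not the captured payload.

```python
from typing import Dict, Optional


def sniff_body(body: bytes) -> str:
    """Classify a response body by its leading bytes, ignoring the declared type.

    Signature table (constructed, not exhaustive): PE executable, ZIP container
    (which is what a .jar is), and the two common starts of an MPEG audio stream.
    """
    if body.startswith(b"MZ"):
        return "pe"
    if body.startswith(b"PK\x03\x04"):
        return "zip"
    if body.startswith(b"ID3"):
        return "mpeg-audio"
    # MPEG audio frame sync: 11 set bits, then a layer field that is not the reserved "00"
    if len(body) >= 2 and body[0] == 0xFF and (body[1] & 0xE0) == 0xE0 and (body[1] & 0x06) != 0:
        return "mpeg-audio"
    return "unknown"


# What a declared Content-Type is allowed to carry (constructed policy table).
ALLOWED: Dict[str, set] = {
    "audio/mpeg": {"mpeg-audio"},
    "application/java-archive": {"zip"},
    "application/x-msdownload": {"pe"},
}


def content_type(headers: Dict[str, str]) -> str:
    """Lower-cased media type without parameters ('audio/mpeg; charset=x' -> 'audio/mpeg')."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""


def mismatch(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Return a short finding when the sniffed body type contradicts the declared
    Content-Type, or when a PE arrives under any label that does not permit it;
    None when the response is consistent or we have no policy for its type."""
    declared = content_type(headers)
    sniffed = sniff_body(body)
    if sniffed == "pe" and "pe" not in ALLOWED.get(declared, set()):
        return f"executable (MZ) served as {declared or '<none>'}"
    allowed = ALLOWED.get(declared)
    if allowed is not None and sniffed not in allowed:
        return f"{declared} declared but body looks like {sniffed}"
    return None


# Constructed sample responses (not captures from the post): an MP3 under
# audio/mpeg, a PE stub under audio/mpeg as described in the post, and a jar.
SAMPLE_OK = ({"Content-Type": "audio/mpeg"}, b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 16)
SAMPLE_BAD = ({"Content-Type": "audio/mpeg"}, b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)
SAMPLE_JAR = ({"Content-Type": "application/java-archive"}, b"PK\x03\x04\x14\x00" + b"\x00" * 24)

if __name__ == "__main__":
    for name, (hdrs, body) in [("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("jar", SAMPLE_JAR)]:
        print(name, mismatch(hdrs, body))
```

The PE rule is checked before the policy lookup on purpose: a Windows executable under an unknown or missing Content-Type is worth a finding on its own, whereas an unknown body under an unknown type is not.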

Shortly after the payload was delivered, traffic to known ZeroAccess CnC at 85.114.128.127 was observed.

VirusTotal:
.jar:
https://www.virustotal.com/en/file/78ebd63a0eb3a22b2dd17425b366e2e67a8b667e5bf598afc946d5818969a9b8/analysis/1381485925/

payload:
https://www.virustotal.com/en/file/fe73e53a7136898bdc9f453b22aa43d18ff933131709eed9c515a66e8bbf488a/analysis/1381485857/

At the time of this encounter ecolup.biz resolved to 103.31.186.81.
Passive DNS shows a few other suspect domains on that IP.

xn--l1adgmc.xn----btbtxaari[.]xn--p1ai (форум.ооои-брс[.]рф) resolved to 46.36.217.130.