Magnitude Exploit kit delivering Fake AV and ZeroAccess to visitors of waverunnersfastpitch[.]net

[Image: waverunners]

Coming from a search engine, the initial redirect via JavaScript top.location.href (or document.location if that fails) leads to: dueksmpkquu.3innersim[.]info/?50af09f99a5c9545d7d541015a96fd97=20

[Image: waverunners-redirect]

Exploits:

  • .eot: /03bd1ddab41e274487db56386e64e80c.eot
  • .swf (404’d): /ea1b77cdafe0b1b1ff13b2796a74d113/1a66ae7141177bc9da4a857858ebbcd6.swf
  • unknown (404’d): /ea1b77cdafe0b1b1ff13b2796a74d113/ee6ca4fe68ea5cf5a20ca69ac108c612
  • .jar: /ea1b77cdafe0b1b1ff13b2796a74d113/3b9eb2b97478358060019bd2bb59f7ec

Payloads:

  • (note Content-Type: text/html) 95.211.158.225 /?8663798f8bf29b7806df3ee0dc142a02
  • unknown via Java (404’d): /ea1b77cdafe0b1b1ff13b2796a74d113/c4d3c9da128e4abe1083fef8534f1c44
  • encoded, via java: dueksmpkquu.3innersim[.]info/ea1b77cdafe0b1b1ff13b2796a74d113/0
  • encoded, via java: dueksmpkquu.3innersim[.]info/ea1b77cdafe0b1b1ff13b2796a74d113/1
  • encoded, via java: dueksmpkquu.3innersim[.]info/ea1b77cdafe0b1b1ff13b2796a74d113/3
  • encoded, via java: dueksmpkquu.3innersim[.]info/ea1b77cdafe0b1b1ff13b2796a74d113/4

[Image: 8663798f8bf29b7806df3ee0dc142a02-payload]

Geolocation using j.maxmind.com followed by ZeroAccess CnC traffic to 85.114.128.127 was observed shortly after the payloads were delivered.
Also observed were the following requests with the fake user agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1):

  • twinkcam[.]net/images/s.php?id=238
  • cinnamyn[.]com/images/s.php?id=238

At the time of this encounter dueksmpkquu.3innersim[.]info resolved to 95.211.158.225.
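To turn the indicators above into something a SOC can run over proxy logs, here is an added detection example (written for this write-up, not code from the original post). It assumes a tab-separated log format (epoch, client, host, path, user agent), which is constructed here along with the sample lines; the URL regexes are generalised from the Magnitude paths listed above (32-hex directory, then a 32-hex object name with optional extension or a single digit for the encoded stages); the j.maxmind.com request path and the 300-second correlation window between the geolocation lookup and the first contact with the ZeroAccess CnC IP are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up above.
KNOWN_HOSTS = {
    "dueksmpkquu.3innersim.info",  # Magnitude landing / exploit host
    "95.211.158.225",              # its IP at the time of the encounter
    "85.114.128.127",              # ZeroAccess CnC
    "twinkcam.net",                # s.php?id=238 check-ins
    "cinnamyn.com",
}
CNC_IP = "85.114.128.127"
GEO_HOST = "j.maxmind.com"
FAKE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# URL shapes generalised from the paths above (assumption: Magnitude uses a
# 32-hex directory, then a 32-hex object name with optional extension, or a
# single digit for the encoded payload stages).
HEX32 = r"[0-9a-f]{32}"
URL_RULES = [
    ("magnitude_landing", re.compile(rf"^/\?{HEX32}=\d+$")),
    ("magnitude_payload_root", re.compile(rf"^/\?{HEX32}$")),
    ("magnitude_exploit_root", re.compile(rf"^/{HEX32}\.(eot|swf|jar)$")),
    ("magnitude_stage", re.compile(rf"^/{HEX32}/({HEX32}(\.(eot|swf|jar))?|\d)$")),
    ("sphp_checkin", re.compile(r"^/images/s\.php\?id=\d+$")),
]

# Constructed sample log: epoch, client, host, path, user agent (tab separated).
# The j.maxmind.com path and the timestamps are made up for the example.
_BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
_ROWS = [
    (1383075900, "10.0.0.5", "waverunnersfastpitch.net", "/", _BROWSER_UA),
    (1383075905, "10.0.0.5", "dueksmpkquu.3innersim.info", "/?50af09f99a5c9545d7d541015a96fd97=20", _BROWSER_UA),
    (1383075910, "10.0.0.5", "dueksmpkquu.3innersim.info", "/03bd1ddab41e274487db56386e64e80c.eot", _BROWSER_UA),
    (1383075915, "10.0.0.5", "dueksmpkquu.3innersim.info", "/ea1b77cdafe0b1b1ff13b2796a74d113/3b9eb2b97478358060019bd2bb59f7ec", _BROWSER_UA),
    (1383075920, "10.0.0.5", "95.211.158.225", "/?8663798f8bf29b7806df3ee0dc142a02", _BROWSER_UA),
    (1383075925, "10.0.0.5", "dueksmpkquu.3innersim.info", "/ea1b77cdafe0b1b1ff13b2796a74d113/0", _BROWSER_UA),
    (1383075930, "10.0.0.5", "j.maxmind.com", "/", _BROWSER_UA),
    (1383075935, "10.0.0.5", "85.114.128.127", "/", _BROWSER_UA),
    (1383075940, "10.0.0.5", "twinkcam.net", "/images/s.php?id=238", FAKE_UA),
    (1383076000, "10.0.0.9", "example.com", "/index.html", _BROWSER_UA),
]
SAMPLE_LOG = "\n".join("\t".join(str(f) for f in row) for row in _ROWS)


def parse_line(line):
    """Split one tab-separated log line into a record dict."""
    ts, client, host, path, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": int(ts), "client": client, "host": host, "path": path, "ua": ua}


def classify(rec):
    """Return the list of indicator names a single request matches."""
    hits = []
    if rec["host"] in KNOWN_HOSTS:
        hits.append("known_host")
    for name, rx in URL_RULES:
        if rx.match(rec["path"]):
            hits.append(name)
    # The s.php check-ins were seen with a spoofed MSIE 6 user agent.
    if rec["ua"] == FAKE_UA and rec["path"].startswith("/images/s.php"):
        hits.append("fake_ua_checkin")
    return hits


def geo_then_cnc(records, window=300):
    """Flag clients that hit j.maxmind.com and then the CnC IP within `window` seconds.

    The write-up reports geolocation followed by CnC traffic; this is the
    sequence rule that captures it (window length is an assumption)."""
    last_geo = {}
    flagged = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["host"] == GEO_HOST:
            last_geo[r["client"]] = r["ts"]
        elif r["host"] == CNC_IP:
            t = last_geo.get(r["client"])
            if t is not None and 0 <= r["ts"] - t <= window:
                flagged.append((r["client"], t, r["ts"]))
    return flagged


def scan(log_text):
    """Return ({client: [(indicator, host, path), ...]}, [geo->CnC sequences])."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_client = defaultdict(list)
    for r in records:
        for h in classify(r):
            per_client[r["client"]].append((h, r["host"], r["path"]))
    return dict(per_client), geo_then_cnc(records)


if __name__ == "__main__":
    hits, sequences = scan(SAMPLE_LOG)
    for client, items in hits.items():
        print(client)
        for name, host, path in items:
            print(f"  {name:24} {host} {path}")
    print("geo->CnC sequences:", sequences)
```

The per-request rules are noisy on their own (a 32-hex path component is common in CDN URLs), so in practice they are worth alerting on only when combined with the known-host match or with the geolocation-then-CnC sequence, which is why `scan` returns both views separately.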

For more information regarding “Internet Security” fake AV, I recommend the following excellent posts:

VirusTotal:
03bd1ddab41e274487db56386e64e80c.eot:
https://www.virustotal.com/en/file/12a4caf1c5edc6587c5f9dab1e5b5bcc3e82aaf40c68b09629380579511b2d39/analysis/1383075954/

3b9eb2b97478358060019bd2bb59f7ec.jar:
https://www.virustotal.com/en/file/a12523a622a8daac152deafc6b98936bd6263d5969c693aa25e38181fffd932e/analysis/1383076085/

8663798f8bf29b7806df3ee0dc142a02:
https://www.virustotal.com/en/file/d2b1ae1fbcced9d87f318fa3a3855e22f0e7eccac93a62818528740999b5ede3/analysis/1383076165/