Looking inside this script, we find some really interesting results. Inside the script a big chunk of code is obfuscated with a permutative encoding algorithm.
After deobfuscation the malicious iFrame code looks like this:
A code block inside the iFrame redirects us to the latest version of the Blackhole Nuclear Pack exploit kit.
At the next stage of the exploitation process, the malicious Java applet at hxxp://094t8g.qktsnwukvi.webhop.net//images/274e0118278c38ab7f4ef5f98b71d9dc.jar (Java/Exploit.CVE-2012-0507.J) uses these parameters to decode a URL pointing to the executable payload. Without this parameter the URL can't be decoded, and so not every step of the attack can be followed.
The structure of objects in a Java/Exploit.CVE-2012-0507.J sample looks like this:
The special parameter needed to decode the URL (hxxp://094t8g.qktsnwukvi.webhop.net/server_privileges.php?7e9f0e75503391ed492e5abe22e1989e=2) that serves the payload (in this case Win32/TrojanDownloader.Carberp.AH) is found in the method MyStart(String paramString), which contains the decoding algorithm.
Attackers search for ways to extend the lifetime of each obfuscation iteration and of each infection of a legitimate website. It's a natural evolution for drive-by download attacks to include malicious code that employs proactive techniques for detecting real user activity and bypassing malware-collecting systems.
All malicious domains at the time of publication are hosted in the network belonging to Leksim Ltd/RELNET-NET AS5577.
It’s not the first time this hosting provider has been involved in such activities and in April last year we were already seeing incidents originating from this network.
Here’s a list of the more active domains over 24 hours:
(1) Aleks reports:
On April 3rd, IPs with Blackhole migrated to the latest version of Nuclear Pack.
GET hxxp://dx6ts.yfwumdwyei.is-a-hunter.com/g/3854063525500425.js 188.8.131.52
GET hxxp://yfwumdwyei.is-a-hunter.com/main.php?page=4f086f0830a83d5f 184.108.40.206 [Blackhole]
GET hxxp://094t8g.qktsnwukvi.webhop.net/g/017432546059324.js 220.127.116.11
GET hxxp://qktsnwukvi.webhop.net/main.php?page=4f086f0830a83d5f 18.104.22.168 [Blackhole]
GET hxxp://pqiyoc.qktsnwukvi.webhop.net/g/697079368134578.js 22.214.171.124
GET hxxp://094t8g.qktsnwukvi.webhop.net/server_privileges.php?e843aac68e6c4d6126926e60a1781536=2 126.96.36.199 [Nuclear Pack]
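The request lines above are the kind of data a defender turns into blocklist or IDS indicators. What follows is an added example, not code from the original post or from ESET: a small Python script that parses request lines in the shape shown above, groups the hosts by the exploit-kit label, records the resolved IPs and the stable landing-script paths, and collapses each host to the dynamic-DNS name the attacker registered so that sibling subdomains (new random labels under the same name) are also matched. The input is the six request lines exactly as they appear in the update; the assumption that the dynamic-DNS providers here hand out names directly under a two-label parent (is-a-hunter.com, webhop.net) is mine, not the post's.

```python
import re
from collections import defaultdict

# The six request lines as listed in the update above (scheme left defanged).
OBSERVED_REQUESTS = """\
GET hxxp://dx6ts.yfwumdwyei.is-a-hunter.com/g/3854063525500425.js 188.8.131.52
GET hxxp://yfwumdwyei.is-a-hunter.com/main.php?page=4f086f0830a83d5f 184.108.40.206 [Blackhole]
GET hxxp://094t8g.qktsnwukvi.webhop.net/g/017432546059324.js 220.127.116.11
GET hxxp://qktsnwukvi.webhop.net/main.php?page=4f086f0830a83d5f 18.104.22.168 [Blackhole]
GET hxxp://pqiyoc.qktsnwukvi.webhop.net/g/697079368134578.js 22.214.171.124
GET hxxp://094t8g.qktsnwukvi.webhop.net/server_privileges.php?e843aac68e6c4d6126926e60a1781536=2 126.96.36.199 [Nuclear Pack]
"""

# One request per line: method, defanged URL, resolved IP, optional [kit label].
LINE_RE = re.compile(
    r"^GET\s+hxxps?://(?P<host>[^/\s]+)(?P<path>\S*)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\s+\[(?P<tag>[^\]]+)\])?\s*$"
)

# Assumption (mine, not from the post): these dynamic-DNS providers hand out
# names directly under a two-label parent, so the attacker-controlled name is
# the label just below the parent and anything beneath it is a sibling.
DYNDNS_PARENTS = {"is-a-hunter.com", "webhop.net"}


def parse_requests(text):
    """Return a list of dicts (host, path, ip, tag) for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or malformed lines rather than guessing
        rec = m.groupdict()
        rec["tag"] = rec["tag"] or "unlabelled"
        records.append(rec)
    return records


def attacker_name(host):
    """Collapse a host to the name the attacker registered with the DynDNS provider."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        if i > 0 and ".".join(labels[i:]) in DYNDNS_PARENTS:
            return ".".join(labels[i - 1:])
    return host.lower()


def build_indicators(records):
    """Aggregate parsed requests into sets a blocklist or IDS rule can consume."""
    ind = {
        "hosts": set(),
        "ips": set(),
        "attacker_names": set(),
        "hosts_by_kit": defaultdict(set),
        "landing_scripts": set(),
    }
    for r in records:
        host = r["host"].lower()
        ind["hosts"].add(host)
        ind["ips"].add(r["ip"])
        ind["attacker_names"].add(attacker_name(host))
        ind["hosts_by_kit"][r["tag"]].add(host)
        # The kit's landing/serving scripts are the part of the URL that stays
        # stable while the query-string token changes per visitor.
        script = r["path"].split("?", 1)[0]
        if script.endswith(".php"):
            ind["landing_scripts"].add(script)
    return ind


def is_known_bad_host(host, ind):
    """True if host, or the DynDNS name it hangs off, is in the indicator set."""
    h = host.lower()
    return h in ind["hosts"] or attacker_name(h) in ind["attacker_names"]


if __name__ == "__main__":
    ind = build_indicators(parse_requests(OBSERVED_REQUESTS))
    for kit, hosts in sorted(ind["hosts_by_kit"].items()):
        print(f"{kit}: {', '.join(sorted(hosts))}")
    print("attacker DynDNS names:", ", ".join(sorted(ind["attacker_names"])))
    print("IPs:", ", ".join(sorted(ind["ips"])))
    print("landing scripts:", ", ".join(sorted(ind["landing_scripts"])))
```

Matching on the collapsed DynDNS name rather than the full host is the point of the design: the random subdomains (dx6ts, 094t8g, pqiyoc) rotate, while the registered name (yfwumdwyei.is-a-hunter.com, qktsnwukvi.webhop.net) and the landing scripts (main.php, server_privileges.php) are what stay constant across the observed requests.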
(2) Steve Burn points out that AS5577 is actually Root eSolutions/Root SA: Leksim is one of their customers. A post at http://hphosts.blogspot.co.uk/2009/11/crimeware-friendly-isps-root-esolutions.html refers.
[Further update: there's a useful report of a major Nuclear Pack-related incident from Fox-IT at http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/. However, in the case that Aleksandr has been looking at, there's an updated version that includes Java/Exploit.CVE-2012-0507.]
[Update: it turns out that it’s not Blackhole, but Nuclear Pack Version 2.0. Our apologies for the confusion. I’m hoping we’ll have more information for you shortly.]