2016-02-06 – TRAFFIC ANALYSIS EXERCISE – NETWORK ALERTS AT CUPID’S ARROW ONLINE

Scenario:

You recently hired on as a security analyst for Cupid’s Arrow Online, the largest online retailer for novelty arrows world-wide.

Unfortunately, it’s after normal work hours, and you’re the only person reviewing network events. You silently curse your coworker Sven, who called in sick this evening. Maybe it’s for the best, though. Strange things tend to happen whenever Sven is around.

Later, you see alerts on suspicious activity. Time to investigate!

You identify the IP address and pull the associated traffic, along with the Snort and Suricata event logs. You were already examining some malicious emails that made it through the spam filter, so you have those items on hand. Finally, you retrieved a list of people on the network during the timeframe of these alerts (you might have to contact them about this activity).

We are given the 2 alert logs, List of employees online, traffic capture , and the 7 suspect emails.

The events:

Since we were already working on the emails lets start with the information retrieved from those.

092704-UTC
“Tsutsumi, Maki”,maki.tsutsumi,Network Security Engineer,mtsutsumi@cupidsarrowonline[.]com,555-4405
Malware Links:
http://kyocerachannelevent%5B.%5Dcom/wp-content/plugins/304.exe,
http://inoffsetnhatrang%5B.%5Dcom/wp-content/plp://kuriens%5B.%5Dcom/wp-content/plugin304.exe

093413-UTC
“Dekker, Justini H.”,justini.dekker,Finance Director,jdekker@cupidsarrowonline[.]com,555-5189
Malware Links:
http://helloworldqqq%5B.%5Dcom/34.exe
http://wtfisgoinghereff%5B.%5Dcom/34.exe  &nbsp; <— Interesting

114238-UTC
“Munro, Shane I.”,shane.munro,Help Desk Technician,smunro@cupidsarrowonline[.]com,555-2975
Malware Links:
(http://frisesctro%5B.%5Dcom/img/script%5B.%5Dphp?bqmns1.jpg&#8221;, “5174935.exe”, 1)
(http://frisesctro%5B.%5Dcom/img/script%5B.%5Dphp?bqmns2.jpg&#8221;, “9274935.exe”, 1);
(“http://frisesctro%5B.%5Dcom/img/script%5B.%5Dphp?bqmns3.jpg&#8221;, “1354869.exe”, 1);

133037-UTC
for <mtraugott@cupidsarrowonline[.]com>  <—”for” instead of “To:”
“Traugott, Matthias Y.”,matthias.traugott,Applicaion Support Engineer,mtraugott@cupidsarrowonline[.]com,555-1484
MalwareLinks:
(“http://frisesctro%5B.%5Dcom/img/script%5B.%5Dphp?bqmns1.jpg&#8221;, “5174935.exe”, 1);
(“http://frisesctro%5B.%5Dcom/img/script%5B.%5Dphp?bqmns2.jpg&#8221;, “9274935.exe”, 1);
(“http://frisesctro%5B.%5Dcom/img/script%5B.%5Dphp?bqmns3.jpg&#8221;,”1354869.exe”, 1);

 

134027-UTC
“Munro, Shane I.”,shane.munro,Help Desk Technician,smunro@cupidsarrowonline[.]com,555-2975
Malware Links:
http://wolftonesmusic%5B.%5Dcom/wp-content/plugins/304.exe
http://yevsey-tseytlin%5B.%5Dcom/wp-content/plugins/304.exe
http://zenyfood%5B.%5Dfr/wp-content/plugins/304.exe
http://visioni%5B.%5Din/wp-content/plugins/304.exe
http://wormswood%5B.%5Dcom/wp-content/plugins/304.exe
http://wrkdesigns%5B.%5Dcom/wp-content/plugins/304.exe&#8217;

182342-UTC
“Dekker, Justini H.”,justini.dekker,Finance Director,jdekker@cupidsarrowonline[.]com,555-5189
Malware Links:
http://g6series%5B.%5Dcom/wp-content/plugins/304.exe,
http://funkyweb%5B.%5Dfr/wp-content/plugins/304.exe,
http://formativamente%5B.%5Dit/wp-content/plugins/304.exe,
http://fxme%5B.%5Deu/wp-content/plugins/304.exe,
http://gesvilla%5B.%5Dcom/wp-content/plugins/304.exe

182343-UTC
“Ulyanova, Cleo C.”,cleo.ulyanova,System Administrator,culyanova@cupidsarrowonline[.]com,555-8544
Malware Links:
http://enzymebiosystems%5B.%5Dcom/wp-content/plugins/304.exe,
http://datla%5B.%5Dinfo/wp-content/plugins/304.exe,
http://elenasuleymanova%5B.%5Dcom/wp-content/plugins/304.exe,
http://estelalcaraz%5B.%5Dcom/wp-content/plugins/304.exe,
http://daughterofisrael%5B.%5Dorg/wp-content/plugins/304.exe

 

Above we see the names of the users associated with the emails and the locations that the embedded malware was looking for.

If we look at the alert logs we see pretty much every alert is for 10.41.245.114

Name: DEKKER-PC<00> (Workstation/Redirector)

MAC: 00:17:31:7d:52:ba

IP: 10.41.245.114

If we put a filter in Wireshark of  “!(ip.addr eq 10.41.245.114)” we can filter out the traffic for the known infected host to see if anymore were there. There wasn’t.

Looking at the links from the malware in the emails, none show up in the network traffic.

Also while looking at the emails we see something strange.

Email-c

What is wrong with this picture ?

If you said the “To:” field you would be right. So what is causing the problem ?

emailcomp-b

As we can see here this email was either tampered with or created using a program that had a problem. If we remove the extra spaces and change “for” to “To:” we now get this.

HeaderRepaird-c

 

After Seeing that the traffic and alerts all belong to the DEKKER-PC we go back and verify the links in the malware extracted from the emails, and that there are no embed links in the email that will direct him to a malware download.

So how the heck did he get infected ? Back to the alert logs.

If we look at the snort log we see this.

log1

This is hard to see like this but at the top there is an alert 02/05-21:28:20.878878 for Attempted User Privilege Gain.

The first part of that script is checking user agent strings.

One of the next alert is for “Sensitive Data”. In fact when located, it is a script for “user like”. This is starting to look like they clicked on that they ‘Liked” something.

FBLike

Above is the source it comes from.

Next is a DNS query for bsbkxs.zdxwx3m[.]pw then we land on the page that redirects to the Angler exploit kit.

Finally the last item in the screen shot is the alert for the angler exploit kit page. Below.

AnglerEKPNG

It is defiantly very distinctive.

After looking at the traffic and malware sites the chain of infection can best be followed by looking at the DNS request.

 

DNS-Chain-c

 

The comments in between are for DNS query’s that are not shown, just my thoughts at the time.

From this we see that the user logged into Yahoo Mail , next they clicked on an ad for German Coffee then clicked on an ad for  a Site in German that translates to 

“Promotional products, promotional advertising gifts”

While viewing this site (www.source-werbeartikel[.]com   213.174.33.141 ) they clicked the “Like” button which triggered the the malware along with opening Facebook to record their star rating.

While on Facebook they appeared to click and view a few more items and “Liking” one other page.

On the Malware side:

When clicking the Like button it triggers the embeded flash item.
See screenshot above or the source code.

After clicking on the Like button they landed at  (lsbery[.]tk 85.93.0.32 )

Full request URI: http: //lsbery[.]tk/shop.php?sid=4046AAB187AB2C1563B214BE7AC6702950B304E2E9E1696E18244B8501B268FD92DA0D313D2273E24C283B

From here it opens a flash file  (x-flash-version: 15,0,0,189) from the above link

Create a new page and redirects to (http:// bsbkxs.zdxwx3m[.]pw/civis/index.php?PHPSESSID=3.b7&action=714324p02212u2q4548f8)

This is the Angler EK Landing page.

Here it does a post of a some form of base 64 encoding string .

Full request URI: http:[//]bsbkxs.zdxwx3m.pw/civis/so[.]cpg?directly=-pf&commission=&important=n0IP&color=xMZn&and=&analysis=doL0EY
&hundred=nJBKRWWP4&name=Xe5tZx&any=bMXK&certain=aWh-AJtz7&rather=PEd

It also calls out to

Full request URI: http:[//]bsbkxs.zdxwx3m[.]pw/charge.zhtml?dead=sVShjH&society=KgXs1bcH&level=O29Gm9T3&go=VdL&
once=XN3S3cuYQ&way=Z41t&nothing=sTJVXv7X&art=Jw

This request resulted in a Malformed Packet.

The next response is yet another Flash file Download. ( x-flash-version: 15,0,0,189)

That finally leads us to.

Full request URI: http:[//]bsbkxs.zdxwx3m[.]pw/today.jst?technical=_MNsOrB&captain=&something=gxPx-&own=&themselves=T_wh7g5&eye=l3_LBg&citizen=zdelxIDGFLQvZFA8KbsEuiX

This in turn  downloads an encrypted file which should be the final payload.

As of the writing I have not been able to acquire the malware payload in the decrypted form.

Wireshark Filters:

Using the following filters we can quickly filter down to the affected traffic for each site.

ip.addr eq 213.174.33.141 and (http.request or http.response)   source-werbeartikel.com
ip.addr eq 85.93.0.32 and (http.request or http.response)       lsbery.tk
ip.addr eq 86.106.93.167 and (http.request or http.response)    bsbkxs.zdxwx3m.pw
See what they Read
ip.addr eq 128.183.114.107 and (http.request or http.response)  nssdc.gsfc.nasa.gov

Recommendations:

Follow up with the recipients of the spam email to make sure they didn’t open and run them by accident. (Like, um , I did Winking smile)

Follow up with the User, Dekker, Justini H to verify the extent of the infection and find out what was run on the system.

Warn user about clicking “Like” on unknown pages.

Advertisements

About pcsxcetrasupport3

My part time Business, I mainly do system building and system repair. Over the last several years I have been building system utility's in vb script , HTA applications and VB.Net to be able to better find the information I need to better understand the systems problems in order to get the systems repaired and back to my customers quicker.
This entry was posted in Computer, Malware, Networking, security and tagged , . Bookmark the permalink.