Malware-serving theaters for your android phones - Part 1

Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall the address very well, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater's official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player. I laughed loudly and showed it to my (again, totally non-nerd) friends, saying that the site had been owned. One of them went on and opened the site with her own phone (Samsung Galaxy S Advance with Android 4.4.1 and the default Android WebKit browser). To make a long story short, after a few instants her phone was downloading a file without even asking her for confirmation. So: Chrome on my Nexus 4 was being served social engineering to have me click on a link and manually download the file; Android's WebKit on her Galaxy S Advance was instead downloading the file straight away: interesting! However, we were a bit late and we had to run for the comedy, so I did not even bother to see what the heck she had downloaded; I only made sure she hadn't opened it. I thought it was just the usual exploit kit trying to infect PCs by serving fake Flash Player updates; I had seen tons of those. While waiting for the comedy to begin, I quickly submitted the compromised site to three different services, the first three that came to my mind: HoneyProxy Client, Wepawet and Unmask Parasites, then turned off my phone and enjoyed the show.

The day after, I decided to spend some minutes analyzing that exploit kit (you know, just in case...). First of all, the compromised site was made with Joomla 1.7, an older release that has a quite long list of security updates in its short history (http://docs.joomla.org/Joomla_1.7_version_history) and is now deprecated in favor of Joomla 2.5. I wish I had access to that web server's logs, those would be quite funny!

However, looking at the source code of the compromised pages, I saw that the malicious javascript was injected at the very beginning of the page, as shown here.

As you can see (even if the image is cropped), the JavaScript is composed of two main IF clauses. The first one checks whether the User-Agent string may indicate a robot, in which case nothing is done; instead, if this looks like a real browser, the code calls a function that creates an iframe pointing to "novostivkontakte.ru /?id=ifrm" and adds it to the page. Then, if the User-Agent string indicates this might be a mobile phone, the second IF clause also tries to use some basic JavaScript functions to trigger a full-page redirection to the same URL, but passing in a different parameter: "/?id=mob". Uhm, sounds interesting: an exploit kit with some code specific to mobile phones. I had never seen that, but maybe it's only because lately I had been working on other topics.

I reported the breach to the site owners right after finishing the analysis, on December 30, and they answered on December 31 saying they would clean it as soon as possible. This afternoon (January 7) I checked and the site was clean, but tonight it's compromised again, so it looks like the owners did not patch the vulnerability. The exploit is probably being spread in a mechanized way, and a quick Google search seems to confirm this hypothesis: the malicious code was injected into more than 82,100 different pages, and those are probably only the ones that did not get compromised because the injection failed and the JavaScript code is showing up as text instead of being executed (see here).

Well, after that, I looked at the results of the three scans I had run the night before. To my surprise, there was almost nothing in them:

  1. HoneyProxy Client did show a connection towards "novostivkontakte.ru" which was creating an iframe pointing to "ietoolah.somenotess.com:8000" which contained some obfuscated javascript, however no exploit was run or, at least, no interesting file (PE EXE, PDF, SWF or the like) was downloaded;
  2. Wepawet died on me several times while trying to run it, so I gave it up;
  3. Unmask Parasites was tagging the site as suspicious as it had found some javascript code outside the proper <script> tags.

And that was all. So, I decided to run the site through Thug with the default personality (winxpie60) and - man! - that was deceiving! Nothing found. Absolutely nothing. Not even a single tiny call to a .ru domain or anything of the like. The only external site was www.facebook.com, which was legitimate content of the theater's site.

Fortunately, Thug's author Angelo "Buffer" Dell'Aera (our Boss, our Leader, our Shining Star) was wise enough to provide his wonderful tool with an awesome set of different personalities: if the exploit kit did not like Internet Explorer 6, maybe I could fool it with a Galaxy S II with Google Chrome 18 and Android 4.0.3, since it was checking for mobile phones. Guess what, that did the trick! This time, after a few seconds, Thug got redirected to "novostivkontakte.ru", which in turn pointed to "raykola.net", then to "real-chudo.ru" and "klub0-raduga.ru", from which three different APKs were downloaded.

For those interested, this is a small excerpt of Thug's JSON logs:

"connections": [
  {
    "source": "hxxp:// www.[compromised_site].com /",
    "destination": "hxxp:// novostivkontakte.ru /?id=mob",
    "flags": {},
    "method": "href"
  },
  {
    "source": "hxxp:// www.[compromised_site].com /",
    "destination": "hxxp:// novostivkontakte.ru /?id=mob",
    "flags": {},
    "method": "window open"
  },
  {
    "source": "hxxp:// novostivkontakte.ru /?id=mob",
    "destination": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9/",
    "flags": {},
    "method": "meta"
  },
  {
    "source": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9/",
    "destination": "hxxp:// real-chudo.ru /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9%2F",
    "flags": {},
    "method": "http-redirect"
  },
  {
    "source": "hxxp:// real-chudo.ru /tmpsrc/d586495364701f9ec770e3b9df2df318/video.apk",
    "destination": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9/",
    "flags": {},
    "method": "window open"
  },
  {
    "source": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9/",
    "destination": "hxxp:// klub0-raduga.ru /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9%2F",
    "flags": {},
    "method": "http-redirect"
  },
  {
    "source": "hxxp:// real-chudo.ru /tmpsrc/d586495364701f9ec770e3b9df2df318/video.apk",
    "destination": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9",
    "flags": {},
    "method": "href"
  },
  {
    "source": "hxxp:// real-chudo.ru /tmpsrc/d586495364701f9ec770e3b9df2df318/video.apk",
    "destination": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9",
    "flags": {},
    "method": "window open"
  },
  {
    "source": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9",
    "destination": "hxxp:// klub0-raduga.ru /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9",
    "flags": {},
    "method": "http-redirect"
  }
]

The same result could be achieved by selecting the iPad personality (ipadsafari7) or any other Android one (galaxy2chrome18, galaxy2chrome25, galaxy2chrome29), so it looks like the exploit kit does not really care which operating system your phone actually runs: it always serves you an Android app.
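As an added example (not part of the original post or of Thug itself), here is a small Python script that reconstructs the host-by-host redirect chain and the served APK URLs from a Thug-style "connections" log such as the one quoted above. The sample log is constructed from the post's entries; "www.compromised-site.example" is a placeholder for the theater's site.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of Thug's "connections" log, defanged the way the post
# quotes it ("hxxp:// host /path"); hostnames, ids and the APK path are the post's own.
SAMPLE_LOG = """{"connections": [
 {"source": "hxxp:// www.compromised-site.example /", "destination": "hxxp:// novostivkontakte.ru /?id=mob", "flags": {}, "method": "href"},
 {"source": "hxxp:// novostivkontakte.ru /?id=mob", "destination": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9/", "flags": {}, "method": "meta"},
 {"source": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9/", "destination": "hxxp:// real-chudo.ru /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9%2F", "flags": {}, "method": "http-redirect"},
 {"source": "hxxp:// real-chudo.ru /tmpsrc/d586495364701f9ec770e3b9df2df318/video.apk", "destination": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9/", "flags": {}, "method": "window open"},
 {"source": "hxxp:// raykola.net /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9/", "destination": "hxxp:// klub0-raduga.ru /lpadultbill/d.php?id=u7be70c982f0a1226ae890bc4d7e3dfe9%2F", "flags": {}, "method": "http-redirect"}
]}"""

def refang(url):
    """Undo the post's defanging: drop the inserted spaces and turn hxxp back into http."""
    return "".join(url.split()).replace("hxxp", "http", 1)

def load_connections(log_text):
    """Parse the JSON and refang every source/destination URL."""
    return [{"source": refang(c["source"]), "destination": refang(c["destination"]),
             "method": c["method"]} for c in json.loads(log_text)["connections"]]

def host_graph(conns):
    """Map each host to the hosts it sends the browser on to (same-host hops dropped)."""
    graph = {}
    for c in conns:
        src, dst = urlparse(c["source"]).hostname, urlparse(c["destination"]).hostname
        if src != dst:
            graph.setdefault(src, []).append((dst, c["method"]))
    return graph

def redirect_chain(conns, start_host):
    """Hosts in the order a visitor of start_host first reaches them (depth-first)."""
    graph, chain, stack = host_graph(conns), [], [start_host]
    while stack:
        h = stack.pop()
        if h not in chain:
            chain.append(h)
            stack.extend(dst for dst, _ in reversed(graph.get(h, [])))
    return chain

def payload_urls(conns):
    """Distinct URLs whose path ends in .apk: the files a handset would receive."""
    urls = [u for c in conns for u in (c["source"], c["destination"])
            if urlparse(u).path.lower().endswith(".apk")]
    return list(dict.fromkeys(urls))

if __name__ == "__main__":
    conns = load_connections(SAMPLE_LOG)
    print(" --> ".join(redirect_chain(conns, "www.compromised-site.example")), payload_urls(conns))
```

To run it on a real capture, select the mobile personality with Thug's -u option (e.g. -u galaxy2chrome18) and feed its JSON log in place of SAMPLE_LOG.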

The three APK files are actually the same app, with three different small changes in their configuration to talk to three different Command&Control servers, but we'll talk about this in a later post. For now, we'll only say they're all three named "video.apk" and that their MD5 sums are 10859e82697955eb2561822e14460463, 91f302fd7c2d1b8fb54248ea128d19e0 and f6ad9ced69913916038f5bb94433848d.

To sum up, in this post we've seen a peculiar exploit kit that's being actively spread by some mechanized means and has already compromised several thousand sites. The exploit kit is behaving in a quite peculiar way, as it seems to have been designed with special attention to mobile users (who are currently the only ones that get infected by it), and it's distributing some malicious APKs that are (more or less) well recognized by AV vendors on VirusTotal (23/47). Last but not least, Angelo "Buffer" Dell'Aera confirmed that it's the first time he's seen APKs being distributed that way by an exploit kit, and - to his pride - Thug is able to get them all!

Stay tuned for some further analysis of those APKs by my friend and fellow Sysenter Chapter contributor Andrea De Pasquale!

----

January 12, 2014 Update: Even if my original entry point (the theatre's web site) has now been cleaned, the exploit kit is still online and, since January 8, it's using a different domain to serve the APK files. The whole chain is now:

[infected site] --> novostivkontakte.ru --> raykola.net --> luchikmail.ru

They also changed the EK's code to better filter the User-Agent strings: now you only get redirected to the APKs if you give a true Android User-Agent; if you give an iPad User-Agent you get redirected to the domain "vk.com" where essentially nothing happens (at least for now).

To know more about the served APKs, here are two interesting posts you may want to read: