FlashPack Exploit Kit Analysis – Part 1

Version imprimable, PDF et e-mail

Last week I wrote about the low rate of initial AV detections by referencing drive-by download-served malware produced from a visit to Indowebster[.]com, an Alexa top-ranked website. In this and next week's posts, I cover some highlights of the software used to facilitate the drive-by campaign. To begin, below is the set of redirects that began with a visit to the index page of Indowebster and ended with the retrieval of the malware executable.

-> hxxp://www[.]indowebster[.]com
–> hxxp://www[.]nyunyu[.]com/embed/idws2.php
—> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/index.php?o=bWdl<…>
—-> hxxp://8k930v312odrz23bvy11otj629153efc2d1663f040eb9b5094b89713[.]full-potencja[.]pl/index2.php
—–> hxxp://8k930v312odrz23bvy11otj.full-potencja.pl/kafecodes/pappalldy/mintelext.php
——> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/kafecodes/pappalldy/sarmholsterthenc.php
——-> hxxp://8k930v312odrz23bvy11otj[.]full-potencja[.]pl/kafecodes/pappalldy/lodyoathsk.php

In the above chain, Nyunyu[.]com is itself a popular website that normally provides content presented on the front page of Indowebster. However, in this case, the URL redirected to an instance of the FlashPack (or SafePack) exploit kit. The FlashPack instance in turn served a series of obfuscated JavaScript files, which comprise the remainder of the chain. The first two pages (index.php and index2.php) both redirect to Base64-obfuscated URLs via the setTimeout method, which may represent attempts to evade real-time URL analysis systems; the corresponding code excerpts are as follows.

index.php: setTimeout ( function() { location.replace( b64dc(str) ); }, 292);
index2.php: setTimeout(function() { document.body.insertBefore(wfhlc,document.body.lastChild); }, 803);

The second redirection above results in a request for mintelext.php, which contains hex-encoded, RC4 encrypted JavaScript; a code excerpt is as follows.

mintelext.php: (this)[‘eval'](rc4(‘OrbitWhite',hex2bin('50dadd52ab27aad68cb89ccd<…>')));

Deobfuscating mintelext.php reveals the central component of the kit that facilitates delivery of an exploit cocktail targeting both the browser and its plugins. For discussion of the nine software vulnerabilities this instance of FlashPack was capable of targeting and the conclusion of the analysis, visit Barracuda Labs this time next week!

Thanks to Kafeine of Malware Don't Need Coffee for exploit kit identification help.

Remonter en haut de page