
The Stegano exploit kit is used by attackers to compromise users.

ESET researchers discovered that millions of visitors to popular news websites were served malicious ads that redirected them to an exploit kit. This exploit kit, dubbed Stegano, used Flash Player exploits to infect victims with malware.



Since at least October 2016, users may have come across ads for applications called Browser Defense and Broxu. The banners used by these ads on the affected websites are shown below.


The banners were hosted on the remote domains hxxps://browser-defence.com and hxxps://broxu.com.

Notably, without any interaction from the user, the ad's initial script reported information about the potential victim's system to the attackers' remote server. Based on that information, the server decided which banner image to return to the client: a clean image or its malicious counterpart.

The malicious version of the banner carries an encoded script in the alpha channel of the RGBA image. The alpha channel sets the transparency of each pixel, and since the modification changes it only slightly, the malicious image differs only marginally from the original.



The script encoded in this unusual way checks its execution environment for signs of a virtual machine or analysis tools, and for this purpose also exploits CVE-2016-0162, an information-disclosure vulnerability in Internet Explorer.

If the script finds no signs that analysts are monitoring its activity, it redirects the user to the Stegano exploit kit landing page via the TinyURL service. The landing page loads a Flash file that carries exploits for three vulnerabilities (CVE-2015-8651, CVE-2016-1019 and CVE-2016-4117) and selects one according to the version of Flash Player installed on the system.



After successful exploitation, the shellcode collects information about the security products installed on the system and checks its execution environment once more. If the conditions are met, it attempts to download an encrypted payload from the same server; the payload is likewise disguised as a GIF image.

The payload is then decrypted and launched via regsvr32.exe or rundll32.exe. Among the payloads we observed were backdoors, banking trojans, password stealers and various downloader trojans.

We had already observed an earlier version of this exploit kit targeting Dutch users. In spring 2015 the attackers focused on Czech users, and they have now turned their attention to Canada, the UK, Australia, Spain and Italy.

In the earlier campaigns the attackers also disguised their malicious activity as advertising: the exploit kit used domain names beginning with "ads" and URIs containing watch.flv, media.flv, delivery.flv, player.flv or mediaplayer.flv.

In the current campaigns the attackers have refined their tactics and now use compromised ad networks, which redirect users from various countries to the exploit kit.

A notable feature of the current campaigns is that the attackers used the well-known Angler and Neutrino exploit kits far less than Stegano: the number of referrals from sites hosting the malicious banners to Stegano was higher than to Angler and Neutrino.

We observed these malicious banners being hosted on large legitimate websites, including news sites with millions of visitors per day.

In the vast majority of cases the ads promoted a product called "Browser Defense". More recently we also found banners promoting software called Broxu. For simplicity we focus here on the "Browser Defense" campaign; the two campaigns are almost identical in their properties anyway.

The ad was hosted on browser-defence.com with a URI of the following form.

hxxps://browser-defence.com/ads/s/index.html?w=160&h=600



The index.html document loads the countly.min.js script and passes it initial parameters on execution. This script, however, is not the legitimate Countly library (an open-source web and mobile analytics platform): the attackers use a heavily modified and obfuscated version, from which some code has been removed and new code inserted. The new code performs the initial check of the environment. The collected environment information is then sent to the remote server as a XOR-encrypted parameter of a request for a GIF file, as shown in the screenshot above.

The following information about the environment is sent to the remote server.

systemLocale ^ screenResolution ^ GMT offset ^ Date ^ userAgent ^ pixelRatio

The script then requests the ad banner from the server. Depending on the reported environment, the server responds with either the clean version of the banner image or the malicious one. The script loads the banner and reads its RGBA pixel data; if the malicious version was received, it decodes JavaScript code and some variables from the alpha channel of the image.

The steganography works as follows: two consecutive alpha values represent the tens and units digits of a character code, each encoded as a small difference from 255 (fully opaque). To keep the change invisible to the naked eye, the difference is minimised by first subtracting an offset of 32 from the character code.

For example, if the first few alpha bytes contain the values 239, 253, 237, 243, 239, 237, 241, 239, 237, 245, 239, 247, 239, 235, 239 and 237, they decode to the word "function". In this example the first two alpha values, 239 and 253, correspond to the character 'f'.
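The decoder and encoder below are an added example written for this page, not code from the exploit kit or from the ESET write-up. They reconstruct the scheme from the worked example above: a decimal digit d is stored as the alpha value 255 - 2*(d + 1), and the two digits of (character code - 32) occupy two consecutive pixels. The extra "+ 1" in that mapping is inferred from the sample bytes (digit 0 maps to 253, digit 9 to 235) rather than stated in the text, and the scanner at the end is a constructed triage heuristic, not something the kit does.

```python
# Added example (not from the ESET write-up or the kit's own JavaScript):
# a reconstruction of the alpha-channel encoding described above.
# Decimal digit d of (charcode - 32) is stored as alpha = 255 - 2*(d + 1);
# the "+ 1" is inferred from the sample bytes (digit 0 -> 253, digit 9 -> 235).

FULL_ALPHA = 255     # fully opaque; every carrier value is slightly below this
CHAR_OFFSET = 32     # subtracted first so that printable ASCII fits in two digits

def is_carrier(alpha: int) -> bool:
    """Only odd values in 235..253 can hold a digit under this scheme."""
    return 235 <= alpha <= 253 and alpha % 2 == 1

def alpha_to_digit(alpha: int) -> int:
    if not is_carrier(alpha):
        raise ValueError(f"alpha {alpha} is not a valid digit carrier")
    return (FULL_ALPHA - alpha) // 2 - 1

def digit_to_alpha(digit: int) -> int:
    return FULL_ALPHA - 2 * (digit + 1)

def decode_alpha(alphas) -> str:
    """Two consecutive alpha values = tens and units digits of one character."""
    if len(alphas) % 2:
        raise ValueError("alpha sequence must contain an even number of values")
    out = []
    for tens, units in zip(alphas[0::2], alphas[1::2]):
        out.append(chr(10 * alpha_to_digit(tens) + alpha_to_digit(units) + CHAR_OFFSET))
    return "".join(out)

def encode_alpha(text: str) -> list:
    """Inverse of decode_alpha; covers printable ASCII 0x20..0x7E only."""
    alphas = []
    for ch in text:
        value = ord(ch) - CHAR_OFFSET
        if not 0 <= value <= 99:
            raise ValueError(f"character {ch!r} cannot be encoded in two digits")
        alphas += [digit_to_alpha(value // 10), digit_to_alpha(value % 10)]
    return alphas

def scan_alpha_channel(alphas, min_chars: int = 4) -> list:
    """Constructed triage heuristic: find runs of carrier values long enough to
    hold min_chars characters and decode each run. Real banners pad unused
    pixels with look-alike noise, so decoded runs still need a human (or a JS
    tokenizer) to confirm they are code."""
    found, i, n = [], 0, len(alphas)
    while i < n:
        j = i
        while j < n and is_carrier(alphas[j]):
            j += 1
        run = (j - i) // 2 * 2               # drop an unpaired trailing value
        if run >= 2 * min_chars:
            found.append(decode_alpha(alphas[i:i + run]))
        i = j if j > i else i + 1
    return found

# Alpha values quoted in the write-up; they decode to "function".
SAMPLE_ALPHAS = [239, 253, 237, 243, 239, 237, 241, 239,
                 237, 245, 239, 247, 239, 235, 239, 237]

# Constructed alpha row: opaque pixels, the sample, a non-carrier gap, more opaque pixels.
SAMPLE_ROW = [255, 255, 255] + SAMPLE_ALPHAS + [254, 100] + [255, 255]

if __name__ == "__main__":
    print(decode_alpha(SAMPLE_ALPHAS))                 # function
    print(encode_alpha("function") == SAMPLE_ALPHAS)   # True
    print(scan_alpha_channel(SAMPLE_ROW))              # ['function']
```

Feed scan_alpha_channel the flattened alpha plane of a suspect PNG (for example the fourth byte of every pixel from a decoded RGBA buffer) and treat any long run that decodes to JavaScript-looking text as a hit. Because the page notes that unused pixels are filled with pseudo-random alpha noise of the same magnitude, the value range alone is not a reliable signal; the decoded content is.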



A side-by-side look at a clean banner and its malicious counterpart shows only a slight difference.

(from left to right: clean image, malicious counterpart, malicious counterpart with the alpha channel enhanced to reveal the hidden data)

The alpha channel of the unused pixels is filled with pseudo-random values to produce evenly distributed "alpha noise", which further improves the masking. After extraction, the script verifies the integrity of the JavaScript code by comparing its hash with a reference hash stored at the end of the image; only then is the script executed.

Once running, the script examines its execution environment, i.e. the web browser and the operating system, for packet-capture tools, sandboxes, virtualisation software and installed security products. For this purpose it also exploits CVE-2016-0162, an information-disclosure vulnerability in Internet Explorer, and checks for various graphics and security drivers whose presence would indicate an automated malware analysis system.

If none of the above indicators are found, the script creates a one-pixel IFRAME and sets the window.name property, which is used later. The user is then redirected over HTTPS to TinyURL, which in turn redirects to the exploit kit's landing page over HTTP.

After the redirect, the landing page checks that the User-Agent corresponds to Internet Explorer, then loads the Flash file and passes it FlashVars in the form of an encrypted JSON object. The landing page also acts as an intermediary between Flash and the remote server via ExternalInterface, providing the encryption and decryption functions.

The loaded Flash file contains another Flash file inside it and, as with the Neutrino exploit kit, three different exploits for different versions of Flash Player. The second-stage Flash file decrypts the FlashVars, which contain a JSON object with a URI for error reporting, the names of the JavaScript functions exposed through ExternalInterface, the name of the callback function and some unused data.

{"a":"\/e.gif?ts=1743526585&r=10&data=","b":"dUt","c":"hML","d":true,"x":"\/x.gif?ts=1743526585&r=70&data="}

It then calls JavaScript via ExternalInterface.call(), which checks the Flash Player version and sends this information to the server through the landing page, as an encrypted URI parameter of a GIF request. The encryption algorithm is quite simple and uses the window.name value set by the advertisement.



The response is a GIF image whose first bytes are discarded; the remainder is decrypted with the same algorithm and control is passed back to Flash.



The decrypted response is a JSON object containing a character indicating which exploit to use (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117), the password for that exploit, and ready-made shellcode with the payload URI.

The shellcode is decrypted in the final stage of exploitation. It attempts to download the encrypted payload, again disguised as a GIF image, onto the system. Before doing so, the shellcode also checks the environment in which it is executed.



In particular, it checks for the presence of the following software.


If any of these components is detected, the shellcode does not attempt to download the payload. If the payload is received, the first 42 bytes of the GIF image are discarded and the remaining data is decrypted and saved to a file using one of the following API sequences.

  1. CreateFile, WriteFile
  2. CreateUrlCacheEntryA("*google.com", ...), CreateFileA, CreateFileMappingA, MapViewOfFile, {loop copying bytes}, FlushViewOfFile, UnmapViewOfFile

The payload file itself is launched using the regsvr32.exe or rundll32.exe tools.
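As an added example, not code from the write-up or from the exploit kit, the following parser performs the check a responder would run over a captured GIF response or a file dropped by this chain: walk the GIF block structure to the trailer and report either a structural failure or data after the trailer. Both outcomes fit what the text describes (a payload masked as a GIF, with only a short prefix being image-like); since the page does not describe the contents of those first 42 bytes, the parser assumes nothing about them. The sample inputs are constructed.

```python
import struct

# Added example, not code from the ESET write-up or the exploit kit: a structural
# GIF parser for triaging a captured "GIF" response. The sample inputs are constructed.

def _skip_subblocks(data: bytes, pos: int) -> int:
    """Walk GIF data sub-blocks (1 length byte + payload) up to the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated inside data sub-blocks")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def validate_gif(data: bytes):
    """Return (well_formed, detail).

    well_formed is True only if the block structure parses up to a 0x3B trailer
    with nothing after it. Bytes after the trailer, or a parse failure just past
    the header, are the two ways a payload container betrays itself."""
    try:
        if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
            return False, "missing GIF signature or header"
        width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
        pos = 13
        if packed & 0x80:                         # global colour table present
            pos += 3 * (2 ** ((packed & 0x07) + 1))
        while True:
            if pos >= len(data):
                return False, "no trailer before end of data"
            introducer = data[pos]
            pos += 1
            if introducer == 0x3B:                # trailer
                extra = len(data) - pos
                if extra:
                    return False, f"{extra} bytes after trailer"
                return True, f"valid {width}x{height} GIF"
            if introducer == 0x21:                # extension: label byte + sub-blocks
                pos = _skip_subblocks(data, pos + 1)
            elif introducer == 0x2C:              # image descriptor
                if pos + 9 > len(data):
                    return False, "truncated image descriptor"
                ipacked = data[pos + 8]
                pos += 9
                if ipacked & 0x80:                # local colour table
                    pos += 3 * (2 ** ((ipacked & 0x07) + 1))
                pos = _skip_subblocks(data, pos + 1)   # +1 skips LZW minimum code size
            else:
                return False, f"unexpected block introducer 0x{introducer:02X} at offset {pos - 1}"
    except ValueError as exc:
        return False, str(exc)

# Constructed: the smallest well-formed 1x1 GIF89a (35 bytes).
MINIMAL_GIF = bytes.fromhex(
    "474946383961"            # "GIF89a"
    "01000100800000"          # logical screen 1x1, global colour table of 2 entries
    "000000ffffff"            # global colour table: black, white
    "2c00000000010001000002"  # image descriptor (1x1) + LZW minimum code size 2
    "024401" "00"             # one data sub-block + terminator
    "3b"                      # trailer
)
# Constructed: a real image with an imaginary encrypted blob appended after the trailer.
CARRIER_WITH_TAIL = MINIMAL_GIF + bytes.fromhex("8a17c3d9f00b44e2915a7d3c6e0f1b29")
# Constructed: a GIF signature glued onto non-image data; parsing fails right after the header.
FAKE_HEADER_ONLY = b"GIF89a" + bytes(range(40))

if __name__ == "__main__":
    for name, blob in [("minimal", MINIMAL_GIF), ("carrier", CARRIER_WITH_TAIL),
                       ("fake", FAKE_HEADER_ONLY)]:
        print(name, validate_gif(blob))
```

A genuine image returns (True, "valid WxH GIF"); a container like the one the kit serves should produce either an "unexpected block introducer" error a few bytes past the header or, if the operators completed a real image before the ciphertext, "N bytes after trailer". The parser checks block structure only, not LZW validity, which is sufficient for triage.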

The malicious payloads we observed being downloaded by the shellcode are detected by ESET products under the following names.

Win32/TrojanDownloader.Agent.CFH
Win32/TrojanDownloader.Dagozill.B
Win32/GenKryptik.KUM
Win32/Kryptik.DLIF

Analysis of the downloaders and of the files detected as Kryptik showed that they either contained or downloaded the Ursnif and Ramnit malware.

Ursnif has many modules: it steals e-mail credentials, includes a backdoor, a keylogger and a screenshot/video capture tool, and has a web-inject component for Internet Explorer, Firefox and Chrome that modifies HTTP traffic. It can also steal any file from the infected system. Judging by the configuration files found in the samples, it targets the corporate sector and especially payment services and institutions.

Ramnit is a file infector that has been aimed at the banking sector. It likewise has numerous malicious capabilities, including data theft, screen capture and file execution.

Conclusion

The Stegano exploit kit has been used by attackers since 2014, and its authors have invested considerable effort in several techniques to stay under the radar. In the most recent campaign, which we have been tracking since the beginning of October 2016, the attackers distributed links to the exploit kit through advertising banners and steganography, while taking care to hide the malicious activity from analysts who might be observing it in a monitoring environment.

On successful exploitation, systems vulnerable to the exploits used are left open to compromise by further malware, including backdoors, spyware and banking trojans.

The malicious actions of Stegano and other exploit kits can be avoided by keeping installed software and the OS up to date and by using a reliable anti-virus product.

The Stegano exploit kit attempts to detect the presence of the following products on the system.





The Stegano exploit kit attempts to detect the presence of the following drivers and libraries on the system.



The malware does not reference the following strings in its body.



Indicators of Compromise (IoC)

The hashes are in SHA1 format.

countly.min.js
24FA6490D207E06F22A67BC261C68F61B082ACF8

Banner code
A57971193B2FFFF1137E083BFACFD694905F1A94

banner.png with Stegano
55309EAE2B826A1409357306125631FDF2513AC5
67799F80CEF4A82A07EFB3698627D7AE7E6101AB
09425B3B8BF71BA12B1B740A001240CD43378A6C
4528736618BBB44A42388522481C1820D8494E37
FE841DF1ACD15E32B4FFC046205CAAFD21ED2AB2
7BE0A9387F8528EC185ACC6B9573233D167DF71B
A5BC07E8E223A0DF3E7B45EEFD69040486E47F27
EC326BA5CD406F656C3B26D4A5319DAA26D4D5FE
3F1A5F624E0E974CAA4F290116CE7908D360E981
33F921C61D02E0758DCB0019C5F37A4D047C9EC7
2FF89048D39BE75F327031F6D308CE1B5A512F73
9A0D9EBC236DF87788E4A3E16400EB8513743233
F36C283B89C9F1B21A4AD3E384F54B0C8E7D417A
17787879D550F11580C74DA1EA36561A270E16F7
9090DB6731A8D49E8B2506087A261D857946A0EB
45B3EE46ADA9C842E65DCF235111AB81EF733F34
F56A878CA094D461BDF0E5E0CECED5B9903DB6E0
6C74A357B932CF27D5634FD88AA593AEF3A77672
0C3C22B8AA461C7DE4D68567EEA4AE3CD8E4D845
5A5A015C378159E6DC3D7978DAD8D04711D997F8
B2473B3658C13831C62A85D1634B035BC7EBD515
9638E1897B748D120149B94D596CEC6A5D547067
0195C8C7B687DD4CBF2578AD3CB13CD2807F25CB
FEC222095ABD62FC7635E2C7FA226903C849C25C
0FCB2B3ED16672A94CD003B4B53181B568E35912
03483E4039839F0807D7BEC08090179E62DBCC60

Landing page of the Stegano exploit kit
67E26597CF1FF35E4B8300BF181C84015F9D1134
CD46CEE45F2FC982FBA7C4D246D3A1D58D13ED4A
191FFA6EB2C33A56E750BFFEFFE169B0D9E4BBE4
4B2F4C20CC9294F103319938F37C99C0DE7B4932
3FCEA1AFDA9888400D8DE5A232E4BF1E50D3380F
CA750F492691F4D31A31D8A638CE4A56AF8690D0
1374EE22D99ECFC6D68ADE3ACE833D4000E4705B
6BF1A2B7E8CA44E63E1A801E25189DC0212D71B9
B84AB2D5EAD12C257982386BC39F18532BF6939E
476A0455044B9111BDA42CDB7F4EA4E76AA7AB2D
0C1CA7D9C7E4B26A433946A6495782630EF6FD18
29B6DD92FBDF6070B171C38B1D3CA374F66E4B66
89DA7E7A88F9B6CBBFAF7F229BFEA8767220C831
CEE32C8E45A59D3084D832A9E6500AE44F75F7B5
A152AB43BEDCD8F6B7BFB67249C5599CF663D050
3AC722AC0D4764545A3E8A6DF02059C8A164CA17
25E0474E4F8D7D3053278B45A9C24380275B4705
35FB5F3C2957B4525A0330427397915AEEFDDD91
19EEE9745E25194DD573423C6DB0F5AF5D8CFE1D
E88B2B7A08322738C74B29C4CA538741F85A0B7F
A388A2A241339489685CB4AD22EBA9E04B72CD67

Flash files
BADAE04BFF7AFD890C3275E0434F174C6706C2C6
6EF95ACB8AA14D3BA8F1B3C147B7FB0A9DA579A2
10840AEB8342A26DFC68E0E706B36AC2B5A0D5B2
093B25B04FE21185BFEEAFD48F712942D3A3F0C6
C680734AF8670895F961C951A3629B5BC64EFE8E
EEDBBB65A441979974592343C6CA71C90CC2550F
DE288CADE8EE3F13D44719796A5896D88D379A1E
9488CDBB242BE50DF3D20B12F589AF2E39080882
B664365FC8C0B93F6A992C44D11F44DD091426DD
7557B5D987F0236FF838CD3AF05663EFA98EBC56
24B7933A8A8F6ED50FBAF2A5021EF47CE614A46F
11BA8B354001900ED79C43EA858F1BC732961097

Sample URLs
TinyURL.com
/jf67ejb
/jqp7efh
/j56ks2b
/gplnhvm
/gwwltaf
/hgnsysa
/hvfnohs

Landing page of the Stegano exploit kit
hxxp://conce.republicoftaste.com/urq5kb7mnimqz/3dyv72cqtwjbgf5e89hyqryq5zu60_os24kfs1j3u_i
hxxp://compe.quincephotographyvideo.com/kil5mrm1z0t-ytwgvx/g7fjx4_caz9
hxxp://ntion.atheist-tees.com/v2mit3j_fz0cx172oab_eys6940_rgloynan40mfqju6183a9a4kn/f
hxxp://entat.usedmachinetools.co/6yg1vl0q15zr6hn780pu43fwm5297itxgd19rh54-3juc2xz1t-oes5bh
hxxp://connt.modusinrebus.net/34v-87d0u3
hxxp://ainab.photographyquincemiami.com/w2juxekry8h9votrvb3-k72wiogn2yq2f3it5d17/j9r
hxxp://rated.republicoftaste.com/6t8os/lv-pne1_dshrmqgx-8zl8wd2v5h5m26m_w_zqwzq
hxxp://rence.backstageteeshirts.com/qen5sy/6hjyrw79zr2zokq1t4dpl276ta8h8-/3sf9jlfcu0v7daixie_do6zb843/z7

Source: https://habr.com/ru/post/317092/

