Last Updated: 2016-11-19 08:15:57 UTC
by Didier Stevens (Version: 1)
I tested the process replacement maldoc (Hancitor Maldoc Bypasses Application Whitelisting) on Windows 10 and Word 2016. It's not blocked.
Last Updated: 2016-11-18 21:30:55 UTC
by Brad Duncan (Version: 1)
KaiXin exploit kit (EK) was first identified in August 2012 by Kahu Security , and it received some press from security-related blogs later that year [2, 3, 4]. Within the past year or so, Jack at malwarefor.me and I have posted our analysis of a few KaiXin EK traffic examples [5, 6, 7, 8, 9], and in March 2016 I wrote an ISC diary about this EK . A May 2016 blog from Palo Alto Networks associated some instances of KaiXin EK with a KRBanker trojan that targeted online banking users .
Since that time, I've rarely found KaiXin EK. Every once in a while, I'd sometimes find indicators, but I was never able to generate any traffic. Fortunately, someone recently informed me of an active URL, and I retrieved some good examples of KaiXin EK.
Of note, I had to use an older Windows 7 host with Internet Explorer (IE) 8 as the web browser. I was unable to generate any EK traffic from the initial URL if I used Windows 7 with IE 9 or newer.
Today's diary examines these examples of KaiXin EK infection traffic.
The EK infection
I tried a variety of configurations (all using IE 8) in order to get as many exploits as possible. An older Windows host with Java 6 runtime environment update 22 gave me a Java exploit. Newer Windows hosts generated different Flash exploits. The below images show 3 examples of the traffic from the initial URL.
The initial URL appears to be a gate. This gate checks for security products from Chinese-based companies like Kingsoft, 360 and Tencent.
The payload didn't execute properly for any of my infections. During each infection, a VBS file appeared in the user's AppData\Local\Temp directory with a random name of 5 alphabetic characters. An example of the file name and path on a Windows 7 host follows:
Today's KaiXin EK payload is a 8,192 byte executable that acts as a file downloader. It appears to download another piece of malware about 2 MB in size. I was unable to identify the follow-up malware based on the HTTP traffic it generated. The follow-up malware calls back to a domain registered to a Chinese individual or organization.
All activity for KaiXin EK and the post-infection traffic was on 184.108.40.206, a Chinese IP address.
Indicators of Compromise (IOCs)
The following are IP addresses, TCP ports, and domain names associated with today's infection:
- 220.127.116.11 port 12113 - otc.szmshc.com:12113 - KaiXin EK
- 18.104.22.168 port 10002 - u.ed-vis.com:10002 - KaiXin EK sends payload (file downloader)
- 22.214.171.124 port 19008 - n.shopzhy.com:19008 - Post-infection traffic from KaiXin EK payload
- 126.96.36.199 port 80 - conn.guizumall.com - Post-infection traffic from follow-up malware
The following are SHA256 hashes, file names, and descriptions of the EK payload and follow-up malware:
- SHA256 hash: 21bfb09e9c67c69ff3041b48494b093bce8acb57ee0e9e0fe5da737561064a7b
- File name: b02q1.exe
- File description: Payload (a downloader) sent by KaiXin EK (8,192 bytes)
- SHA256 hash: e4d9c9b5400436204bbd1510f73e6e76cc970b844605f4b1918bac5c2b74b384
- File name: cj1.exe
- File description: Follow-up malware retrieved by the KaiXin EK payload (2,095,616 bytes)
From the beginning, KaiXin EK has been described as a Chinese EK. I've seen it in traffic associated with China, Japan, Korea, and possibly some nations in Southeast Asia. It usually doesn't make the list with other more advanced EKs, and the exploits used in KaiXin EK seem awfully outdated.
However, the actors and campaigns using KaiXin EK remain a threat.
People can protect themselves by following best security practices like keeping their computers up-to-date with the latest version of Windows, web browsers, and browser-associated applications (like Java, Flash, etc.).
Pcaps, malware, and artifacts associated with this diary can be found here.
brad [at] malware-traffic-analysis.net