This is a guest diary submitted by Brad Duncan.
For the past year or so, I've noticed a particular group using a gate that redirects to an exploit kit (EK), usually Fiesta. This gate has evolved over the past year, changing IP addresses, domain names, and URL patterns. Currently, this gate is using 126.96.36.199 as its IP address.
I infected a VM on 2014-12-24 using the original referer from an example I found after searching for 188.8.131.52 in my organization's web traffic logs. The image below shows the gate on 184.108.40.206 and Fiesta EK on 220.127.116.11.
Shown above: Wireshark display for the Fiesta EK infection using this gate.
Monitoring the infection traffic with Security Onion shows the appropriate Snort signatures for Fiesta EK:
Shown above: Snort events from Security Onion using the ET open signature set.
Let's examine how the gate points to Fiesta EK. Earlier this year, the gate used a fairly straightforward iframe. Here's an example from April 2014:
Shown above: Gate to Fiesta EK from April 2014.
Search your web traffic logs for 18.104.22.168, and you'll likely find several different domain names using a specific pattern for the gate. Here's a sample of what I found for 22.214.171.124 from 2014-12-10 through 2014-12-23:
All the above domains are registered to the same organization:
Registrant name/organization: Wuxi Yilian LLC
Registrant country: China
alpinias.com - date registered: 2014-08-29
astroysch.com - date registered: 2014-10-27
avtrokosmo.com - date registered: 2014-12-01
bendjoblac.com - date registered: 2014-11-12
enotikkiki.com - date registered: 2014-10-21
kattyjerem.com - date registered: 2014-11-12
hillarysday.com - date registered: 2014-09-18
magggnitia.com - date registered: 2014-12-01
magicalcepp.com - date registered: 2014-09-18
magnitigus.com - date registered: 2014-12-01
margartata.com - date registered: 2014-12-01
martinegris.com - date registered: 2014-10-21
muertiose.com - date registered: 2014-10-03
throneonetwo.com - date registered: 2014-10-27
treestois.com - date registered: 2014-12-01
velasvegas.com - date registered: 2014-11-12
Each of the domains on 126.96.36.199 is tied to a particular compromised website. If you have access to the web traffic and the HTTP headers, it's easy to find the compromised website. Just look for the referer in the HTTP GET request on 188.8.131.52.
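Both of the log-hunting steps the diary describes, searching proxy logs for traffic to the gate IP and then reading the Referer of each GET to recover the compromised site, can be scripted. The block below is an added example, not code from the diary or its author. It assumes a simple constructed log format (timestamp, client IP, destination IP, method, URL, quoted Referer), uses the gate IP as printed in the diary (the group rotates it, so it is a parameter), and seeds the known-domain set with the Wuxi Yilian LLC domains listed above; the log lines and the domain newgatedomain.test are constructed for illustration. It also flags gate hostnames not yet in the known list, which is how new domains in the pattern surface during review.

```python
"""Find hits on the Fiesta EK gate and attribute them to the referring site.

Added example: not code from the diary. Log format and sample lines are
constructed; the gate IP is the one the diary prints.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Gate IP as printed in the diary. The group has rotated it several times,
# so callers should pass the current value rather than rely on this default.
GATE_IP = "126.96.36.199"

# Gate domains the diary lists as registered to Wuxi Yilian LLC.
KNOWN_GATE_DOMAINS = {
    "alpinias.com", "astroysch.com", "avtrokosmo.com", "bendjoblac.com",
    "enotikkiki.com", "kattyjerem.com", "hillarysday.com", "magggnitia.com",
    "magicalcepp.com", "magnitigus.com", "margartata.com", "martinegris.com",
    "muertiose.com", "throneonetwo.com", "treestois.com", "velasvegas.com",
}

# Constructed proxy log: "<ts> <client> <dest_ip> <method> <url> "<referer>"".
# Paths, client addresses, referring sites and newgatedomain.test are made up.
SAMPLE_LOG = """\
2014-12-10T14:02:11Z 10.0.0.5 126.96.36.199 GET http://alpinias.com/constructed-path/ "http://www.example-forum.test/thread/123"
2014-12-10T14:02:12Z 10.0.0.5 93.184.216.34 GET http://www.example-forum.test/css/main.css "http://www.example-forum.test/thread/123"
2014-12-12T09:15:40Z 10.0.0.8 126.96.36.199 GET http://magnitigus.com/constructed-path/ "http://blog.example-site.test/post/7"
2014-12-23T18:44:02Z 10.0.0.9 126.96.36.199 GET http://newgatedomain.test/constructed-path/ "http://www.example-forum.test/thread/987"
2014-12-23T18:44:03Z 10.0.0.9 126.96.36.199 GET http://alpinias.com/constructed-path/ "-"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<url>\S+)\s+"(?P<referer>[^"]*)"\s*$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_of(url):
    """Lower-cased hostname of a URL; empty string for '-' or anything without a host."""
    return urlparse(url).hostname or ""


def find_gate_hits(log_text, gate_ip=GATE_IP):
    """All GET requests sent to the gate IP, with the gate hostname and referring host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dest"] != gate_ip or rec["method"] != "GET":
            continue
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "gate_host": host_of(rec["url"]),
            # Empty when the client sent no Referer header; such a hit cannot be
            # attributed to a compromised site from the proxy log alone.
            "referer_host": host_of(rec["referer"]),
        })
    return hits


def compromised_sites(hits):
    """Map each referring (compromised) site to the gate hostnames it sent clients to."""
    sites = defaultdict(set)
    for h in hits:
        if h["referer_host"]:
            sites[h["referer_host"]].add(h["gate_host"])
    return dict(sites)


def unknown_gate_domains(hits, known=KNOWN_GATE_DOMAINS):
    """Gate hostnames seen in traffic that are not in the known-domain list yet."""
    return {h["gate_host"] for h in hits if h["gate_host"] not in known}


if __name__ == "__main__":
    gate_hits = find_gate_hits(SAMPLE_LOG)
    for site, gates in sorted(compromised_sites(gate_hits).items()):
        print(f"compromised site {site} -> gate(s) {sorted(gates)}")
    for h in gate_hits:
        if not h["referer_host"]:
            print(f"{h['ts']} {h['client']} hit {h['gate_host']} with no Referer; attribute from full capture")
    print("gate domains not in the known list:", sorted(unknown_gate_domains(gate_hits)))
```

Running it on the constructed log attributes two gate hits to www.example-forum.test and one to blog.example-site.test, reports the Referer-less hit separately, and flags newgatedomain.test as a gate hostname missing from the registrant list, which is the cue to check its WHOIS record against the pattern above.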
The group behind these domains has used at least 4 different IP addresses during the past year. It will likely change again. Wuxi Yilian LLC is the registrant for all the domains I've found for this redirect in 2014.
I look forward to seeing what this group does in 2015.
Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net
Apr 26th 2015
3 years ago
Thanks for the diary. Useful information.
Dec 28th 2014
4 years ago
Any data on when the exploit is presented? We've found that not every access to the compromised forum gets the exploit and have had trouble reproducing the issue, i.e., going to the same page that got the exploit a few minutes before doesn't get the exploit again.
Jan 23rd 2015
4 years ago