• This first compromised domain is hosting redirects to Fiesta EK
  • The click fraud malware (Kovter.B) downloaded, but did not trigger fully on initial infection
  • I ran the malware on a different set-up (thanks Francis Trudeau!) and was able to gather more information on Kovter.B and its actions
  • After running Kovter.B, part of the click fraud traffic ended up hitting a compromised domain which redirected to an Angler EK landing page
  • The Angler EK payload appears to have installed Poweliks on the system (according to the IDS alerts)
PCAP, Malware, and Exploits
Compromised Domain and Redirection
  • 2015-03-26 03:18:43 UTC - 216.58.192.36 - mayfairlakes.org - GET /
  • I used CapTipper v.2's ungzip command to decode the initial response, and the iframes command to reveal the redirector
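The two CapTipper steps above (gunzip the response, then list its iframes) are easy to reproduce without CapTipper when you only have the raw response bytes. The script below is an added example, not code from the post or from CapTipper: it parses a minimal HTTP/1.1 response, undoes `Content-Encoding: gzip`, and flags iframes that are tiny, hidden by style, or point off-site, which is the usual shape of an EK redirector. The HTML body is constructed for the example; the off-site iframe target reuses the Fiesta URL that the post shows as the next request, which is an assumption about the injected code, not a copy of it.

```python
import gzip
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the markup is made up for this example. The hidden iframe
# target is the Fiesta EK URL the post lists as the request that follows the
# compromised page; the post's real injected iframe is not reproduced here.
SAMPLE_HTML = b"""<html><head><title>Welcome</title></head>
<body>
<p>Site content here.</p>
<iframe src="/newsletter.html" width="600" height="400"></iframe>
<div style="position:absolute;left:-9999px;">
<iframe src="http://tfuhvvcme.servepics.com/blog/4c2H?utm_source=g24" width="1" height="1" frameborder="0"></iframe>
</div>
</body></html>"""


def build_gzip_response(html: bytes) -> bytes:
    """Wrap HTML in a minimal gzip-encoded HTTP/1.1 response (test fixture only)."""
    body = gzip.compress(html)
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return head + body


def split_response(raw: bytes):
    """Split a raw HTTP response into a lowercase header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo Content-Encoding: gzip (the equivalent of CapTipper's ungzip)."""
    if headers.get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value: str) -> int:
    """Leading integer of a width/height attribute, or -1 when absent/non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else -1


def suspicious_iframes(html: bytes, page_host: str):
    """Return iframe srcs that are 0/1 px, hidden by style, or hosted off-site."""
    parser = IframeCollector()
    parser.feed(html.decode("utf-8", "replace"))
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname          # None for relative URLs
        tiny = 0 <= _px(frame.get("width")) <= 1 or 0 <= _px(frame.get("height")) <= 1
        hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden",
                           frame.get("style", ""), re.I) is not None
        offsite = host is not None and host.lower() != page_host.lower()
        if src and (tiny or hidden or offsite):
            hits.append(src)
    return hits


def analyze_response(raw: bytes, page_host: str):
    """Full pipeline: headers -> decoded body -> suspicious iframe srcs."""
    headers, body = split_response(raw)
    return suspicious_iframes(decode_body(headers, body), page_host)


if __name__ == "__main__":
    for src in analyze_response(build_gzip_response(SAMPLE_HTML), "mayfairlakes.org"):
        print("redirector ->", src)
```

The off-site check is the one that matters most: size-1 iframes are the classic pattern, but a redirector injected into a wrapper `div` pushed off-screen (as in the constructed sample) would pass a size-only check if it used normal dimensions.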
Fiesta EK
  • 2015-03-26 03:18:47 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /blog/4c2H?utm_source=g24
  • 2015-03-26 03:18:48 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/?2
  • 2015-03-26 03:18:49 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/27b87fefa4d17dd4060e5503055d545e040f530e0c520756090257090305065702;118800;94
  • 2015-03-26 03:18:51 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/25e6dc19f812e30e51450e0d56580001040d54005f575309090050075000520802;6
  • 2015-03-26 03:18:54 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/25e6dc19f812e30e51450e0d56580001040d54005f575309090050075000520802;6;1
  • 2015-03-26 03:18:59 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/4fe5f514a58e4a0f5d03090e540e000c025e54035d0153040f5350045256520504
  • 2015-03-26 03:19:01 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/18b229c97d77d3d6524809090002520107005304090d01090a0d5703065a000853;4
  • 2015-03-26 03:19:04 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/18b229c97d77d3d6524809090002520107005304090d01090a0d5703065a000853;4;1
  • Note: The Flash version appears in the URI structure of the GET request (this also seems to be the case in other Fiesta EK instances I checked it against)
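The request list above has a repeating shape that is worth parsing rather than eyeballing: one fixed eight-character directory, a `/?N` landing page, and then 66-hex-digit tokens, some followed by `;`-separated numeric fields, with the same token requested again with a trailing `;1`. The script below is an added example, not code from the post or from the Emerging Threats ruleset: it classifies each request line copied from this post into landing / exploit-token / other, and groups the field sequences per token. The regexes are my approximation of the URI structure seen here, not the ET signature itself, and the parser treats the numeric fields as opaque (the post only notes that the Flash version shows up in them).

```python
import re
from collections import OrderedDict

# Request lines copied from the Fiesta EK section of this post.
FIESTA_REQUESTS = """\
2015-03-26 03:18:47 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /blog/4c2H?utm_source=g24
2015-03-26 03:18:48 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/?2
2015-03-26 03:18:49 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/27b87fefa4d17dd4060e5503055d545e040f530e0c520756090257090305065702;118800;94
2015-03-26 03:18:51 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/25e6dc19f812e30e51450e0d56580001040d54005f575309090050075000520802;6
2015-03-26 03:18:54 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/25e6dc19f812e30e51450e0d56580001040d54005f575309090050075000520802;6;1
2015-03-26 03:18:59 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/4fe5f514a58e4a0f5d03090e540e000c025e54035d0153040f5350045256520504
2015-03-26 03:19:01 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/18b229c97d77d3d6524809090002520107005304090d01090a0d5703065a000853;4
2015-03-26 03:19:04 UTC - 217.172.170.17 - tfuhvvcme.servepics.com - GET /p59w0xv2/18b229c97d77d3d6524809090002520107005304090d01090a0d5703065a000853;4;1
"""

# "time UTC - ip - host - METHOD uri" as the post formats its request lists.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - (?P<ip>\S+) - (?P<host>\S+) - "
    r"(?P<method>[A-Z]+) (?P<uri>\S+)$")
# Approximations (assumption, not the ET signature): 8-char dir + "/?N" landing page,
# and 8-char dir + 64-66 hex token with optional ";<num>" fields.
LANDING_RE = re.compile(r"^/(?P<dir>[a-z0-9]{8})/\?(?P<n>\d+)$")
EXPLOIT_RE = re.compile(r"^/(?P<dir>[a-z0-9]{8})/(?P<token>[0-9a-f]{64,66})(?P<fields>(?:;\d+)*)$")


def classify_uri(uri: str) -> dict:
    """Tag a URI as landing, exploit (hex token), or other, extracting its fields."""
    m = LANDING_RE.match(uri)
    if m:
        return {"kind": "landing", "dir": m["dir"], "token": None, "fields": [int(m["n"])]}
    m = EXPLOIT_RE.match(uri)
    if m:
        fields = [int(x) for x in m["fields"].split(";") if x]
        return {"kind": "exploit", "dir": m["dir"], "token": m["token"], "fields": fields}
    return {"kind": "other", "dir": None, "token": None, "fields": []}


def parse_requests(text: str):
    """Parse the post-style request lines into dicts, skipping anything malformed."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row.update(classify_uri(row["uri"]))
        rows.append(row)
    return rows


def chains_by_token(rows):
    """Map each exploit token (first 8 hex chars) to the field lists seen for it, in order."""
    chains = OrderedDict()
    for r in rows:
        if r["kind"] == "exploit":
            chains.setdefault(r["token"][:8], []).append(r["fields"])
    return chains


def fiesta_summary(text: str) -> dict:
    rows = parse_requests(text)
    return {
        "kinds": [r["kind"] for r in rows],
        "dirs": sorted({r["dir"] for r in rows if r["dir"]}),
        "chains": chains_by_token(rows),
    }


if __name__ == "__main__":
    s = fiesta_summary(FIESTA_REQUESTS)
    print("shared directory:", s["dirs"])
    for token, fields in s["chains"].items():
        print(token, "->", fields)
```

Run on the post's lines, the grouping shows the pattern directly: the first token carries two fields (`118800`, `94`) and is the request the Fiesta Flash Exploit alerts fire on; two later tokens each appear twice, once with `;6` or `;4` and again with `;1` appended; one appears with no fields at all. Pivoting on the constant directory (`p59w0xv2`) rather than the tokens is what makes a proxy-log search for other victims practical.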
Post-Infection Traffic

Note: The pcap does not contain this traffic, but the Fiddler output shows the 2 injected svchost processes calling out to the following domain:

  • 2015-03-26 03:19:?? UTC - 192.99.104.30 - b14-mini.ru - /upload.php
Fiddler Output

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7

2015-03-26 03:18:48 UTC - 192.168.120.173:50750 -> 217.172.170.17:80 - ET CURRENT EVENTS FiestaEK js-redirect
2015-03-26 03:18:48 UTC - 192.168.120.173:50750 -> 217.172.170.17:80 - ET CURRENT EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit
2015-03-26 03:18:49 UTC - 192.168.120.173:50750 -> 217.172.170.17:80 - ET CURRENT EVENTS Fiesta Flash Exploit URI Struct
2015-03-26 03:18:49 UTC - 192.168.120.173:50750 -> 217.172.170.17:80 - ET CURRENT EVENTS Fiesta URI Struct
2015-03-26 03:18:50 UTC - 217.172.170.17:80 -> 192.168.120.173:50750 - ET CURRENT EVENTS Fiesta Flash Exploit Download
2015-03-26 03:18:51 UTC - 192.168.120.173:50750 -> 217.172.170.17:80 - ET CURRENT EVENTS Fiesta URI Struct
2015-03-26 03:18:54 UTC - 192.168.120.173:50750 -> 217.172.170.17:80 - ET CURRENT EVENTS Fiesta URI Struct
2015-03-26 03:19:01 UTC - 192.168.120.173:50750 -> 217.172.170.17:80 - ET CURRENT EVENTS Fiesta URI Struct
2015-03-26 03:19:04 UTC - 192.168.120.173:50750 -> 217.172.170.17:80 - ET CURRENT EVENTS Fiesta URI Struct

Preliminary Malware Analysis

Fiesta EK Flash Exploit

Fiesta EK Payload - Kovter.B, pulled from the Victim Machine

Further Malware Analysis
  • After the malware stopped running on the victim machine, I pulled the binary out and ran it through a different lab
  • This proved fruitful, as it ran Kovter.B without issues, returning a couple thousand hits to various domains/ad networks
  • During the malware's routine, it happened across a compromised domain hosting a redirector for Angler EK
Kovter.B Initial Infection Traffic
  • 2015-03-27 04:11:08 UTC - 148.251.173.161 - 148.251.173.161 - POST /wpl/index.php
  • 2015-03-27 04:11:16 UTC - 148.251.173.161 - 148.251.173.161 - GET /wpl/index.php?id=1
  • 2015-03-27 04:11:18 UTC - 148.251.173.161 - 148.251.173.161 - POST /wpl/index.php
  • 2015-03-27 04:11:31 UTC - 148.251.173.174:8080 - 148.251.173.174:8080 - GET /c-c/9b550286e382d94b04959678ecc55e5b9fcdcfab304f7ac6a216c4facb0335ecf770160d4f35b79b993e3b152f09397addd17ff55d33ed8852d9ab8be3d91313/c_c/click?node=35&time=1427429460&id=15442&pid=115&sid=172189&rank=0
  • 2015-03-27 04:11:32 UTC - 148.251.173.174:8080 - 148.251.173.174:8080 - GET /click?node=35&time=1427429460&id=15442&pid=115&sid=172189&rank=0
  • 2015-03-27 04:11:32 UTC - 173.214.255.233 - 173.214.255.233 - GET /feed/go1.php?id=2a0a1e08-7074-4cc5-9782-faba1fb84749&sid=dd8faf7b8179dcc1bec18b5dfb152cfb&n=n-12&tid=6719485160825431715&s=4265
  • 2015-03-27 04:11:32 UTC - 174.129.196.71 - 3280083.3857965.optimize.clickshieldfilter.com - GET /click.php?x=FyBTR3LcV1bNCsgJkOVofOfwbegc%2BS%2BqV9xq2yvecalYPnMq10rI3vsqBU0AneW
  • 2015-03-27 04:11:32 UTC - 174.129.196.71 - 3280083.3857965.optimize.clickshieldfilter.com - GET /swfobject.js
  • 2015-03-27 04:11:34 UTC - 174.129.196.71 - 3280083.3857965.optimize.clickshieldfilter.com - POST /click.php
  • 2015-03-27 04:11:35 UTC - 54.209.64.126 - www.blinkx.com - GET /af/b4-blianp5?adid=18-100-201-303-404-105&utm-campaign=6293-3280083-3857965
  • Truncated, but you get the idea
Post-Infection IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled)

2015-03-28 04:11:08 UTC - 10.10.10.104:49292 -> 148.251.173.161:80 - ET TROJAN WIN32/KOVTER.B Checkin
2015-03-28 04:11:29 UTC - 10.10.10.104:49292 -> 148.251.173.161:80 - ET TROJAN WIN32/KOVTER.B Checkin
2015-03-28 04:15:42 UTC - 10.10.10.104:49292 -> 148.251.173.161:80 - ET TROJAN WIN32/KOVTER.B Checkin
2015-03-28 04:16:03 UTC - 10.10.10.104:49292 -> 148.251.173.161:80 - ET TROJAN WIN32/KOVTER.B Checkin

Angler EK Observed In Click Fraud Traffic
Compromised Domain and Redirection
  • 2015-03-27 04:17:54 UTC - 95.211.198.109 - news4news14.com - GET /?source=32
  • This time I used CapTipper v.2's ungzip command to decode the content, and the jsbeautify command to format the redirector
Angler EK
  • 2015-03-27 04:17:55 UTC - 195.238.181.33 - sdiksd-j234nbbg-khb747bjg324yu.asjoeipo9sjruy.in - GET /coynesscharmingly/191638858311458
  • 2015-03-27 04:18:00 UTC - 195.238.181.33 - sdiksd-j234nbbg-khb747bjg324yu.asjoeipo9sjruy.in - GET /HzbLSnL-KjXzuiGS151PH-vf2yCYCVWre4LFpsIRru3UyImj
  • 2015-03-27 04:18:02 UTC - 195.238.181.33 - sdiksd-j234nbbg-khb747bjg324yu.asjoeipo9sjruy.in - GET /coynesscharmingly/191638858311458
Post-Post Infection Traffic (Poweliks, according to ET PRO Ruleset)
  • 2015-03-27 04:19:15 UTC - 195.2.241.100 - 195.2.241.100 - POST /search
Post-Infection IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled)

2015-03-28 04:17:55 UTC - 195.238.181.33:80 -> 10.10.10.104:49496 - ETPRO CURRENT EVENTS DRIVEBY Angler EK Landing T1 Feb 02 2015
2015-03-28 04:18:00 UTC - 10.10.10.104:49506 -> 195.238.181.33:80 - ET CURRENT EVENTS Angler EK Payload DL M1 Feb 06 2015
2015-03-28 04:18:00 UTC - 195.238.181.33:80 -> 10.10.10.104:49506 - ETPRO CURRENT EVENTS Angler EK Payload T1 Feb 16 2015 M2
2015-03-28 04:18:01 UTC - 195.238.181.33:80 -> 10.10.10.104:49506 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (21)
2015-03-28 04:18:02 UTC - 10.10.10.104:49496 -> 195.238.181.33:80 - ET CURRENT EVENTS Possible Angler EK Flash Exploit URI Structure Jan 21 2015
2015-03-28 04:19:15 UTC - 10.10.10.104:49651 -> 195.2.241.100:80 - ETPRO TROJAN Win32/Poweliks.A Checkin
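The alert lists in this post (the Fiesta alerts earlier, and the Kovter.B and Angler/Poweliks alerts above) are raw sensor output, not in strict time order, and the story only becomes obvious once they are sorted and read per victim: Kovter.B check-ins, then an Angler landing page, payload, and a Poweliks check-in to a third server. The script below is an added example, not code from the post or from Snort/ET: it parses the post's alert-line format, sorts by timestamp, decides which side is the victim (the private address), assigns a rough kill-chain stage from keywords in the signature name, and collapses the result into an ordered chain per victim. The input is the post's own alert lines, copied in their original order; the stage keywords are my simplification of the ET naming conventions.

```python
import ipaddress
import re

# Alert lines copied from this post's two post-infection alert lists, in the
# post's original (non-chronological) order so the sort below has work to do.
ALERTS = """\
2015-03-28 04:11:08 UTC - 10.10.10.104:49292 -> 148.251.173.161:80 - ET TROJAN WIN32/KOVTER.B Checkin
2015-03-28 04:11:29 UTC - 10.10.10.104:49292 -> 148.251.173.161:80 - ET TROJAN WIN32/KOVTER.B Checkin
2015-03-28 04:16:03 UTC - 10.10.10.104:49292 -> 148.251.173.161:80 - ET TROJAN WIN32/KOVTER.B Checkin
2015-03-28 04:15:42 UTC - 10.10.10.104:49292 -> 148.251.173.161:80 - ET TROJAN WIN32/KOVTER.B Checkin
2015-03-28 04:18:00 UTC - 10.10.10.104:49506 -> 195.238.181.33:80 - ET CURRENT EVENTS Angler EK Payload DL M1 Feb 06 2015
2015-03-28 04:18:00 UTC - 195.238.181.33:80 -> 10.10.10.104:49506 - ETPRO CURRENT EVENTS Angler EK Payload T1 Feb 16 2015 M2
2015-03-28 04:17:55 UTC - 195.238.181.33:80 -> 10.10.10.104:49496 - ETPRO CURRENT EVENTS DRIVEBY Angler EK Landing T1 Feb 02 2015
2015-03-28 04:18:01 UTC - 195.238.181.33:80 -> 10.10.10.104:49506 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (21)
2015-03-28 04:18:02 UTC - 10.10.10.104:49496 -> 195.238.181.33:80 - ET CURRENT EVENTS Possible Angler EK Flash Exploit URI Structure Jan 21 2015
2015-03-28 04:19:15 UTC - 10.10.10.104:49651 -> 195.2.241.100:80 - ETPRO TROJAN Win32/Poweliks.A Checkin
"""

# "date time UTC - src:port -> dst:port - signature", as the post prints alerts.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UTC - (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<sig>.+)$")

# Keyword -> stage, checked in order; a simplification of ET signature naming (assumption).
STAGE_RULES = [
    ("landing", "landing"),
    ("exploit", "exploit"),
    ("payload", "payload"),
    ("encrypted binary", "payload"),
    ("checkin", "c2"),
    ("redirect", "redirect"),
]


def stage_of(sig: str) -> str:
    low = sig.lower()
    for keyword, stage in STAGE_RULES:
        if keyword in low:
            return stage
    return "unknown"


def parse_alerts(text: str):
    """Parse alert lines into dicts and return them sorted by timestamp (stable)."""
    rows = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        # The victim is the private (RFC 1918) side; the other address is the remote server.
        src_private = ipaddress.ip_address(a["src"]).is_private
        a["victim"] = a["src"] if src_private else a["dst"]
        a["remote"] = a["dst"] if src_private else a["src"]
        a["stage"] = stage_of(a["sig"])
        rows.append(a)
    return sorted(rows, key=lambda r: r["ts"])   # ISO timestamps sort lexically


def timeline(text: str):
    return parse_alerts(text)


def kill_chain(text: str, victim: str):
    """Ordered (stage, remote) steps for one victim, with consecutive repeats collapsed."""
    chain = []
    for a in parse_alerts(text):
        if a["victim"] != victim:
            continue
        step = (a["stage"], a["remote"])
        if not chain or chain[-1] != step:
            chain.append(step)
    return chain


if __name__ == "__main__":
    for a in timeline(ALERTS):
        print(a["ts"], a["victim"], "<->", a["remote"], a["stage"].ljust(8), a["sig"])
    print(kill_chain(ALERTS, "10.10.10.104"))
```

The collapsed chain for 10.10.10.104 comes out as c2 (148.251.173.161), landing, payload and exploit (all 195.238.181.33), then c2 (195.2.241.100), which is the post's narrative in one line. Note that the Flash exploit URI alert lands after the payload alerts in sensor time here; the keyword stage is a reading aid, not a substitute for looking at which request each alert actually fired on.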

If you have any feedback or questions please email me at jack@malwarefor.me
Additionally, you can reach out on Twitter or follow for updates