Notes
  • Found on Threatglass
  • Two instances of this EK on the same compromised domain since September 18th
  • I will examine traffic from the most recent instance, September 20th
  • KaiXin is a lesser-known Exploit Kit that has been observed mostly targeting Asia, specifically Japan and South Korea
  • Actors are using 51yes[.]com, a Chinese analytics site, to gauge traffic
  • KaiXin EK payload is Backdoor:Win32/Venik.I

PCAP and Malware
Compromised Domain and Redirect

2015-09-20 12:09:36 UTC - 74.114.48.134 - koreatimes.com - GET /
2015-09-20 12:09:36 UTC - 74.114.48.134 - www.koreatimes.com - GET /
2015-09-20 12:09:38 UTC - 133.130.90.152 - 133.130.90.152 - GET /ad.gif

KaiXin EK Traffic

2015-09-20 12:09:39 UTC - 199.188.106.162 - 199.188.106.162 - GET /index.html
2015-09-20 12:09:40 UTC - 199.188.106.162 - 199.188.106.162 - GET /jquery.js
2015-09-20 12:09:40 UTC - 199.188.106.162 - 199.188.106.162 - GET /swfobject.js
2015-09-20 12:09:40 UTC - 199.188.106.162 - 199.188.106.162 - GET /LjNsSx.html
2015-09-20 12:09:40 UTC - 61.147.67.180 - count2.51yes.com - GET /click.aspx?id=25685989&logo=1 (Chinese Analytics site used by KaiXin for landing statistics)
2015-09-20 12:09:42 UTC - 61.147.67.180 - count2.51yes.com - GET /sa.htm?id=25685989&refe=http%3A//www.koreatimes.com/&location=http%3A//199.188.106.162/index.html&color=24x&resolution=800x600&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%208.0%3B%20Windows%20NT%205
2015-09-20 12:09:50 UTC - 199.188.106.162 - 199.188.106.162 - GET /66.exe
2015-09-20 12:09:52 UTC - 199.188.106.162 - 199.188.106.162 - GET /YcVoEu.jar
2015-09-20 12:09:52 UTC - 199.188.106.162 - 199.188.106.162 - GET /com.class
2015-09-20 12:09:52 UTC - 199.188.106.162 - 199.188.106.162 - GET /edu.class
2015-09-20 12:09:52 UTC - 199.188.106.162 - 199.188.106.162 - GET /net.class
2015-09-20 12:09:52 UTC - 199.188.106.162 - 199.188.106.162 - GET /org.class
2015-09-20 12:09:54 UTC - 199.188.106.162 - 199.188.106.162 - GET /66.exe

Post-Infection Venik Traffic

2015-09-20 12:09:58 UTC - 142.0.137.70 - 142.0.137.70:803 - GET //joy.asp?sid=uu0WmdaWmxXovuXmFfDPBIbyucbtudj8mdKXotiYmte@
2015-09-20 12:10:02 UTC - 142.0.137.69 - 142.0.137.69:803 - GET /index.php
2015-09-20 12:10:02 UTC - 142.0.137.69 - 142.0.137.69:803 - GET /index.php
2015-09-20 12:10:05 UTC - 142.0.137.69 - 142.0.137.69:803 - GET /index.php
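
As an added illustration (not part of the original post or its PCAP), the Python script below parses the request summaries listed above, decodes the 51yes.com analytics query string (which carries the referer that led the victim to the EK, the landing URL and the browser User-Agent), and reconstructs the chain stages: landing host, Java exploit host, payload host and post-infection servers on a non-web port. The hosts, IPs and URIs are the ones in the listing; the stage heuristics, function names and the 13-line sample are my own construction.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample: request summaries copied from the traffic listing in this post.
# The third column is the Host header (an IP literal for the EK and C2 servers).
TRAFFIC = """\
2015-09-20 12:09:36 UTC - 74.114.48.134 - www.koreatimes.com - GET /
2015-09-20 12:09:38 UTC - 133.130.90.152 - 133.130.90.152 - GET /ad.gif
2015-09-20 12:09:39 UTC - 199.188.106.162 - 199.188.106.162 - GET /index.html
2015-09-20 12:09:40 UTC - 199.188.106.162 - 199.188.106.162 - GET /LjNsSx.html
2015-09-20 12:09:40 UTC - 61.147.67.180 - count2.51yes.com - GET /click.aspx?id=25685989&logo=1
2015-09-20 12:09:42 UTC - 61.147.67.180 - count2.51yes.com - GET /sa.htm?id=25685989&refe=http%3A//www.koreatimes.com/&location=http%3A//199.188.106.162/index.html&color=24x&resolution=800x600&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%208.0%3B%20Windows%20NT%205
2015-09-20 12:09:50 UTC - 199.188.106.162 - 199.188.106.162 - GET /66.exe
2015-09-20 12:09:52 UTC - 199.188.106.162 - 199.188.106.162 - GET /YcVoEu.jar
2015-09-20 12:09:52 UTC - 199.188.106.162 - 199.188.106.162 - GET /com.class
2015-09-20 12:09:52 UTC - 199.188.106.162 - 199.188.106.162 - GET /edu.class
2015-09-20 12:09:54 UTC - 199.188.106.162 - 199.188.106.162 - GET /66.exe
2015-09-20 12:09:58 UTC - 142.0.137.70 - 142.0.137.70:803 - GET //joy.asp?sid=uu0WmdaWmxXovuXmFfDPBIbyucbtudj8mdKXotiYmte@
2015-09-20 12:10:02 UTC - 142.0.137.69 - 142.0.137.69:803 - GET /index.php
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - "
    r"(?P<ip>[\d.]+) - (?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)"
)
# IPv4 literal with an optional :port, as seen in the Host column for the EK and C2 servers
IP_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_traffic(text):
    """Parse summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("host").partition(":")
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "ip": m.group("ip"),
            "host": host,
            "port": int(port) if port else 80,
            "uri": m.group("uri"),
            "ip_literal_host": bool(IP_LITERAL_RE.match(m.group("host"))),
        })
    return records


def analytics_params(records):
    """Decode the 51yes sa.htm query string (percent-decoding done by parse_qs)."""
    for r in records:
        if r["host"].endswith("51yes.com") and r["uri"].startswith("/sa.htm"):
            qs = parse_qs(urlsplit(r["uri"]).query)
            return {k: v[0] for k, v in qs.items()}
    return {}


def infection_chain(records):
    """Group requests per server and flag the stages of the drive-by chain.

    Heuristics (my own, not a KaiXin-specific signature):
      landing        - server that returns .html and also .jar/.class or .exe
      java_exploit   - server that returns .jar or .class files
      payload        - server that returns a .exe
      post_infection - IP-literal server on a non-web port first seen after the payload
    """
    by_server = {}
    for r in records:
        by_server.setdefault((r["host"], r["port"]), []).append(r)

    chain = {"landing": [], "java_exploit": [], "payload": [],
             "post_infection": [], "seconds_landing_to_c2": None}
    first_exe = None
    for (host, port), reqs in by_server.items():
        paths = [r["uri"].split("?", 1)[0].lower() for r in reqs]
        serves_html = any(p.endswith(".html") for p in paths)
        serves_java = any(p.endswith((".jar", ".class")) for p in paths)
        serves_exe = any(p.endswith(".exe") for p in paths)
        if serves_html and (serves_java or serves_exe):
            chain["landing"].append(host)
        if serves_java:
            chain["java_exploit"].append(host)
        if serves_exe:
            chain["payload"].append(host)
            exe_ts = min(r["ts"] for r, p in zip(reqs, paths) if p.endswith(".exe"))
            first_exe = exe_ts if first_exe is None else min(first_exe, exe_ts)

    for (host, port), reqs in by_server.items():
        if (first_exe is not None and reqs[0]["ip_literal_host"]
                and port not in (80, 443) and reqs[0]["ts"] > first_exe):
            chain["post_infection"].append(host)

    if chain["landing"] and chain["post_infection"]:
        landing_ts = min(r["ts"] for r in records if r["host"] in chain["landing"])
        c2_ts = min(r["ts"] for r in records if r["host"] in chain["post_infection"])
        chain["seconds_landing_to_c2"] = int((c2_ts - landing_ts).total_seconds())
    return chain


if __name__ == "__main__":
    recs = parse_traffic(TRAFFIC)
    print(analytics_params(recs))
    print(infection_chain(recs))
```

On this capture the script reports 199.188.106.162 as landing, Java and payload host, the two 142.0.137.x servers on port 803 as post-infection traffic, and 19 seconds from the first landing request to the first beacon. The decoded `refe` and `location` parameters show what the actors learn from 51yes: which compromised site sent the visitor and which landing page they hit, which is also why the analytics request is a useful pivot when hunting for other compromised referers.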

IDS alerts using the Emerging Threats Pro Ruleset on Suricata 2.0.8 (INFO disabled)

2015-09-20 12:09:40 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET CURRENT EVENTS KaiXin Landing Page Nov 25 2014
2015-09-20 12:09:50 UTC - 199.188.106.162:80 -> 192.168.56.10:1174 - ET POLICY PE EXE or DLL Windows file download HTTP
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET CURRENT EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET CURRENT EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET CURRENT EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET CURRENT EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
2015-09-20 12:09:52 UTC - 192.168.56.10:1175 -> 199.188.106.162:80 - ET CURRENT EVENTS KaiXin EK Jar URI Struct
2015-09-20 12:09:55 UTC - 192.168.56.10:1178 -> 199.188.106.162:80 - ET TROJAN Unknown - Loader - Check .exe Updated
2015-09-20 12:09:59 UTC - 192.168.56.10:1180 -> 142.0.137.66:3201 - ETPRO TROJAN Win32/Venik CnC Beacon
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET CURRENT EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET WEB CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET CURRENT EVENTS KaiXin Secondary Landing Page M2
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET CURRENT EVENTS KaiXin Landing M4
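
As a second added illustration (again not part of the original post), the script below triages the alert list above: it normalises each alert to a client/server orientation, maps the ET/ETPRO signature name onto its rule category, summarises alerts per server, picks out TROJAN-category alerts to non-web ports as C2 candidates, and pulls all alerts on one client port so that alerts a minute apart can be tied to the same TCP connection. The alert lines are those listed in the post; the category table, the 192.168.56.x victim net and the function names are my own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the Suricata alert summaries listed in this post.
ALERTS = """\
2015-09-20 12:09:40 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET CURRENT EVENTS KaiXin Landing Page Nov 25 2014
2015-09-20 12:09:50 UTC - 199.188.106.162:80 -> 192.168.56.10:1174 - ET POLICY PE EXE or DLL Windows file download HTTP
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET CURRENT EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET POLICY Vulnerable Java Version 1.6.x Detected
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET CURRENT EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET CURRENT EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class
2015-09-20 12:09:52 UTC - 192.168.56.10:1176 -> 199.188.106.162:80 - ET CURRENT EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class
2015-09-20 12:09:52 UTC - 192.168.56.10:1175 -> 199.188.106.162:80 - ET CURRENT EVENTS KaiXin EK Jar URI Struct
2015-09-20 12:09:55 UTC - 192.168.56.10:1178 -> 199.188.106.162:80 - ET TROJAN Unknown - Loader - Check .exe Updated
2015-09-20 12:09:59 UTC - 192.168.56.10:1180 -> 142.0.137.66:3201 - ETPRO TROJAN Win32/Venik CnC Beacon
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET CURRENT EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET WEB CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET CURRENT EVENTS KaiXin Secondary Landing Page M2
2015-09-20 12:10:44 UTC - 199.188.106.162:80 -> 192.168.56.10:1054 - ET CURRENT EVENTS KaiXin Landing M4
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) - (?P<sig>.+)$"
)
LOCAL_NET = "192.168.56."   # assumed victim network for this capture
# Assumed subset of ET rule categories, longest/most specific first
CATEGORIES = ("CURRENT_EVENTS", "WEB_CLIENT", "POLICY", "TROJAN", "EXPLOIT", "MALWARE")


def category(sig):
    """Map an ET/ETPRO signature name onto its category. The listing spells the
    same category both 'WEB_CLIENT' and 'WEB CLIENT', so both forms are accepted."""
    m = re.match(r"^(?:ETPRO|ET) (.+)$", sig)
    if not m:
        return "UNKNOWN"
    rest = m.group(1)
    for cat in CATEGORIES:
        if rest.startswith(cat + " ") or rest.replace(" ", "_", 1).startswith(cat + " "):
            return cat
    return "UNKNOWN"


def parse_alerts(text):
    """Parse alert lines and orient each as client -> server, whichever side matched."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["category"] = category(d["sig"])
        if d["src"].startswith(LOCAL_NET):
            client, cport, server, sport = d["src"], d["sport"], d["dst"], d["dport"]
        else:
            client, cport, server, sport = d["dst"], d["dport"], d["src"], d["sport"]
        d.update(client=client, client_port=int(cport), server=server, server_port=int(sport))
        out.append(d)
    return out


def triage(alerts):
    """Per-server summary: category counts, first/last sighting, client ports (flows) involved."""
    servers = {}
    for a in alerts:
        s = servers.setdefault((a["server"], a["server_port"]),
                               {"categories": Counter(), "first": a["ts"], "last": a["ts"], "flows": set()})
        s["categories"][a["category"]] += 1
        s["first"] = min(s["first"], a["ts"])
        s["last"] = max(s["last"], a["ts"])
        s["flows"].add(a["client_port"])
    return servers


def c2_candidates(alerts):
    """TROJAN-category alerts toward a server port that is not plain web traffic."""
    return sorted({(a["server"], a["server_port"]) for a in alerts
                   if a["category"] == "TROJAN" and a["server_port"] not in (80, 443)})


def alerts_on_flow(alerts, client_port):
    """All alerts sharing one client port, i.e. (absent port reuse) one TCP connection."""
    return [a for a in alerts if a["client_port"] == client_port]


if __name__ == "__main__":
    al = parse_alerts(ALERTS)
    for key, s in triage(al).items():
        print(key, dict(s["categories"]), s["first"].time(), s["last"].time(), sorted(s["flows"]))
    print("C2 candidates:", c2_candidates(al))
    print("alerts on port 1054:", [a["sig"][:40] for a in alerts_on_flow(al, 1054)])
```

Two things fall out of running this on the listing. The only TROJAN alert to a non-web port is the ETPRO Venik CnC beacon to 142.0.137.66:3201, which is the alert worth pivoting on for other infected hosts. And the six CVE-2014-6332 and secondary-landing alerts at 12:10:44 share client port 1054 with the landing-page alert at 12:09:40, so they were delivered over the same TCP connection as the first landing page, roughly a minute after the Java route had already dropped and run 66.exe.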

Preliminary Malware Analysis

KaiXin EK Payload - Venik.I - 66.exe

KaiXin EK Java Exploit - YcVoEu.jar

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.