lunes, 11 de febrero de 2013

Anonymous Exploit Kit


It have been found a new malware injection kit named "Anonymous exploits kit"

It is located in the domain zaebal11.uni.me hosted on an IP of Panama.
 

The infection vector that drops the trojan is:
 

hXXp://zaebal11.uni.me/loads/

It downloads the malicious binary:
 

hXXp://zaebal11.uni.me/loads/cita.exe
 

Binary size cita.exe: 271622
MD5: 6b7a7415276014b9a9e6350724f4cae7
 

This malware infects the user with the Citadel Trojan which tries to connect against the fraudulent domain netreverseram.ru that is currently idle.
 

Access to the statistical panel of "Anonymous exploits kit" is via URL address:
 

hXXp://zaebal11.uni.me /loads/statistics/login.php

Showing the following screen:
 


Once inside the panel it can see the tracking information of infected users, the victim's home country, operating system version, browser version etc.
 



At the time of analysis this kit was in a very initial state without any infected user yet. There are only traces of the authors of KIT from IP of Netherlands.



The file structure of the KIT is:
 


 As remarkable new code of all files that make up the kit have been encrypted in Base64
 

This KIT takes advantage of vulnerabilities discovered for Java and PDF to infect the user with configured exploits in the kit:



Exploits are also encrypted so they couldn’t be reused by other criminal groups, and certainly when criminals finish adapting the kit  will have the latest vulnerabilities zero-day discovered for Java

In fact in the same fraudulent domain is hosted the famous Control panel Multilocker Trojan or Trojan Police that uses Java exploits to spread


As showed in the following screens:
 

And the list of cheated users who have already  made payments to unlock their computers
 



No hay comentarios:

Publicar un comentario en la entrada

Nota: solo los miembros de este blog pueden publicar comentarios.