We're keeping a pretty close eye on Exploit Kits here at the VRT, and when a new trend or technique starts to rear its head, we pay close attention. Over the past week or so, we saw an exploit kit doing something unusual - this kit appears to be tracking the Windows systems it is using, by leveraging a list of installed fonts as a sort of unique identifier. This could be tracking different base language pack installs on Windows PC, for example. The kit's landing page has a hard coded list of fonts, checks to see which ones are present, and then submits a MD5 hash of the list of fonts to the server, which then iterates through six different exploits. It also verifies the JavaScript MD5 algorithm works as expected by MD5 hashing "hello", thus the name of this kit. "HelloEk"
This kit appears to be popping up, so far, on compromised wordpress sites, so make sure you have wordpress and any themes/plugins updated.
FireAMP and ClamAV detect the dropped executable, and Snort rules for this kit are sids 30001 through 30009, and will be published in the next rule release.
The exploit URLs look like this:
Step 1 - Initial landing page from iframe injected in another site
hxxp://compromised.example/wp-includes/pomo/dtsrc.php
Step 2 - Submit hash of fonts + user agent, and direct the browser to the kitchen sink of six different exploits
hxxp://compromised.example/wp-includes/pomo/dtsrc.php?a=h1&f=d41d8cd98f00b204e9800998ecf8427e&u=u=Mozilla%2F4.0%20(compatible%3B%20MSIE%208.0%3B%20Windows%20NT%205.1%3B%20Trident%2F4.0%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.0.04506.648%3B%20.NET%20CLR%203.5.21022)
Step 3 - various different exploits, based on various conditions
hxxp://compromised.example/wp-includes/pomo/dtsrc.php?a=XXX -- where XXX is one of the below
h2 == java < v1.7.17
h3 == chrome w/ java < v1.7.17
h4 == msie 6 and winver < 6 (below Vista)
h5 == java < v1.7.17 and msie 7 and winver < 6 (below Vista)
h6 == msie 8 and winver < 6 (below Vista)
h7 == java < v1.6.32, or lower
r2 == malicious java JAR
r7 == malicious java JAR
dwe == malicious PE executable
Here are the hashes of the malicious files we downloaded:
MD5:
545244ffcfa9493d130979a11370f0fd dtsrc.php?a=dwe
9afb9b700575e3972b158c9aee31c6a1 dtsrc.php?a=r7
SHA256: 164de09635532bb0a4fbe25ef3058b86dac332a03629fc91095a4c7841b559da dtsrc.php?a=dwe
5a28cec7e942409a27c5e8eeed79194967519b45efd0ce246ad80c2863f10c51 dtsrc.php?a=r7
We'll be posting more results as investigation continues.
Update: Our colleagues over in the TRAC group wrote about this back in September. http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/ when the attack was a bit more confined.
Update 2: This is actually formerly detected as the "LightsOut" exploit kit. It seems to come and go and is used by different groups.