On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit (EK), potentially exposing them to malware infection. We will be referring to this site as KNS.
GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful malware to be installed on the system. While GongDa is an older exploit kit that continues to use Java exploits, it has also been found delivering both Flash and VBScript exploits as well. Despite its shortcomings when compared to newer EK’s such as Angler or Neutrino, GongDa proves that old tricks (or vulnerabilities) can still work effectively.
ATTACK CHAIN
The attack chain is no different than previous GongDa attacks we’ve seen in the past. A compromised page on the site loads a .js file that redirects to the EK’s landing page.
Figure 1: GongDa EK attack chain
Where the initial page is at the first highlighted request shown in Figure 1. The second request is the .js file jquery-1.3.2.min.js. It has script code injected at the bottom that loads an iframe to sekielec[.]co[.]kr/m/et/ad.html, the EK’s landing page as shown in Figure 2.
Figure 2: Injected script in the .js leading to GongDa
We observed a number of KNS owned pages loading the malicious .js redirecting to the GongDa landing page “/ad.html”.
From here, “ad.html” loaded:
sekielec.co.kr/m/et/swfobject.js
sekielec.co.kr/m/et/PnNxKk.html
sekielec.co.kr/m/et/jquery.js
EXPLOITS
GongDa has been observed serving the following CVE exploits in recent attacks:
2011-3544, 2011-2140, 2012-0507, 2012-1723, 2012-1889,
2012-4681, 2012-5076, 2013-0422, 2013-0634 and 2014-6332.
In this particular attack, the landing page probes the target machine and selects an exploit page to deliver to the victim. The exploit page observed in this attack was sekielec.co.kr/m/et/PnNxKk.html. It attempts to trigger CVE-2014-6332, “Windows OLE Automation Array Remote Code Execution Vulnerability”. This is a vulnerability that was patched by Microsoft Security Bulletin MS14-064 in November of 2014. It is a commonly used and dangerous vulnerability that can give an attacker arbitrary command execution on a target system.
The exploit page begins by reversing a string of script code used to start the exploitation process.
Figure 3 shows the before:
Figure 3: Reversed initiation code
And Figure 4 shows the after:
Figure 4: Initiation code
A call to the Create() function leads to a function call to the trigger function Over(), which is shown in Figure 5.
Figure 5: Trigger function Over()
The Over() function is responsible for setting up conditions and corrupting an OLE Automation array object, thus triggering the vulnerability.
Once the vulnerability is triggered, the attacker code can execute commands on the system.
Three variables are assigned, as shown in Figure 6.
Figure 6: Command variables
The first variable (nburl) is a URL to the attacker malware. The second variable (nbExE) is a randomly generated name for the malware that is placed on the system. The third variable (nbnurl) is simply the first variable enclosed in quotes.
nburl: http://smsforu.co.kr/RAD/stat/at.exe
Finally, the attacker code uses these variables and executes the following commands, as shown in Figure 7.
Figure 7: Command beginning
The nbnurl and the nbExE variable are used in the execution of the commands shown in Figure 8.
Figure 8: Command ending
The malicious file is placed in the “%SystemRoot%system” directory using the nbExE variable described above as a filename.
PAYLOADS
During this GongDa attack we saw the payloads being served from a domain within Korea:
smsforu[.]co[.]kr
With the following filename:
/rad/stat/at.exe
In recent GongDa attacks, we’ve observed payloads such as backdoors, RATs, Trojans, and downloaders.
Some of the MD5’s observed include the following:
- aac178f775588ca1d42c00d4d95604bd
- 3d58f4b2008f6d87cab9166c09e513b5
- a18d1bce5618b23f592dae9133c25229
- 40be7c9424c6c6de0d560d358a020a5c
- 808e27fd120ade3ecfb2b21aeda8bc58
- ed751ce651d685100e00ed133e4e5018
ADDITIONAL INFO
Attacks involving the GongDa Exploit Kit are not new and are fairly common in the APAC region. While it’s not the most cutting edge EK in the wild, it is still effective because many systems in the region seem to remain unpatched and defenseless against antiquated vulnerabilities such as those used by GongDa.
Additionally, GongDa consistently leverages infrastructure hosted on one of China’s largest ISP’s, China Telecom, operators of AS4134. China Telecom hosts the domain 51yes[.]com, a web traffic statistics service.
One of GongDa’s telltale behaviors is the use of stat counters, presumably for tracking the EK’s traffic and infection statistics. In this case they most always come from countX[.]51yes[.]com, based out of China. Figure 9 shows the GET requests for these stat counters.
Figure 9: Stat counter request
FireEye’s Dynamic Threat Intelligence shows that count7[.]51yes[.].com has been used in multiple GongDa EK attacks in January 2016 alone.
Referering GongDa URL |
bose.co.kr/shop/img/click/ad1.html bose.co.kr/shop/img/click/as1.html bose.co.kr/shop/img/naver/ad.html |
edresearch.co.kr/PEG/click/ad.html edresearch.co.kr/PEG/click1/ad.html |
nstory.com/tmp/click/ad1.html nstory.com/vars/ad/ad1.html nstory.com/vars/cache/click/ad1.html |
odbike.co.kr/w3c/cdn/ad1.html odbike.co.kr/shop/skin/click/ad1.html odbike.co.kr/shop/temp/click/ad1.html odbike.co.kr/w3c/cdn/ad1.html |
poption.kr/gnu/cdn1/ad.html poption.kr/gnu/click/ad.html poption.kr/gnu/extend/ad/ad.html poption.kr/w3c/click/ad.html |
sekielec.co.kr/m/et/ad.html |
smsmaster.co.kr/docs/click1/ad.html smsmaster.co.kr/docs/click3/ad.html |
www.poption.kr/gnu/js/click/ad.html |
Checking other countX[.]51yes[.]com hits with GongDa referrer’s, we saw hundreds of domains affected by the GongDa EK activity.
It is believed that the GongDa Exploit Kit has Chinese origins. The hypothesis is derived from capabilities, usage, and the infrastructure used to target various APAC region entities.
Interestingly, the registrant for the sekielec.co[.]kr GongDa landing page domain, “rhhan AT sekihe.co[.]kr”, also registered a number of other domains that have been observed as being GongDa landing pages as well.
CONCLUSION
With a name reminiscent of a creature straight out of Monster Island, GongDa may not be the new kid on the block; however, as demonstrated, it is still active and capable of wreaking havoc. Network defenders in the APAC region should be aware of this EK and take steps to ensure this “monster” never enters their network.
ACKNOWLEDGEMENTS
The authors and FireEye Labs would like to thank Dan Perez for his contribution to this blog.