SANS ISC Internet Storm Center


Traffic pattern change noted in Fiesta exploit kit

Published: 2015-05-04
Last Updated: 2015-05-04 03:40:34 UTC
by Brad Duncan (Version: 1)
0 comment(s)

A few hours ago, Jerome Segura, Senior Security Researcher at Malwarebytes, tweeted about a change in traffic patterns from Fiesta exploit kit (EK) [1].

What had been semi-colons in the URLs from Fiesta EK are now commas. Here's what I saw in my previous diary on Fiesta EK last week [2]:

Here's what I saw from infecting a host with Fiesta EK a short while ago:

Any signatures for detecting Fiesta EK that depend on those semi-colons will need to be updated.
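As an added illustration of that point (this is example code, not part of the diary and not based on its pcap), the script below runs a semicolon-only URL signature and a delimiter-tolerant replacement over a few constructed proxy-log lines. The path shape used here (an alphanumeric directory, a 16-hex-character token, then short numeric fields) is an assumption made for the example, not Fiesta EK's actual URL format; the log lines and hostnames are likewise constructed.

```python
import re
from typing import List, Tuple

# Constructed proxy-log lines (not taken from the diary's pcap). Format assumed:
# date time client method host path status
SAMPLE_LOG = """\
2015-05-04 02:11:07 10.0.0.5 GET example-ek.invalid /lp7c2/3f9a1c0de7b2a4e5;1;3;1;2;7 200
2015-05-04 02:11:09 10.0.0.5 GET example-ek.invalid /lp7c2/3f9a1c0de7b2a4e5,1,3,1,2,7 200
2015-05-04 02:11:12 10.0.0.5 GET www.example.com /index.html 200
2015-05-04 02:11:15 10.0.0.5 GET cdn.example.com /assets/app.js,v2 200
"""

# Old-style signature: only semicolon-delimited fields. After the change the
# diary describes, a rule written this way no longer fires on the comma form.
SIG_SEMICOLON = re.compile(r"^/[a-z0-9]+/[0-9a-f]{16}(?:;\d{1,2}){3,}$")

# Updated signature: accept ';' or ',' as the field delimiter, but require the
# same delimiter throughout (the backreference (?P=d)) so that mixed or
# unrelated comma-bearing paths such as "/assets/app.js,v2" are not matched.
SIG_EITHER = re.compile(
    r"^/[a-z0-9]+/[0-9a-f]{16}(?:(?P<d>[;,])\d{1,2})(?:(?P=d)\d{1,2}){2,}$"
)


def parse_paths(log_text: str) -> List[Tuple[str, str]]:
    """Return (host, path) for each well-formed log line; skip malformed lines."""
    records = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # ignore lines that do not fit the assumed 7-field layout
        records.append((fields[4], fields[5]))
    return records


def scan(log_text: str, signature: "re.Pattern[str]") -> List[str]:
    """Return the request paths in the log that the given signature matches."""
    return [path for _, path in parse_paths(log_text) if signature.match(path)]


def missed_by_old_rule(log_text: str) -> List[str]:
    """Paths the updated rule catches but the semicolon-only rule would miss."""
    old_hits = set(scan(log_text, SIG_SEMICOLON))
    return [p for p in scan(log_text, SIG_EITHER) if p not in old_hits]


if __name__ == "__main__":
    print("semicolon-only rule:", scan(SAMPLE_LOG, SIG_SEMICOLON))
    print("delimiter-tolerant rule:", scan(SAMPLE_LOG, SIG_EITHER))
    print("missed by old rule:", missed_by_old_rule(SAMPLE_LOG))
```

The point of the backreference is that broadening a rule from `;` to `[;,]` on every field independently would also start matching paths that merely contain a comma; requiring one consistent delimiter keeps the rule tight while covering both the old and the new traffic pattern.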

A pcap of the traffic is available at http://malware-traffic-analysis.net/2015/05/04/2015-05-04-Fiesta-EK-traffic.pcap, and a zip file of the associated malware is at http://malware-traffic-analysis.net/2015/05/04/2015-05-04-Fiesta-EK-malware.zip

The ZIP file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

I checked out the payload from this infection, and it has a digital signature spoofing Microsoft.

Didn't get any traffic out of the malware payload from publicly-available malware analysis tools:

While generating traffic for my previous diary on Fiesta EK, I saw 3 different payloads within a 2 hour period.  Every once in a while, I've seen digital signatures from Fiesta EK malware payloads, but I'm not sure what this particular payload is.  Haven't really had time to analyze it.  If anyone does have time, please leave a comment.

---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://twitter.com/jeromesegura/status/595002036027985921
[2] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631
