Analyzing DotkaChef Exploit Pack

"DotkaChef" (aka DotCache, DotCacheF) was discovered by Chris Wakelin (@EKwatcher) several months ago. Today we noticed that several things have changed, but it is functionally the same kit.

If you look closely at the compromised websites serving "DotkaChef" to their visitors, they are all running Invision Power Board (IP.Board). It is quite possible that the cybercriminals have been targeting a vulnerability in old IP.Board installations, specifically versions <= 3.3.4 (CVE-2012-5692 - unserialize() PHP code execution).

When a website is successfully compromised, the "DotkaChef" pack is uploaded to the server into a single folder with a randomly generated name. It appears to be a self-contained, portable exploit pack.

Back in June or so, the URLs looked like this (hence the name):

website/upload/.cache/?f=atom.jar&k=2341993693027637&h=baf5291d12f88f53
website/upload/.cache/?f=site.jar&k=2341993693027615&h=baf5291d12f88f53
website/upload/.cache/?f=sm_main.mp3&k=2341993693027648&h=baf5291d12f88f53

Since then, the URL format has changed and no longer uses the "/.cache/" folder:

website/panel/js/fe0e2feefe/?=MDct5ibpFWbf12c8lzM1ATN4YDM1UDMwkzM89SZmVWZmJTZwUmZvMnavwWZuFGcvUGdpNnYld3LvoDc0RHa8NnZ
website/panel/js/fe0e2feefe/?f=a&k=3900550685053931
website/panel/js/fe0e2feefe/?f=s&k=3900550685053919
website/panel/js/fe0e2feefe/?f=sm_main.mp3&k=3900550685053942

Let’s have a closer look...

The URL for the landing page carries what looks like a bunch of random characters. It is actually a base64 string written in reverse (with the trailing "=" padding stripped). Reversing the string, restoring the padding and base64-decoding it reveals the following:

fs|http://website/panel/js/fe0e2feefe/|39005506850539|sm_main.mp3

The pipe character is used as a delimiter to separate "fs", the website path, a 14-digit "key", and the payload filename. When the malicious URLs are generated, the "k" parameter is a 16-digit number built from the 14-digit key followed by two more digits (3900550685053931 = 39005506850539 + 31, and so on for 19 and 42 above).

The "f" parameter selects the malicious Java applet. This kit uses two Java exploits, and the values "a" and "s" (shortened from the earlier atom.jar and site.jar names) determine which exploit is served.
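The decoding and key check described above, as an added Python example that is not part of the original post or of the kit itself. It works on the URLs quoted above (the host "website" is the post's placeholder, not a real indicator), restores the base64 padding the kit strips, derives the 14-digit key from the 16-digit "k" value, and labels each follow-up request using the "a"/"s" mapping from this post. The function and variable names are my own.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# URLs as quoted in the post. "website" is the post's placeholder host.
LANDING_URL = (
    "http://website/panel/js/fe0e2feefe/"
    "?=MDct5ibpFWbf12c8lzM1ATN4YDM1UDMwkzM89SZmVWZmJTZwUmZvMnavwWZuFGcvUGdpNnYld3LvoDc0RHa8NnZ"
)
FOLLOWUP_URLS = [
    "http://website/panel/js/fe0e2feefe/?f=a&k=3900550685053931",
    "http://website/panel/js/fe0e2feefe/?f=s&k=3900550685053919",
    "http://website/panel/js/fe0e2feefe/?f=sm_main.mp3&k=3900550685053942",
]

# What the "f" values select, per the post.
F_VALUES = {
    "a": "atom.jar (CVE-2013-2423)",
    "s": "site.jar (CVE-2013-1493)",
}


def decode_landing_param(blob):
    """Reverse the string, restore the stripped '=' padding, base64-decode."""
    reversed_b64 = blob[::-1]
    reversed_b64 += "=" * (-len(reversed_b64) % 4)
    return base64.b64decode(reversed_b64).decode("ascii")


def encode_landing_param(fields):
    """Inverse of decode_landing_param: the encoding the kit appears to use."""
    raw = "|".join(fields).encode("ascii")
    return base64.b64encode(raw).decode("ascii").rstrip("=")[::-1]


def parse_landing_url(url):
    """Split a DotkaChef landing URL into its four pipe-delimited fields."""
    query = urlsplit(url).query
    # The parameter has an empty name ("?=..."), so take everything after '='.
    blob = query.split("=", 1)[1]
    fields = decode_landing_param(blob).split("|")
    if len(fields) != 4:
        raise ValueError("unexpected field count: %r" % (fields,))
    tag, path, key, payload = fields
    if not re.fullmatch(r"\d{14}", key):
        raise ValueError("key is not 14 digits: %r" % key)
    return {"tag": tag, "path": path, "key": key, "payload": payload}


def classify_request(url, key):
    """Tie a follow-up request back to the landing page via its key.

    Returns None when the 16-digit "k" does not start with the 14-digit key,
    otherwise a dict with the two-digit suffix and what "f" selects.
    """
    qs = parse_qs(urlsplit(url).query)
    f = qs.get("f", [""])[0]
    k = qs.get("k", [""])[0]
    if not re.fullmatch(r"\d{16}", k) or not k.startswith(key):
        return None
    if f in F_VALUES:
        kind = "exploit: " + F_VALUES[f]
    elif f.endswith(".mp3"):
        kind = "payload: " + f
    else:
        kind = "unknown f=" + f
    return {"f": f, "k": k, "suffix": k[len(key):], "kind": kind}


def triage(landing_url, followup_urls):
    """Decode the landing page, then label every follow-up request."""
    info = parse_landing_url(landing_url)
    info["requests"] = [classify_request(u, info["key"]) for u in followup_urls]
    return info


if __name__ == "__main__":
    result = triage(LANDING_URL, FOLLOWUP_URLS)
    print("key=%s payload=%s path=%s" % (result["key"], result["payload"], result["path"]))
    for r in result["requests"]:
        print("  k=%s suffix=%s %s" % (r["k"], r["suffix"], r["kind"]))
```

Because the decoded string ends with the payload filename, the same key also shows up in the "k" of the payload request, which is handy when reconstructing a full infection chain from proxy logs: any request to the kit's path whose "k" does not begin with a key seen in a landing page is either a different victim or a probe with a wrong URL.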

If you hit the page with an incorrect URL, you get this error message:

When the correct URL is used, you get the landing page. The landing page contains JavaScript obfuscated with JJEncode, shown below (I wrote earlier about how to deobfuscate this: http://www.kahusecurity.com/2013/jjencode-script-leads-to-drive-by/):

The deobfuscated version looks like this. It calls up the "atom.jar" exploit, which abuses CVE-2013-2423.

Using JD-GUI, we can see that there is little in the way of obfuscation; the applet merely base64-encodes its strings. It reads the payload URL passed in from the landing page and downloads the payload to the victim's computer.

The other Java applet does basically the same thing; it exploits CVE-2013-1493.

The payload is downloaded with an "mp3" file extension, then renamed and executed. It will be one of two payloads: Zbot or Zaccess.

Finally, the exploit pack keeps a log of successful and unsuccessful loads. Each row contains the key, a pipe delimiter, and a status code; a status code of "466" indicates a successful load.

Reviewing the logs shows quite a number of successful loads, making this a simple yet effective exploit pack.

File: atom.jar (CVE-2013-2423)
MD5: 36D157C2EE62CF4BABA43497983739AA
VT: 3/49

File: site.jar (CVE-2013-1493)
MD5: FDCF4174445C303FC20494D9B24D7E7D
VT: 5/48

File: bb.mp3 (Zbot)
MD5: 29028CB338DFA191574939D281F1B385
VT: 24/47

File: sm_main.mp3 (Zaccess)
MD5: B6B0F0FE2033608579B4FA55D2993486
VT: 36/49

Posted on: 12/19/2013