CrimeBoss Exploit Pack

Earlier this year, the CrimeBoss exploit pack was released in beta form. An updated version was recently seen in the wild.

Here's the panel's login screen which looks just like Crimepack.

But the rest of the pack is completely different. Here's the landing page of the exploit pack:

The second layer is a little more challenging:

Once you deobfuscate the code, you'll be rewarded with a neatly written script complete with comments. Here we see the three Java exploits it's using:

The next day, the applets were replaced with similar ones:

As you can see from the above, the visiting computer gets hit by all three Java exploits:

CVE-2012-4681
CVE-2011-3544
"Social Engineering Applet"

The last applet is not actually an exploit. It merely tries to convince you that it's okay to run the applet.

If you don't have Java installed, CrimeBoss gives you a chance to install it.

The text above is in Portuguese, here's a translation:

"You do not have Java or it is disabled.
This page has features that require Java to be enabled.
Click here to install the Java plugin."

There are three interesting aspects to this exploit pack. The first is that this pack distributes the parts of its infection chain onto different domains. This makes the pack a little more resilient.

The second thing is that the payloads are renamed to look like graphic files. Unless you look at the magic numbers, it may not be very obvious that they are executables. Presumably they are hiding in plain sight on these servers. The dropped files range from backdoors to banking Trojans.

dl[.]dropbox[.]com/u/104545784/mda.bmp
uploads[.]boxify[.]me/90831/gforcea.bmp
andreazza[.]med[.]br/xul.gif
desperadoradio[.]nl/phedex/icon.gif
andreturco[.]com[.]br/imgs/a22.gif
kids-trace-com[.]web11[.]redehost[.]com[.]br/ams5.jpg
dl[.]dropbox[.]com/u/80789560/phed0015.ico

The third is that these Java applets download the malicious payload using a specific useragent string as seen here:

This translates to this:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0

Another applet used this one:

Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0

At the moment, it does not matter what your useragent string is; you can download these payload files at any time using any browser. But it seems plausible that in the future, CrimeBoss' sites could restrict a direct download unless you have a matching UA string. This would join the other packs that employ a sessionID, cookie, referer, or UA string check to prevent direct downloads.

Java Exploits

File: java7.jar (CVE-2012-4681)
MD5: 171bd05e3d9b7b17f206ff0e2beaeddf
VT: 9/41

File: javab.jar (CVE-2011-3544)
MD5: D679A4EED92C94EF1E75F47F0DDDC2B4
VT: 4/42

File: xul1.jar
MD5: 80F3F65413F5A7A7E07B8FE17E9943E5
VT: 4/42

File: pka1.jar
MD5: F2D9B13E224A4AA2F234BF2316E9E30C
VT: 2/42

Dropped Files

File: a22.gif
MD5: 0a6d3a1505a8f14252b5afc5b71fe800
VT: 6/42

File: gforcea.bmp
MD5: f30526e804df83a2a30068f1d74faeab
VT: 4/41

File: icon.gif
MD5: 5045d1c758ac60f50813fdd8188b3ae8
VT: 6/41

File: mda.bmp
MD5: f474e1d0e4adc3d0b5cba7b17727a4f9
VT: 2/42

File: ams5.jpg
MD5: c39ddd740e730d27346d325222a2302c
VT: 1/42

File: phed0015.ico
MD5: 13B86ED2D78EA2C6DBF6CF7EE7EC5206
VT: 0/42

Posted on: 09/13/2012