Karn!v0r3x v1.0 Exploit Kit

There is a new exploit kit in the wild, this time named Karn!v0r3x v1.0:

[Image: screenshot of the Karn!v0r3x v1.0 login page]

HTML code of the login page:

<html>
<head>
<title>Karn!v0r3x v1.0 [Inicio]| Malandrines .n3t</title>
<script language="JavaScript" src="files/fallt.js"></script>
<style>
body{background:black;color:yellow;}
#karnivora{
	margin:80px auto;
	background:url('files/karni.jpg');
	width:500px;
	height:375px;
	border:1px solid red;
	-moz-border-radius:5px;
	border-radius:5px;
	color:black;font-size:20px;font-weight:bold;
}
form{float:right;}
ol{list-style:none;margin:0px;padding:0px;}
input{background:#2F2F2F;color:yellow;}
 
</style>
</head>
<body>
	<div id='karnivora'>
		<form action='' method='post'>
		<ol>
			<li>
 
				<label>Username:</label><br/> 
				<input type='text' name='user' size='20' />
			</li>
			<li>
				<label>Password:</label> <br/>
				<input type='password' name='pass' size='20' />
			</li>
				<li><input type='submit' value='Enter'/></li>
 
		</ol>
		</form>
 
		<div style='margin-top:354px;margin-left:10px;'>
			Karn!v0r3x v1.0 | Malandrines .n3t [2011]
		</div>
	</div>
</body>

Traffic sniffed while trying some logins:

POST /imagenes_noticias/ HTTP/1.1
Host: alertas .gob.mx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: hxxp://www.alertas .gob.mx/imagenes_noticias/
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
 
user=username&pass=password

Screenshots of the content of some directories:

hxxp://www.alertas .gob.mx/imagenes_noticias/files/

[Image: directory listing of /imagenes_noticias/files/]

hxxp://www.alertas .gob.mx/imagenes_noticias/files/os/

[Image: directory listing of /imagenes_noticias/files/os/]

The file net4.exe appears to be the legitimate .NET 4.0 file:

File: net4_exe
Size: 889416 bytes
MD5 Hash: 53406E9988306CBD4537677C5336ABA4
SHA1 Hash: 06BECADB92A5FCCA2529C0B93687C2A0C6D0D610
SHA256 Hash: FA1AFFF978325F8818CE3A559D67A58297D9154674DE7FD8EB03656D93104425
SHA384 Hash: FAA596D827BB04DAD53CFB921047BA07916BA78754EBDF00A5DF1BEE69594512DDD9E5F6F1C76D6B82EE3576E4CDA40F
SHA512 Hash: 4F89DA81B5A3800AA16FF33CC4A42DBB17D4C698A5E2983B88C32738DECB57E3088A1DA444AD0EC0D745C3C6B6B8B9B86D3F19909142F9E51F513748C0274A99

The executable file is located at:

hxxp://www.alertas .gob.mx/imagenes_noticias/files/net4.exe

If we query the bot.php file as follows:

hxxp://www.alertas .gob.mx/imagenes_noticias/bot.php?b=sites

We get a list of websites (page titles?), as seen in this image:

[Image: output of bot.php?b=sites, a list of website titles]

Most probably the banking trojan distributed with this exploit kit monitors the page titles of web browsers and, when a title matches one in this list, starts capturing the details of banking transactions in order to steal the account details.

List of known paths related to this exploit kit:

/index.php
/bot.php?b=sites
/bot.php?b=save
/bot.php?b=show
/bot.php?b=id
/bot.php?b=savesites
/files/
/files/os/
/files/capturas/
/files/downloads/
/files/geoip.dat
/files/geoip.inc
/files/karni.jpg
/files/paises/
/files/net4.exe

The infected machine communicates with the C&C server like this:

/bot.php?b=save&windows=Microsoft%20Windows%20NT%205.1.2600%20Service%20Pack%203&pcname=PCNAME&userna=UserName
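As an added example (not part of the original post), the check-in format above can be turned into a simple detection: the script below parses proxy log lines, picks out requests to bot.php whose b= action is one of the kit's known actions, and decodes the host fingerprint fields. The log format, client IPs and the domain cnc.example.test are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The 'b' actions of bot.php listed in the post as known C&C paths.
KARNIVOREX_ACTIONS = {"sites", "save", "show", "id", "savesites"}
KARNIVOREX_PATH_RE = re.compile(r"(?:^|/)bot\.php$")

def parse_karnivorex_beacon(url):
    """Return the decoded fields of a bot.php request, or None if the URL
    does not match the kit's C&C path/action pattern."""
    parts = urlsplit(url)
    if not KARNIVOREX_PATH_RE.search(parts.path):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    action = qs.get("b", [None])[0]
    if action not in KARNIVOREX_ACTIONS:
        return None
    fields = {"action": action}
    for key in ("windows", "pcname", "userna"):  # fingerprint sent by the bot
        if key in qs:
            fields[key] = qs[key][0]  # parse_qs already URL-decodes %20 etc.
    return fields

# Constructed proxy log lines: timestamp client method url status
SAMPLE_LOG = """\
1325376000.001 10.0.0.5 GET http://cnc.example.test/imagenes_noticias/bot.php?b=save&windows=Microsoft%20Windows%20NT%205.1.2600%20Service%20Pack%203&pcname=PCNAME&userna=UserName 200
1325376001.200 10.0.0.7 GET http://www.example.test/news/index.php 200
1325376002.300 10.0.0.5 GET http://cnc.example.test/imagenes_noticias/bot.php?b=sites 200
1325376003.400 10.0.0.9 GET http://www.example.test/bot.php?b=login 404
"""

def find_beacons(log_text):
    """Scan log lines; return (client_ip, parsed fields) for each match."""
    hits = []
    for line in log_text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        client, url = cols[1], cols[3]
        fields = parse_karnivorex_beacon(url)
        if fields is not None:
            hits.append((client, fields))
    return hits

if __name__ == "__main__":
    for client, fields in find_beacons(SAMPLE_LOG):
        print(client, fields)
```

The unknown action b=login on the last sample line is deliberately not flagged, so the rule only fires on paths the post actually documents.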

More details about this exploit kit can be found here:
Nuevo Botnet Contra Mexico: Karn!v0r3x
