[ Technical Analysis: Deceiving ‘Parked Domain’ & several .SG sites serve exploits ]

I reported the following Singapore website(s), which might be serving malicious content, to SingCERT back on 29th November 2014.
But I have just checked today and all of these site(s) are still serving the same malicious content,
even though they told me back on 1st December that they have notified all relevant partie(s). O_o

For the 1st website, I happened to chance upon this while checking out Lego-related stuff.
Severity: Malware Hidden Inside JPG EXIF Headers
Confidence: Certain
Host: h–p://www[.]thebroerscafe[.]sg
Path: /wp-content/uploads/2013/05/Lego-workshop[.]jpg

Issue Description:
The malicious content hides its data in the EXIF headers of a JPEG image.
So how does malicious content in the EXIF headers of a JPEG image get executed?
Basically, it uses the exif_read_data and preg_replace PHP functions to read the headers and execute itself.
If you were to view the EXIF info of the following image:
h–p://www[.]thebroerscafe[.]sg/wp-content/uploads/2013/05/Lego-workshop[.]jpg

You will see something like this.

Image 1 : Exif info of Malicious JPG file

If you look at it in Notepad++ or in a hex editor, it’s hidden here as shown in the image below.

Image 2 : Malicious JPG opened in Notepad++

Please note the PHP code in the EXIF Model field, but also the string /.*/e in the Maker field.
Once the base64 string is decoded, the code translates into:

Basically, it evaluates whatever it gets through the POST parameter zz1.
But this is an image, so how does this code get executed?
Thanks to the PHP exif_read_data function –

The PHP function preg_replace will interpret the content as PHP code thanks to the /e modifier (the string in the Maker field of the EXIF data). This will execute the eval code in the second EXIF field (Model). So basically this is a backdoor that will execute any command inside the zz1 POST parameter. The /e pattern modifier has been deprecated since PHP 5.5.0, which is good news, although deprecated only means a warning is emitted: on PHP 5.5 and 5.6 the modifier still works, so the backdoor keeps functioning on such hosts.

So basically this is a two-component backdoor that consists of a JPEG file with malicious EXIF data and a PHP loader that executes it.
This PHP loader can be easily inserted into any other PHP file found on the server, where it would probably not be noticed easily.
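To turn the description above into something a defender can run against uploaded images, here is an added example (not code from this post, from Sucuri, or from the site in question) that parses the JPEG APP1/Exif segment by hand, pulls out the ASCII tags, and flags the combination the post describes: a PCRE literal with the /e modifier in Make (the "Maker" field above) and eval()/base64_decode() in Model. The detection heuristics and the sample JPEG are my own constructions; the sample is a stand-in for the real Lego-workshop file, not a copy of it.

```python
import base64
import re
import struct

# Minimal JPEG/EXIF reader plus a heuristic scanner for the EXIF backdoor
# pattern described in the post (added example; heuristics are assumptions).
TAG_MAKE = 0x010F
TAG_MODEL = 0x0110
TAG_NAMES = {TAG_MAKE: "Make", TAG_MODEL: "Model"}
ASCII_TYPE = 2

# PCRE literal such as /.*/e whose modifier list contains the deprecated 'e'
PCRE_E_MODIFIER = re.compile(r"^/.*/[A-Za-z]*e[A-Za-z]*$")
# PHP fragments that have no business in camera metadata
PHP_MARKERS = ("<?php", "eval(", "base64_decode(", "$_POST", "$_GET", "$_REQUEST")
BASE64_ARG = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']')


def build_jpeg_with_exif(make, model):
    """Build a minimal JPEG (SOI, APP1/Exif, EOI) whose IFD0 holds Make and
    Model as ASCII tags. Little-endian TIFF; values longer than 4 bytes are
    stored after the IFD, shorter ones inline, as the TIFF spec requires."""
    values = [(TAG_MAKE, make.encode() + b"\x00"),
              (TAG_MODEL, model.encode() + b"\x00")]
    ifd_offset = 8
    data_offset = ifd_offset + 2 + 12 * len(values) + 4
    entries, blob = b"", b""
    for tag, raw in values:
        if len(raw) <= 4:
            entries += struct.pack("<HHI", tag, ASCII_TYPE, len(raw)) + raw.ljust(4, b"\x00")
        else:
            entries += struct.pack("<HHII", tag, ASCII_TYPE, len(raw), data_offset + len(blob))
            blob += raw
    tiff = b"II*\x00" + struct.pack("<I", ifd_offset)
    tiff += struct.pack("<H", len(values)) + entries + struct.pack("<I", 0) + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _parse_tiff_ascii_tags(tiff):
    """Walk IFD0 of a TIFF blob (either byte order) and return ASCII tags."""
    order = tiff[:2]
    if order == b"II":
        e = "<"
    elif order == b"MM":
        e = ">"
    else:
        raise ValueError("bad TIFF byte order")
    if struct.unpack(e + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF magic")
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(e + "HHI", entry[:8])
        if typ != ASCII_TYPE:
            continue
        if n <= 4:                       # value stored inline in the entry
            raw = entry[8:8 + n]
        else:                            # value stored at an offset
            off = struct.unpack(e + "I", entry[8:12])[0]
            raw = tiff[off:off + n]
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00").decode("latin-1")
    return tags


def read_exif_ascii_tags(jpeg):
    """Walk JPEG marker segments up to SOS and return the ASCII tags of the
    first APP1/Exif segment (empty dict if the file carries none)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI or SOS: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _parse_tiff_ascii_tags(seg[6:])
        pos += 2 + length
    return {}


def scan_for_exif_backdoor(jpeg):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for name, value in read_exif_ascii_tags(jpeg).items():
        if PCRE_E_MODIFIER.match(value):
            findings.append("%s: PCRE pattern with /e modifier (%r)" % (name, value))
        for marker in PHP_MARKERS:
            if marker in value:
                findings.append("%s: contains PHP fragment %r" % (name, marker))
        for b64 in BASE64_ARG.findall(value):   # look inside base64-wrapped code too
            try:
                decoded = base64.b64decode(b64, validate=True).decode("latin-1")
            except (ValueError, UnicodeDecodeError):
                continue
            hits = [m for m in PHP_MARKERS if m in decoded]
            if hits:
                findings.append("%s: base64 payload references %s" % (name, ", ".join(hits)))
    return findings


def build_sample_jpeg():
    """Constructed stand-in for the malicious file: /.*/e in Make and a
    base64-wrapped eval() in Model whose decoded body reads POST zz1."""
    inner = b'if (isset($_POST["zz1"])) { echo "constructed sample"; }'
    model = 'eval(base64_decode("%s"));' % base64.b64encode(inner).decode()
    return build_jpeg_with_exif("/.*/e", model)


if __name__ == "__main__":
    for line in scan_for_exif_backdoor(build_sample_jpeg()):
        print(line)
```

Run over an uploads directory, anything returning a non-empty list deserves a look; a camera-written Make/Model never starts with a slash or contains eval(. The scanner stops at SOS on purpose, since the compressed image data cannot contain a second Exif segment.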

As the website is using TimThumb, and TimThumb has been known to have several security vulnerabilities for years, I would recommend the website owner to discontinue the usage of TimThumb.

If anyone is interested in learning more about this, you can read about it at the links below.
Related Links:
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
http://securelist.com/blog/research/58196/malware-in-metadata/

For the 2nd website,
Severity: Redirection to possibly ExploitKit
Confidence: Certain
Host: h–p://www[.]hinhuatdj[.]com
Path: /index[.]html

Issue Description:
If you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 3 : Source of Index.html in www[.]hinhuatdj[.]com

Please don’t run the script unless you know what you are doing. Once you have safely decoded it, you will see this.

Image 4 : Decoded Javascript pointing to Malicious website

A quick check against VirusTotal shows that it has been flagged as malicious previously by Kaspersky and Sucuri.

This is the Virustotal report on the website.
https://www.virustotal.com/en/url/57186289dcea318fc52dbfe1ccd850cb5c2e1ffdf3b6be136330cfad1a169f40/analysis/1417239062/

For the 3rd website,
Severity: Compromised website
Confidence: Certain
Host: h–p://www[.]mdas[.]org[.]sg
Path: /

Issue Description:
If you view the page source of the website in a safe manner, you will be able to see that the page has been injected with malicious HTML code as shown below.
The links seem to be porn URLs.

Image 5 : Injected html codes

Visitors to this website might accidentally click on the porn URLs and potentially be exposed to other malicious stuff.
The IP address of this website is currently 111.235.138.70.
111.235.138.70 currently belongs to Vodien Internet Solutions Pte Ltd, which is a local web hosting company.

For the 4th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://333bakkutteh[.]com
Path: /index[.]html

Issue Description:
If you view the website in a safe manner, you may find that it appears to be “Parked” or not in use.

However, if you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 6 : Injected html codes

Based on personal experience, I can straight away recognise this as an ExploitKit injection.
Visitors to this website will be exposed to the exploits served by this ExploitKit immediately.
The IP address of this website is currently 112.140.185.140.
112.140.185.140 currently belongs to sparkstation.net, which is a .SG web hosting company.

For the 5th website,
Severity: Serving ExploitKit
Confidence: Certain
Host: h–p://fonghsiang[.]com[.]sg/
Path: /

Issue Description:
If you view the page source of the website in a safe manner, you will be able to see that the page has been injected with malicious HTML code as shown below.

Image 7 : Injected html codes

For the 6th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://hychem-ap[.]com[.]sg
Path: /

Issue Description:
If you view the page source of the website in a safe manner, you will be able to see that the page has been injected with malicious HTML code as shown below. It’s the same as the 5th website.

Image 8 : Injected html codes

For the 7th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://actinium[.]sg/
Path: /

Issue Description:
If you view the page source of the website in a safe manner, you will be able to see that the page has been injected with malicious HTML code as shown below. It’s the same as the 5th website.

Image 9 : Injected html codes

Based on personal experience, I can straight away recognise that all of these are ExploitKit injections.
Visitors to these website(s) will be exposed to the exploits served by this ExploitKit immediately.
The IP address of both h–p://fonghsiang[.]com[.]sg/ & h–p://hychem-ap[.]com[.]sg is currently 203.142.25.182, and h–p://actinium[.]sg/ is currently at 202.157.153.5.

Both 203.142.25.182 & 202.157.153.5 currently belong to Webvisions Pte Ltd, which is a .SG web hosting company.
The impact of these domains is that innocent visitors with no protection could become the next victims if both the malicious scripts and the C2 are still working.
This is a “REMINDER” to everyone not to trust a “site” by its cover and always exercise caution. Attacker(s) are always thinking of new ways to trojanise victim(s).
The attacker(s) here were clever to hide the malicious code the way they did, because they can easily trick victim(s) who might think that the site(s) are “already expired” or “suspended” by the hosting provider.
But in reality, that’s not the case.
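For the 2nd to 7th websites the post relies on reading the page source "in a safe manner" and decoding the script by hand rather than running it. The following added example (my own code, not from the post or any of the sites) does that statically: it finds <script> blocks carrying common obfuscation calls, rewrites unescape('%xx') and String.fromCharCode() literals into plain text without any JavaScript engine, reports whether the block sits after </html> (the "bottom of the page" placement described above), extracts any URL the decoded text points at so it can be checked against VirusTotal, and also flags hidden blocks of spam links like the ones on the 3rd website. The sample page and the .invalid hostnames are constructed; the heuristics are assumptions, not a signature for the actual injections.

```python
import re

# Static scanner for injected page content (added example; heuristics are
# my own assumptions). Decoding is pure string rewriting: nothing from the
# page is ever executed.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HIDDEN_DIV_RE = re.compile(
    r"<div\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>(.*?)</div>",
    re.I | re.S)
HREF_RE = re.compile(r"href\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")


def static_decode(js):
    """Rewrite unescape('%xx' / '%uXXXX') and String.fromCharCode(n,...)
    literals into the text they produce. No JS is evaluated."""
    def unesc(m):
        s = m.group(1)
        s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda h: chr(int(h.group(1), 16)), s)
        s = re.sub(r"%([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), s)
        return s
    js = re.sub(r"unescape\(\s*[\"']([^\"']*)[\"']\s*\)", unesc, js)
    js = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")), js)
    return js


def scan_page_source(html):
    """Return a list of findings (dicts) for obfuscated scripts and hidden
    link blocks; an empty list means the heuristics saw nothing."""
    findings = []
    html_end = html.lower().rfind("</html>")
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        hits = [k for k in OBFUSCATION_MARKERS if k in body]
        if not hits:
            continue
        decoded = static_decode(body)
        findings.append({
            "kind": "obfuscated_script",
            "after_html_close": html_end != -1 and m.start() > html_end,
            "markers": hits,
            "urls": URL_RE.findall(decoded),   # what the decoded code points at
        })
    for m in HIDDEN_DIV_RE.finditer(html):
        links = HREF_RE.findall(m.group(1))
        if len(links) >= 3:                    # a hidden cluster of links = SEO spam injection
            findings.append({"kind": "hidden_link_block", "urls": links})
    return findings


def _pct(s):
    """Percent-encode text the way unescape() expects (for the sample only)."""
    return "".join("%%%02x" % ord(c) for c in s)


# Constructed sample: a "parked" page with a hidden link block and an
# obfuscated redirect appended after </html>. All hostnames are placeholders.
CONSTRUCTED_PAGE = (
    "<html><head><title>Domain parked</title></head>\n"
    "<body><p>This domain is parked.</p>\n"
    '<div style="display:none">'
    '<a href="http://spam1.invalid/">a</a> <a href="http://spam2.invalid/">b</a> '
    '<a href="http://spam3.invalid/">c</a></div>\n'
    "</body></html>\n"
    "<script>eval(unescape('" + _pct('location.href="http://landing.invalid/";') + "'))</script>\n"
)

if __name__ == "__main__":
    for finding in scan_page_source(CONSTRUCTED_PAGE):
        print(finding)
```

Feed it the raw HTML fetched with a non-browser client (curl, or a scripted fetch from an isolated machine), never a rendered page, so the injected script is inspected rather than executed. The URLs in the findings are the values worth submitting to VirusTotal or a URL reputation service, as the post does for the 2nd website.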

Happy Reversing
Jacob Soo
