April 6, 2015

Over-indulgence in the Easter Eggsploit Kit

Jose Barajas

Photography by User: MrX
Photography by User: MrX


As Peter Cottontail went hippity-hoppin’ down the bunny trail this past Easter weekend, he found it strewn with a different kind of Easter egg: the Fiesta exploit kit, hidden in insidious fashion among the downloadable coloring pages at a popular freeware site for children and their parents.

A Bad Egg

Uniquecoloringpages[.]com offers exactly that – coloring pages for kids, many featuring themes from popular culture ranging from Despicable Me to Star Wars. 

Ironically, the downloadable coloring page offered by the "Easter Bunny Coloring Pages and Book" depicts a genteel, smiling bunny with an armload of Easter eggs. This ovoid bouquet, however, is definitely rotten, and it all starts off with an injected iFrame. At the time of publication of this blog, the website in question was still believed to be infected.

Fiesta EK: Party Crasher

The attack follows the typical seven stage kill chain as shown below:

Compromised page hosting malicious iFrame

RECON - Occurred before the website was compromised.

LURE - An injected iFrame was used to redirect users to hxxp://yqbozasv[.]hopto[.]org/wordpress/?bf7N&utm_source=le.


Exploit content delivery

REDIRECTION - A "302 Moved Temporarily" redirection is used by the iFrame target. This points users to the Fiesta Exploit Kit located at hxxp://yqbozasv[.]hopto[.]org/8u5_cb06/?2.


EXPLOIT KIT - The exploit kit uses JavaScript obfuscation to hide the software enumeration and available exploits. One interesting feature to note is the use of random paragraphs and sentences, which seem to be translator-generated-based or pure gibberish.  

Exploit Kit

De-obfuscation reveals the targeted and available exploits. The figure below shows a reference to flash object generation. Analysis revealed that it contains many different types of exploits including those targeting Java, Adobe Flash, Adobe Acrobat, and Silverlight. Java and Flash are passed an obfuscated parameter that was observed to be de-obfuscated in the Flash's ActionScript.


EXPLOIT  - In our use case, the file Flash file cdonwxy478.swf was deployed which leverages CVE-2014-8440 and initiated the download of a binary executable.

Behavior of the dropped executable

DROPPER - Websense® file sandboxing saw that the dropped executable established a communication channel with b14-mini[.]ru. 



CALL HOME - Based on C&C communication observed, we have determined that the malware family being dropped in this instance is Kovter. Previously distributed via other exploit kits, it appears that compromised websites injected with redirection to the Fiesta EK  are now distributing this malware, which is a high severity threat. 


Websense customers were protected at the time of compromise via real-time analytics targeting iFrame-injected compromised websites. Additional protection has now been added within ACE, the Websense Advanced Classification Engine, at the different stages of the attack detailed below: 

  • Stage 2 (Lure) – ACE has protection against websites injected with malicious content.
  • Stage 4 (Exploit Kit) – ACE has protection against the Fiesta Exploit Kit and exploit delivery content via real-time analytics.
  • Stage 5 (Dropper) – ACE file sandboxing identifies Kovter malware as malicious.
  • Stage 6 (Call Home) – ACE has detection for command and control traffic known to be associated with Kovter. 

’Tis the Season: Beware Freeware

Attack vectors hidden among downloadable freebies provide an easy method to disseminate malware. The bad actor merely plants his flag and waits as potential victims actively seek out material.

Seasonal holidays, in particular, offer malefactors a passive but target-rich opportunity. Supply and demand in this case are well served by a limited time frame: As the date of the event nears, interest surrounding associated paraphernalia grows. Targeted victims reward the malicious actor with a surge of interest and in the process, get infected. Websense customers should ensure that analytics are configured to auto-update in real time in Websense products. While browsing leisure sites is an acceptable practice at businesses, Websense customers must also ensure that systems are patched regularly, since we have seen older exploits being used in attacks time and again. In addition, end user education goes a long way in reducing the risk associated with attacks, while we at Websense Security Labs™ continue to keep an eye out for attacks on behalf of our customers. 


Contributors: Tamas Rudnai, Jose Barajas, Cristina Houle, Rajiv Motwani with input from Nicholas Griffin

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.