Hierarchy Exploit Pack: New Crimeware for the Gangs

Thursday, May 31, 2012

Jorge Mieres


Ale Cantis, Senior Crimeware Researcher and CrimewareAttack Services team member at MalwareIntelligence, tells us about a new Exploit Pack that adds to the range of offerings within the cyber crime scene: Hierarchy.

The term "hierarchy" denotes a pyramidal structure of authority. Judging by the name of this new Exploit Pack of Russian origin, the author seems to be seeking a place within the criminal ecosystem, but all the evidence suggests that behind it is, above all, a beginner who aspires to be a criminal.

[image]

However, despite being one more criminal exploitation package among a vast range of alternatives, it remains a real risk for any information system, even considering that Hierarchy Exploit Pack reaches a criminal market at a stage where the circuit is already saturated with "vip" crimeware that not only tops the list of "best crimeware" for criminals but also sits at the center of the crime storm.

Its author hides behind the nickname "Angelolog". The nickname is striking since, semantically, it refers to "a branch of theology that deals with the study of angels". A rather obvious contradiction.

[image]

As usual, when an offender "gets started in the business", they do so by registering a domain that includes the same name as their crimeware, although this is clearly not the only domain that has been used in the first instance.

In this case, the data are as follows:

Домен: ANGELOLOG-HIERARCHY.RU
Владелец: Private Person
DNS-сервер: ns1.luckhost.kz.
DNS-сервер: ns2.luckhost.kz.
Телефон: +380933900884
E-mail: angelolog@mail.ru
Состояние: REGISTERED, DELEGATED, VERIFIED
Регистратор: REGRU-REG-RIPN
Создан: 2011.03.01
Оплачен до: 2012.03.01

[image]

AS6876 (TENET-AS TeNeT Autonomous System TeNeT Telecommunication Company), located in Ukraine, isn't classified as malicious, which suggests that "angelolog", a low-level spammer, has not been active long in the area of cyber crime.

[image]

While at first glance, the design of the control panel is similar to the old Siberia Exploit Pack, it's actually a modification of the Eleonore Exploit Pack. The evidence is very clear:

[image]

Its structure is similar:

[image]

Hierarchy Exploit Pack contains the following exploits:

Office OCX
  • OpenWebFile Office OCX OpenWebFile arbitrary program execution BID-33243

MDAC
  • Arbitrary file download via the Microsoft Data Access Components (MDAC) CVE-2006-0003

AppStream LaunchObj
  • Symantec AppStream LaunchObj ActiveX control vulnerable to arbitrary code download and execution CVE-2008-4388

Hummingbird PerformUpdateAsync
  • Hummingbird Deployment Wizard ActiveX Control Insecure Methods (PerformUpdateAsync) CVE-2008-4728

Peachtree ExecutePreferredApplication
  • Peachtree insecure ExecutePreferredApplication method allows the execution of arbitrary programs CVE-2008-4699

C6 propDownloadUrl
  • C6 Messenger insecure method propDownloadUrl allows the execution of arbitrary programs CVE-2008-2551

Adobe getIcon
  • Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object CVE-2009-0927

Adobe Libtiff
  • Libtiff integer overflow in Adobe Reader and Acrobat CVE-2010-0188

HPC URL

IE iepeers.dll

Sun Java Runtime RMIConnectionImpl
  • Privileged Context Remote Code Execution Vulnerability CVE-2010-0094

Sun Java Runtime Environment MixerSequencer
  • Invalid Array Index Remote Code Execution Vulnerability CVE-2010-0842

AFP Server Mac OS X v10.6.5
  • Remote attacker AFP Server to unexpectedly shutdown CVE-2010-1297

Sun Java Web Start BasicServiceImpl

Adobe Flash Player 10.2.153.1

Oracle Java SE
  • Rhino Script Engine Remote Code Execution Vulnerability CVE-2011-3544

It also incorporates the following malware (hash in brackets, followed by the antivirus detection ratio):

payload.ser [F6795195968795C535EF6932A843E969] – 16/42
Exploit$1.class [625B6B915327D352E437B34D85FB67E2] – 1/44
Exploit$1.class [DD49FADD9372CBDEF709BB9F0B1105C7] – 2/43
Link.class [3013C223A80371BCA0798E1C21683305] – 11/44
Exploit.class [77E8E1CFCC6F0894015D8CA271BBBEF5] – 12/43
BasicServiceExploit.class [A63C9DB17FE7F60370B4FFD659B61B36] – 3/43
Exploit$1$1.class [21F2312A9D50F72810E242F72E751243] – 1/43
swf.swf [6EFD1CE8DC61C68BAD3B85A949709DD2] – 24/43
Exploit$.class [452CD049CE83E72F5C642F7457F4AA93] – 2/43
Gallery_Viewer.class [03497E41A5A5A6A6F92E2950AA087C06] – 8/44
Exploit.class [334EC1071B85D52A3DA4223ED7DC6D74] – 4/43
PayloadClassLoader.class [8563342ADD46F7EADC8745BB10267B2A] – 14/43
Gallery_Viewer.jar [1C73218F0CAF238400EB86E635862279] – 13/43
Gallery_Viewer.jar [2C4DF43924D237B56DB4096E6AF524B1] – 13/43
1.txt [CF7A4C337F3DA524350AC794B589F804] – 8/43
pdf.pdf [60CADBD724A6BF0527B5E731492D8A0F] – 16/43
Exploit.jar [69767793D644D6060A060133A6014CB9] – 21/42
1.exe [8321D8B973CE649252DF9C560B875647] – 9/43
Payload.class [EEB9BA7FB4F752E1249E696B638D4732] – 13/43
Exploit.jar [19A512A3CCBA3FCDEAA5262E82F0DECE] – 26/43
pdf5.pdf [2AD31CABE2527C5F94B2C351F6529F17] – 9/43
pdf4.pdf [48C583A82A004EC1B17688215E173EFB] – 11/43
swf.swf [4666A447105B483533B2BBD0AB316480] – 19/43
bot.exe [7AB9E8AC261D2A49D87EF304ADE03BA3] – 26/43

Regarding the exploit offer presented by this crimeware, it looks like a "salad of exploits", which leads one to assume, considering also that it is a mod, that the author may have created a "collector Exploit Pack", doing their own development (without effort) by blending together old Exploit Packs that are easily available in most underground forums.

On the other hand, the level of detection in almost all cases averages less than 50%, which is a critical issue for any information system. Thus, even if it is crimeware with little presence in the criminal environment, without much creativity, and without an effective exploitation rate for the offender, it remains a latent threat.
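To turn the listing above into something a defender can actually work with, here is an added Python example (not code from the original post or from MalwareIntelligence). It parses lines in the post's own "filename [hash] – detected/engines" layout, accepting both the en-dash and the plain hyphen that appear in the list, normalises the 32-hex-character hashes to lowercase, checks the sub-50% detection observation, flags file names that appear with more than one hash (the name alone cannot serve as an indicator; the hash can), and harvests CVE/BID identifiers from the exploit list so they can be checked against a patch baseline. The hash listing is the post's own table; the exploit excerpt is a constructed fragment of the post's exploit list; all function names are my own.

```python
import re
from collections import defaultdict
from statistics import mean

# The post's own hash listing, in its "filename [hash] – detected/engines" layout
# (the post mixes en-dashes and hyphens, so the parser accepts both).
SAMPLE_LISTING = """\
payload.ser [F6795195968795C535EF6932A843E969] – 16/42
Exploit$1.class [625B6B915327D352E437B34D85FB67E2] – 1/44
Exploit$1.class [DD49FADD9372CBDEF709BB9F0B1105C7] – 2/43
Link.class [3013C223A80371BCA0798E1C21683305] – 11/44
Exploit.class [77E8E1CFCC6F0894015D8CA271BBBEF5] – 12/43
BasicServiceExploit.class [A63C9DB17FE7F60370B4FFD659B61B36] – 3/43
Exploit$1$1.class [21F2312A9D50F72810E242F72E751243] – 1/43
swf.swf [6EFD1CE8DC61C68BAD3B85A949709DD2] – 24/43
Exploit$.class [452CD049CE83E72F5C642F7457F4AA93] – 2/43
Gallery_Viewer.class [03497E41A5A5A6A6F92E2950AA087C06] – 8/44
Exploit.class [334EC1071B85D52A3DA4223ED7DC6D74] – 4/43
PayloadClassLoader.class [8563342ADD46F7EADC8745BB10267B2A] – 14/43
Gallery_Viewer.jar [1C73218F0CAF238400EB86E635862279] – 13/43
Gallery_Viewer.jar [2C4DF43924D237B56DB4096E6AF524B1] – 13/43
1.txt [CF7A4C337F3DA524350AC794B589F804] – 8/43
pdf.pdf [60CADBD724A6BF0527B5E731492D8A0F] – 16/43
Exploit.jar [69767793D644D6060A060133A6014CB9] – 21/42
1.exe [8321D8B973CE649252DF9C560B875647] – 9/43
Payload.class [EEB9BA7FB4F752E1249E696B638D4732] - 13/43
Exploit.jar [19A512A3CCBA3FCDEAA5262E82F0DECE] - 26/43
pdf5.pdf [2AD31CABE2527C5F94B2C351F6529F17] - 9/43
pdf4.pdf [48C583A82A004EC1B17688215E173EFB] - 11/43
swf.swf [4666A447105B483533B2BBD0AB316480] - 19/43
bot.exe [7AB9E8AC261D2A49D87EF304ADE03BA3] – 26/43
"""

# Constructed excerpt of the post's exploit list, used only to harvest CVE/BID ids.
SAMPLE_EXPLOIT_TEXT = """\
  • OpenWebFile Office OCX OpenWebFile arbitrary program execution BID-33243
  • Arbitrary file download via the Microsoft Data Access Components (MDAC) CVE-2006-0003
  • Rhino Script Engine Remote Code Execution Vulnerability CVE-2011-3544
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\[(?P<md5>[0-9A-Fa-f]{32})\]\s+[–-]\s+(?P<hit>\d+)/(?P<total>\d+)$")
VULN_ID_RE = re.compile(r"\b(?:CVE-\d{4}-\d{4,}|BID-\d+)\b")


def parse_listing(text):
    """Parse 'name [hash] – hits/engines' lines; hashes are normalised to lowercase."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        hit, total = int(m["hit"]), int(m["total"])
        if total == 0 or hit > total:
            raise ValueError(f"bad detection ratio in: {line!r}")
        entries.append({"name": m["name"], "md5": m["md5"].lower(),
                        "detected": hit, "engines": total})
    return entries


def detection_stats(entries):
    """How many samples sit below 50% detection, and the mean ratio across all."""
    ratios = [e["detected"] / e["engines"] for e in entries]
    return {"samples": len(ratios),
            "below_half": sum(1 for r in ratios if r < 0.5),
            "mean_ratio": mean(ratios)}


def names_with_multiple_hashes(entries):
    """File names seen with more than one hash: the hash, not the name, identifies a sample."""
    by_name = defaultdict(set)
    for e in entries:
        by_name[e["name"]].add(e["md5"])
    return {name: sorted(h) for name, h in by_name.items() if len(h) > 1}


def extract_vuln_ids(text):
    """Unique CVE and BID identifiers mentioned in free text, sorted."""
    return sorted(set(VULN_ID_RE.findall(text)))


def build_ioc_bundle(listing_text, exploit_text):
    """Machine-readable summary: hashes for a block-list, vuln ids to check patch state against."""
    entries = parse_listing(listing_text)
    return {"md5": sorted({e["md5"] for e in entries}),
            "vuln_ids": extract_vuln_ids(exploit_text),
            "stats": detection_stats(entries),
            "name_collisions": names_with_multiple_hashes(entries)}


if __name__ == "__main__":
    bundle = build_ioc_bundle(SAMPLE_LISTING, SAMPLE_EXPLOIT_TEXT)
    s = bundle["stats"]
    print(f"{s['samples']} samples, {s['below_half']} below 50% detection, "
          f"mean {s['mean_ratio']:.1%}")
    print("vulnerability ids:", ", ".join(bundle["vuln_ids"]))
    for name, hashes in bundle["name_collisions"].items():
        print(f"{name}: {len(hashes)} distinct hashes")
```

Run on the post's table this reports 24 samples, 20 of them below 50% detection with a mean of roughly 27%, and five file names (Exploit$1.class, Exploit.class, swf.swf, Gallery_Viewer.jar, Exploit.jar) that each appear with two different hashes, which is why a block-list built from this post should carry every hash rather than the file names.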

Especially when experience shows that old exploits, such as the MDAC one described in CVE-2006-0003, still have a strong impact nearly six years after the patch fixing the bug was released.
