Hierarchy Exploit Pack. New crimeware for the cybercriminal gangs
The term "hierarchy" refers to an entity pyramidal action. Judging by the name of this new Exploit Pack of Russian origin, it seems that the author seeks to find its place within the criminal ecosystem, but all point to the feelings behind this is, above all, a beginner who seeks criminal more.
However, despite being a package of more criminal exploitation within a vast range of alternatives, it remains a real risk for any information system. Even considering that Hierarchy Exploit Pack criminal market reaches a stage where the circuit is ripe with a range of crimeware "vip" found not only among the list of "best crimeware" for criminals but also in the center of the storm-crime.
Under the nickname "Angelolog" hides its author. A nickname striking since according to their semantics, refers to "a branch of theology that deals with the study of angels". A rather obvious contradiction.
Under the nickname "Angelolog" hides its author. A nickname striking since according to their semantics, refers to "a branch of theology that deals with the study of angels". A rather obvious contradiction.
As usual, when an offender is "started in the business", does registering a domain that includes the same name as crimeware. Although clearly not the only domain that has been in the first instance. In this case, the data are as follows:
Владелец: Private Person
DNS-сервер: ns1.luckhost.kz.
DNS-сервер: ns2.luckhost.kz.
Телефон: +380933900884
E-mail: angelolog@mail.ru
Состояние: REGISTERED, DELEGATED, VERIFIED
Регистратор: REGRU-REG-RIPN
Создан: 2011.03.01
Оплачен до: 2012.03.01
The AS6876 (TENET-AS TeNeT Autonomous System TeNeT Telecommunication Company) found in Ukraine, isn't classified as malicious which suggests that "angelolog", a spammer menial, does not take long in the area of crime.
While at first glance the design of the control panel is similar to the old Siberia Exploit Pack, it's actually a modification of Eleonore Exploit Pack. The evidence is very clear.
Hierarchy Exploit Pack contains the following exploits:
Office OCX
OpenWebFile Office OCX OpenWebFile arbitrary program execution BID-33243
MDAC
Arbitrary file download via the Microsoft Data Access Components (MDAC) CVE-2006-0003
AppStream LaunchObj
Symantec AppStream LaunchObj ActiveX control vulnerable to arbitrary code download and execution CVE-2008-4388
Hummingbird PerformUpdateAsync
Hummingbird Deployment Wizard ActiveX Control Insecure Methods (PerformUpdateAsync) CVE-2008-4728
Peachtree ExecutePreferredApplication
Peachtree insecure ExecutePreferredApplication method allows the execution of arbitrary programs CVE-2008-4699
C6 propDownloadUrl
C6 Messenger insecure method propDownloadUrl allows the execution of arbitrary programs CVE-2008-2551
Adobe getIcon
Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object CVE-2009-0927
Adobe Libtiff
Libtiff integer overflow in Adobe Reader and Acrobat CVE-2010-0188
HPC URL
Help Center URL Validation Vulnerability CVE-2010-1885
IE iepeers.dll
Internet Explorer iepeers.dll use-after-free CVE-2010-0806
Sun Java Runtime RMIConnectionImpl
Privileged Context Remote Code Execution Vulnerability CVE-2010-0094
Sun Java Runtime Environment MixerSequencer
Invalid Array Index Remote Code Execution Vulnerability CVE-2010-0842
AFP Server Mac OS X v10.6.5
Remote attacker AFP Server to unexpectedly shutdown CVE-2010-1297
Sun Java Web Start BasicServiceImpl
Remote Code Execution Vulnerability CVE-2010-3563
Adobe Flash Player 10.2.153.1
SWF Memory Corruption Vulnerability CVE-2011-0611
Oracle Java SE
Rhino Script Engine Remote Code Execution Vulnerability CVE-2011-3544
It also incorporates the following malware:
payload.ser [F6795195968795C535EF6932A843E969] – 16/42
Exploit$1.class [625B6B915327D352E437B34D85FB67E2] – 1/44
Exploit$1.class [DD49FADD9372CBDEF709BB9F0B1105C7] – 2/43
Link.class [3013C223A80371BCA0798E1C21683305] – 11/44
Exploit.class [77E8E1CFCC6F0894015D8CA271BBBEF5] – 12/43
BasicServiceExploit.class [A63C9DB17FE7F60370B4FFD659B61B36] – 3/43
Exploit$1$1.class [21F2312A9D50F72810E242F72E751243] – 1/43
swf.swf [6EFD1CE8DC61C68BAD3B85A949709DD2] – 24/43
Exploit$.class [452CD049CE83E72F5C642F7457F4AA93] – 2/43
Gallery_Viewer.class [03497E41A5A5A6A6F92E2950AA087C06] – 8/44
Exploit.class [334EC1071B85D52A3DA4223ED7DC6D74] – 4/43
PayloadClassLoader.class [8563342ADD46F7EADC8745BB10267B2A] – 14/43
Gallery_Viewer.jar [1C73218F0CAF238400EB86E635862279] – 13/43
Gallery_Viewer.jar [2C4DF43924D237B56DB4096E6AF524B1] – 13/43
1.txt [CF7A4C337F3DA524350AC794B589F804] – 8/43
pdf.pdf [60CADBD724A6BF0527B5E731492D8A0F] – 16/43
Exploit.jar [69767793D644D6060A060133A6014CB9] – 21/42
1.exe [8321D8B973CE649252DF9C560B875647] – 9/43
Payload.class [EEB9BA7FB4F752E1249E696B638D4732] - 13/43
Exploit.jar [19A512A3CCBA3FCDEAA5262E82F0DECE] - 26/43
pdf5.pdf [2AD31CABE2527C5F94B2C351F6529F17] - 9/43
pdf4.pdf [48C583A82A004EC1B17688215E173EFB] - 11/43
swf.swf [4666A447105B483533B2BBD0AB316480] - 19/43
bot.exe [7AB9E8AC261D2A49D87EF304ADE03BA3] – 26/43
Regarding the exploits offer presented by this crimeware, it seems it is a "salad of exploits" which leads to assume, considering also that is a mod that the author could be a "collector Exploit Pack", performing their own development (without effort) through a "grout" of exploits of old Exploits Packs which is easily available in most underground forums.
On the other hand, the level of detection in almost all cases is on average less than 50%, which represents a critical aspect of any information system. Thus, no matter it's a crimeware without much representation in the criminal environment without a lot of creativity and without effective exploitation rate for the offender, it remains a latent threat. Especially when experience shows that old exploits as MDAC described in CVE-2006-0003, have a strong impact even after nearly six years to fix the bug that was exploited.
On the other hand, the level of detection in almost all cases is on average less than 50%, which represents a critical aspect of any information system. Thus, no matter it's a crimeware without much representation in the criminal environment without a lot of creativity and without effective exploitation rate for the offender, it remains a latent threat. Especially when experience shows that old exploits as MDAC described in CVE-2006-0003, have a strong impact even after nearly six years to fix the bug that was exploited.
Related Information
Inside Phoenix Exploit’s Kit 2.8 mini version
Black Hole Exploit Kit 1.1.0 Inside
YES Exploit System as Crimeware-as-a-Service
BOMBA Botnet. New alternative crimeware fuel the economy criminal
State of the art in Eleonore Exploit Pack II
JustExploit. New Exploit kit that uses vulnerabilities in Java
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Alternatively crimeware to control botnets
Black Hole Exploit Kit 1.1.0 Inside
YES Exploit System as Crimeware-as-a-Service
BOMBA Botnet. New alternative crimeware fuel the economy criminal
State of the art in Eleonore Exploit Pack II
JustExploit. New Exploit kit that uses vulnerabilities in Java
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Alternatively crimeware to control botnets
Ale Cantis, Senior Crimeware Researcher
Cybercrime Research Team
Crimeware Working Group & CrimewareAttack Service | MalwareIntelligence
Ver más
Crimeware Working Group & CrimewareAttack Service | MalwareIntelligence