The malware domain was hosting an exploit for MS12-043, Microsoft XML Core Services (MSXML) Uninitialized Memory Corruption. More details can be read here: MS12-043. Unsurprisingly, the IP address of that domain was located in China, as shown below:
Our surprise did not end there. Since the exploit for this vulnerability was released last year, we were curious to see how the exploit code was structured. Tracing the exploit code turned out to be a sweet shock: the Chinese domain used the very same exploit code hosted in the Metasploit repository for this vulnerability. That raises the question: is it possible that Chinese malware authors simply deploy Metasploit exploits for an easy infection process? It could be. Whether the domain was compromised by Chinese actors or belonged to someone else is unknown. It is hard to say who hosted that malware, but the servers were clearly located in China.
The exploit for this vulnerability can be found in Metasploit here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb.
A simple comparison of one of the code snippets used on the malware domain with the legitimate Metasploit repository is shown below:
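As an added example, not from the original post, the Python below automates this kind of comparison: it tokenizes two scripts, maps local identifier names to a placeholder so renaming or minification cannot hide reuse, and scores token 4-gram overlap; the scripts it compares are constructed placeholders, not the exploit code.

```python
import re
from typing import List, Set, Tuple

# Constructed placeholder scripts, not the real exploit code. WILD_JS stands for a
# minified script captured from a malicious page, MSF_JS for the readable JavaScript
# a public framework module would emit: same logic, different identifier names.
WILD_JS = ('function a1(){var b2=document.createElement("div");b2.id="probe";'
           'document.body.appendChild(b2);return b2;}'
           'var c3=navigator.userAgent.toLowerCase();if(c3.indexOf("msie")!=-1){a1();}')
MSF_JS = """
function make_probe() {
  var el = document.createElement("div");   // constructed placeholder
  el.id = "probe";
  document.body.appendChild(el);
  return el;
}
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf("msie") != -1) { make_probe(); }
"""
OTHER_JS = "var count = 0; function tick() { count = count + 1; return count; }"

TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|\d+|[A-Za-z_$][\w$]*|[^\s\w$]')
IDENT_RE = re.compile(r'[A-Za-z_$][\w$]*')
KEYWORDS = {"function", "var", "return", "if", "else", "for", "while", "new", "this", "null", "true", "false"}
BUILTINS = {"document", "navigator", "window"}  # globals an obfuscator cannot rename

def tokenize(src: str) -> List[str]:
    """Drop comments, then split into string/number/identifier/punctuation tokens."""
    src = re.sub(r'//[^\n]*|/\*.*?\*/', '', src, flags=re.S)  # naive: cuts '//' inside strings too
    return TOKEN_RE.findall(src)

def normalize(tokens: List[str]) -> List[str]:
    """Map local identifiers to 'ID' so renaming cannot hide reuse; keep keywords,
    globals and property names (any token that follows a '.')."""
    out, prev = [], None
    for tok in tokens:
        local = IDENT_RE.fullmatch(tok) and tok not in KEYWORDS | BUILTINS and prev != "."
        out.append("ID" if local else tok)
        prev = tok
    return out

def shingles(tokens: List[str], k: int = 4) -> Set[Tuple[str, ...]]:
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def similarity(a: str, b: str, normalized: bool = True) -> float:
    """Jaccard overlap of token 4-grams: 1.0 means structurally identical code."""
    ta, tb = (normalize(tokenize(a)), normalize(tokenize(b))) if normalized else (tokenize(a), tokenize(b))
    sa, sb = shingles(ta), shingles(tb)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0
```

With the placeholders above, `similarity(WILD_JS, MSF_JS)` is 1.0 after normalization even though the raw text differs, while the unrelated script scores close to 0.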
The exploit code was used in conjunction with the JS code hosted here: http://js.users.51.la/15240615.js.
This script dynamically gathers information about the visitor and logs it for statistical purposes.
We recall that traces were detected earlier of the Phoenix exploit kit using one of the same exploits present in Metasploit. Refer: Gangsterware.
The conclusive points are:
- Metasploit provides neat exploits which are easy to deploy and use.
- The evidence shows that malware authors are using Metasploit exploits.
Well, reality bites!