Fake Skype Vouchers website leads to Java Exploits

I stumbled upon a fake website that targets Skype users through vouchers or gift certificates. Below is the definition of Skype vouchers from their website:

Skype vouchers are electronic Skype Credit vouchers sold in various retail outlets. You don’t have to pay for the vouchers online and they make a great gift for family and friends so that you can keep in touch through Skype.

Vouchers are sometimes included with Skype accessories, or as part of a promotion.

Let's have a look of what is inside the said fake page:

[caption id="attachment_514" align="aligncenter" width="300" caption="Figure 1: Source of the fake website"][/caption]

Figure 1 shows the misleading title. You can also see a hidden iframe connecting to a different website.

Following the hidden iframe, we will now get an obfuscated script.

[caption id="attachment_512" align="aligncenter" width="300" caption="Figure 2: Obfuscated script"][/caption]

Some variables are highlighted in Figure 2. These variables will eventually become a window.eval() function when the script is executed. Now, let us modify the script in order for our script emulator to capture the result of the eval() function:

[caption id="attachment_510" align="aligncenter" width="300" caption="Figure 3: Modification part 1"][/caption]

Figure 3 shows that we need to remove some "if-statements" to make sure that our script will execute. You will also notice that one if-statement checks for the current year. The script will not run properly if it was not satisfied. In addition, proper deobfuscation of the script also depends on the value of the integer in the year check. We will tackle more about this in a while. For now, let's just deobfuscate this script.

[caption id="attachment_511" align="aligncenter" width="300" caption="Figure 4: Modification part 2"][/caption]

Figure 4 shows which variable will become the eval() function. After the modifications, execute the script and then dump the eval result. Figure 5 below will show you the result.

[caption id="attachment_513" align="aligncenter" width="300" caption="Figure 5: Deobfuscated script code"][/caption]

Now, you will see another set of hidden iframes that connect to another site. The said site will now load 2 malicious Java files:

[caption id="attachment_515" align="aligncenter" width="300" caption="Figure 6: Load Java applets"][/caption]

Sample 1: Java Exploit
MD5 hash: d3f933524c85c96a76f7ffd516d335c0
Virus Total scan result available here

Sample 2: Java Exploit
MD5 hash: 58db6e6e25d9b8e4742f2ef9b43c3818
Virus Total scan result available here

These Java files exploit the following vulnerability:

CVE-2011-3544 - Oracle Java Applet Rhino Script Engine Remote Code Execution

Going back to the date check and value change, Figure 7 shows that we changed the integer value from "012" to "011".

[caption id="attachment_524" align="aligncenter" width="300" caption="Figure 7: Integer value modification"][/caption]

Now, let's dump the result to a file.

[caption id="attachment_521" align="aligncenter" width="300" caption="Figure 8: Result of the wrong value"][/caption]

You can see in Figure 8 that the result is now just a bunch of non-readable strings.

Source:
malwaredomainlist


References:
Skype
Virustotal
cve.mitre.org
Sourceforge