2014-05-08 - NUCLEAR EK - 2 EXAMPLES STARTED BY SAME AD URL - JAVA EXPLOIT CHANGING DAILY

ASSOCIATED FILES:

NOTES:


CHAIN OF EVENTS

NOTE: The flow is: redirect chain, Nuclear EK, callback traffic, start of click-fraud traffic

NUCLEAR EK TRAFFIC - WEDNESDAY 2014-05-07:


NUCLEAR EK TRAFFIC - THURSDAY 2014-05-08:


PRELIMINARY MALWARE ANALYSIS

MALWARE FROM WEDNESDAY 2014-05-07:

MALWARE FROM THURSDAY 2014-05-08:


Note the changes in Java exploits from one day to the next:


More info on the malware payloads:


SNORT EVENTS

SNORT EVENTS FOR THE TRAFFIC ON THURSDAY 2014-05-08 (from Sguil on Security Onion)


HIGHLIGHTS FROM 2014-05-08 TRAFFIC

asrv-a.akamaihd.net - GET /sd/apps/fusionx/0.0.4.html?aff=1800-1005


asrv-a.akamaihd.net - GET /sd/apps/fusionx/0.0.4.js   --   obfuscated javascript points to ad.convfunnel.com


ad.convfunnel.com - GET /fusionx/www/delivery/afr.php?zoneid=1746&cb=20286809962   --   iframe points to dialectical.northshoreiceco.net


dialectical.northshoreiceco.net - GET /js/1.8.3/jquery.min.js?ver=3.70.3907   --   another iframe points to Nuclear EK domain


Nuclear EK sends Java exploit:


Nuclear EK Java exploit gets malware payload:
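The redirect chain above (ad server, ad network, compromised site with a fake jquery.min.js, Nuclear EK landing page, Java exploit) is the kind of thing an analyst wants to pull out of proxy logs automatically, especially when, as in this write-up, two infections trace back to the same ad URL. The script below is an added example and not part of the original write-up or any tool it mentions. It walks Referer headers backwards from the Java exploit request to reconstruct each chain and then groups chains by their root URL. The request records are constructed from the hosts and URIs listed on this page; the Nuclear EK hostnames and paths are placeholders (the write-up does not name them), and the Referer values are assumed.

```python
"""Reconstruct HTTP redirect chains leading to an exploit kit from request logs.

Added example, not from the original write-up. Records are constructed from the
hosts/URIs on the page; EK hostnames and exploit paths are placeholders.
"""
from collections import defaultdict
from urllib.parse import urlsplit

AD_URL = "http://asrv-a.akamaihd.net/sd/apps/fusionx/0.0.4.html?aff=1800-1005"
CONVFUNNEL = "http://ad.convfunnel.com/fusionx/www/delivery/afr.php?zoneid=1746&cb=20286809962"
COMPROMISED = "http://dialectical.northshoreiceco.net/js/1.8.3/jquery.min.js?ver=3.70.3907"

# Constructed records: (session, host, uri, referer). Two victims, same ad URL.
RECORDS = [
    ("victim-1", "asrv-a.akamaihd.net", "/sd/apps/fusionx/0.0.4.html?aff=1800-1005", ""),
    ("victim-1", "asrv-a.akamaihd.net", "/sd/apps/fusionx/0.0.4.js", AD_URL),
    ("victim-1", "ad.convfunnel.com", "/fusionx/www/delivery/afr.php?zoneid=1746&cb=20286809962", AD_URL),
    ("victim-1", "dialectical.northshoreiceco.net", "/js/1.8.3/jquery.min.js?ver=3.70.3907", CONVFUNNEL),
    ("victim-1", "ek-landing-1.example", "/landing-placeholder", COMPROMISED),  # placeholder EK host
    ("victim-1", "ek-landing-1.example", "/exploit-placeholder.jar", "http://ek-landing-1.example/landing-placeholder"),
    ("victim-2", "asrv-a.akamaihd.net", "/sd/apps/fusionx/0.0.4.html?aff=1800-1005", ""),
    ("victim-2", "ad.convfunnel.com", "/fusionx/www/delivery/afr.php?zoneid=1746&cb=20286809962", AD_URL),
    ("victim-2", "dialectical.northshoreiceco.net", "/js/1.8.3/jquery.min.js?ver=3.70.3907", CONVFUNNEL),
    ("victim-2", "ek-landing-2.example", "/landing-placeholder", COMPROMISED),  # placeholder EK host
    ("victim-2", "ek-landing-2.example", "/exploit-placeholder.jar", "http://ek-landing-2.example/landing-placeholder"),
]


def full_url(host, uri):
    """Join host and request URI the way a Referer header would carry them."""
    return "http://" + host + uri


def chain_to(records, session, leaf_url):
    """Walk Referer headers backwards from leaf_url within one session.

    Returns URLs ordered from the root (first request whose referer is empty or
    never seen in the session) down to the leaf. A seen-set stops referer loops,
    which otherwise make this walk spin forever on malformed logs.
    """
    referer_of = {full_url(h, u): r for (s, h, u, r) in records if s == session}
    chain, seen, cur = [], set(), leaf_url
    while cur in referer_of and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = referer_of[cur]
    chain.reverse()
    return chain


def exploit_chains(records, leaf_suffix=".jar"):
    """Map each session to the chain that led to its Java exploit request."""
    out = {}
    for (s, h, u, r) in records:
        if urlsplit(u).path.endswith(leaf_suffix):
            out[s] = chain_to(records, s, full_url(h, u))
    return out


def group_by_root(chains):
    """Group sessions by the root URL of their chain (the originating ad URL)."""
    roots = defaultdict(list)
    for session, chain in chains.items():
        if chain:
            roots[chain[0]].append(session)
    return dict(roots)


def hosts(chain):
    """Reduce a URL chain to its hostnames for quick reading."""
    return [urlsplit(u).netloc for u in chain]


if __name__ == "__main__":
    chains = exploit_chains(RECORDS)
    for session, chain in chains.items():
        print(session, "->", " -> ".join(hosts(chain)))
    for root, sessions in group_by_root(chains).items():
        print("root ad URL", root, "seen in", sessions)
```

Grouping on the root URL is what surfaces the "same ad URL" pattern in the title: the EK hostnames and the exploit change day to day, but the ad-server entry point is stable and makes a better pivot for searching the rest of the proxy logs.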


Asprox-style callback for more malware:


Callback traffic that triggered alerts for Zbot.hmcm Checkin and Asprox.ClickFraudBot POST CnC Beacon:


FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
