2014-09-12 - NUCLEAR EK SENDS SILVERLIGHT EXPLOIT

ASSOCIATED FILES:

NOTES:

PREVIOUS BLOG ENTRIES ON NUCLEAR EK FROM (WHAT I ASSUME IS) THIS SAME ACTOR:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

NUCLEAR EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-12-Nuclear-EK-flash-exploit.swf
File size:  5.7 KB ( 5818 bytes )
MD5 hash:  7944c40f927a0f51b49783f5859138e8
Detection ratio:  2 / 53
First submission:  2014-09-12 12:41:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7d39aa13f1463fd1d7be17a2ba0aa212ab95f76b6eaaaf1442c22c50ca84eee5/analysis/

 

PDF EXPLOIT:

File name:  2014-09-12-Nuclear-EK-pdf-exploit.pdf
File size:  9.7 KB ( 9970 bytes )
MD5 hash:  b8a7e7125298fb722a6f8837f1563fec
Detection ratio:  1 / 53
First submission:  2014-09-12 14:18:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/373523e0cff2e6f13fcf548dd089aed0e6267be98dccff79ef2f2f6aa2e55d9a/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2014-09-12-Nuclear-EK-silverlight-exploit.xap
File size:  8.1 KB ( 8283 bytes )
MD5 hash:  d106b3298ea33fdf8fe12c5aab321b4d
Detection ratio:  1 / 55
First submission:  2014-09-12 14:19:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/409c93d0363a10c28bd3652eb3ae0e95fad74532126243f58e2e01856179ea8b/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-12-Nuclear-EK-malware-payload.exe
File size:  324.0 KB ( 331776 bytes )
MD5 hash:  3e98af224acfc0654835f22b2fa55d9b
Detection ratio:  3 / 55
First submission:  2014-09-12 14:19:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d8a19f7f456554b8093cf84df9544ae8bf8b991b9da7ec959636e31918b55181/analysis/
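The four metadata blocks above give everything needed to match a captured sample against this post's indicators: the byte count, the MD5, and (inside the VirusTotal URL) the SHA256. The following script is an added example, not code from the blog: it parses those blocks (copied verbatim into the script so it runs offline), normalizes them into IoC records, and checks a sample by size first, then by both hashes. It also flags the case where only one of the two hashes matches, which on a hand-transcribed indicator list usually means a copy error rather than a hit. The function names and the low-detection threshold are my own choices.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# The metadata blocks from this post, copied verbatim so the example runs offline.
PAGE_BLOCKS = """
FLASH EXPLOIT:

File name:  2014-09-12-Nuclear-EK-flash-exploit.swf
File size:  5.7 KB ( 5818 bytes )
MD5 hash:  7944c40f927a0f51b49783f5859138e8
Detection ratio:  2 / 53
First submission:  2014-09-12 12:41:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7d39aa13f1463fd1d7be17a2ba0aa212ab95f76b6eaaaf1442c22c50ca84eee5/analysis/

PDF EXPLOIT:

File name:  2014-09-12-Nuclear-EK-pdf-exploit.pdf
File size:  9.7 KB ( 9970 bytes )
MD5 hash:  b8a7e7125298fb722a6f8837f1563fec
Detection ratio:  1 / 53
First submission:  2014-09-12 14:18:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/373523e0cff2e6f13fcf548dd089aed0e6267be98dccff79ef2f2f6aa2e55d9a/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-09-12-Nuclear-EK-silverlight-exploit.xap
File size:  8.1 KB ( 8283 bytes )
MD5 hash:  d106b3298ea33fdf8fe12c5aab321b4d
Detection ratio:  1 / 55
First submission:  2014-09-12 14:19:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/409c93d0363a10c28bd3652eb3ae0e95fad74532126243f58e2e01856179ea8b/analysis/

MALWARE PAYLOAD:

File name:  2014-09-12-Nuclear-EK-malware-payload.exe
File size:  324.0 KB ( 331776 bytes )
MD5 hash:  3e98af224acfc0654835f22b2fa55d9b
Detection ratio:  3 / 55
First submission:  2014-09-12 14:19:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d8a19f7f456554b8093cf84df9544ae8bf8b991b9da7ec959636e31918b55181/analysis/
"""

SIZE_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")
RATIO_RE = re.compile(r"(\d+)\s*/\s*(\d+)")
VT_RE = re.compile(r"virustotal\.com/en/file/([0-9a-fA-F]{64})/")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class Ioc:
    label: str
    file_name: str
    size: int
    md5: str
    sha256: str
    detections: int
    engines: int


def _to_ioc(label: str, f: dict) -> Ioc:
    """Normalize one block's 'Key: value' fields; reject malformed hashes early."""
    md5 = f["MD5 hash"].lower()
    if not MD5_RE.match(md5):
        raise ValueError(f"{label}: malformed MD5 {md5!r}")
    size = int(SIZE_RE.search(f["File size"]).group(1))
    sha256 = VT_RE.search(f["VirusTotal link"]).group(1).lower()
    det, eng = (int(x) for x in RATIO_RE.search(f["Detection ratio"]).groups())
    return Ioc(label, f["File name"], size, md5, sha256, det, eng)


def parse_blocks(text: str) -> list:
    """An upper-case line ending in ':' starts a block; 'Key:  value' lines fill it."""
    records, label, fields = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1].isupper():
            if label is not None and "File name" in fields:
                records.append(_to_ioc(label, fields))
            label, fields = line[:-1], {}
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if label is not None and "File name" in fields:
        records.append(_to_ioc(label, fields))
    return records


def match_sample(data: bytes, iocs) -> Optional[Ioc]:
    """Return the IoC a sample matches, or None. Size filters first, so hashing
    only happens for plausible candidates. A one-hash-only match is treated as
    an error: on a transcribed list that is almost always a copy mistake."""
    candidates = [i for i in iocs if i.size == len(data)]
    if not candidates:
        return None
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    for ioc in candidates:
        hits = (ioc.md5 == md5, ioc.sha256 == sha256)
        if all(hits):
            return ioc
        if any(hits):
            raise ValueError(f"{ioc.label}: only one hash matches; check the IoC list")
    return None


def low_detection(iocs, threshold: float = 0.1) -> list:
    """IoCs whose VT ratio at submission time was below the threshold; every
    file in this post qualifies, which is why hash matching matters here."""
    return [i for i in iocs if i.detections / i.engines < threshold]


IOCS = parse_blocks(PAGE_BLOCKS)

if __name__ == "__main__":
    for ioc in low_detection(IOCS):
        print(f"{ioc.label:<20} {ioc.detections}/{ioc.engines}  {ioc.file_name}")
```

To check a file from a capture, read it as bytes and pass it to `match_sample(data, IOCS)`; a `None` result only means the sample is not one of these four files, not that it is clean.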

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


SCREENSHOTS FROM THE TRAFFIC

Malicious iframe in javascript file from compromised website:


Redirect pointing to Nuclear EK:


Nuclear EK delivers Silverlight exploit. I cannot remember seeing a Silverlight exploit from Nuclear EK before:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.