2014-12-25 - NUCLEAR EK FROM WINDIGO GROUP - 67.215.1[.]162
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-12-25-Nuclear-EK-from-Windigo-group-traffic.pcap.zip 375.2 kB (375,198 bytes)
- 2014-12-25-Nuclear-EK-from-Windigo-group-malware.zip 132.1 kB (132,134 bytes)
NOTES:
- Working during the holidays and saw an Operation Windigo-style redirect generated by www.stars-hk[.]com.
- I infected a vulnerable VM by viewing www.stars-hk[.]com through a Google search.
- For more information about Operation Windigo, ESET published a report available here.
Shown above: Adultfriendfinder appeared after clicking on Google search result for www.stars-hk[.]com.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 59.188.3[.]145 - www.stars-hk[.]com - Compromised website
- 67.215.1[.]162 - v3n3j7hjo9n9azf0tie0hwx.alicisemsiye[.]com - Redirect
- 67.215.1[.]162 - v3n3j7hjo9n9azf0tie0hwx2199542d41c61787068de91c848581d49.alicisemsiye[.]com - Redirect
- 67.215.1[.]162 - gibdbnfgy8t3hglj5xzll7x.alicisemsiye[.]com - Nuclear EK
TRAFFIC:
- 21:02:19 UTC - www.stars-hk[.]com - GET /
- 21:02:21 UTC - v3n3j7hjo9n9azf0tie0hwx.alicisemsiye[.]com - GET /index.php?m=Yndta3Z4ZT16amR4a3JibWomdGltZT0xNDEyMjUyMDQ3MjI1NzcxMzIzOSZzcmM9MTk5JnN1cmw9d3d3LnN0YXJzLWhrLmNvbSZzcG9ydD04MCZrZXk9RTU4MUIyRUImc3VyaT0v
- 21:02:23 UTC - v3n3j7hjo9n9azf0tie0hwx2199542d41c61787068de91c848581d49.alicisemsiye[.]com - GET /get_gift.php
NUCLEAR EK:
- 21:02:26 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye[.]com - GET /H0FXBkgDT0U.html
- 21:02:29 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye[.]com - GET /AwoVG00BARYOVxlUDlRTBQsGQ0NVV1YOVFcAHAFFQEhUUkdLVQQCTxEeVA
- 21:02:30 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye[.]com - GET /ABsJAkhLAEUTGlQaQBlWAAMKQkZXVlRCGVYEBh1FQFRLV0ZQSQYCAwtHGg4gPh8z
- 21:02:35 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye[.]com - GET /ABsJAkhLAEUTGlQaQBlWAAMKQkZXVlRCGVYEBh1FQFRLV0ZQSQYCAwtHGg8_AgYJe0ZPRQ
- 21:02:36 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye[.]com - GET /AwoVG00BARYOVxlUDlRTBQsGQ0NVV1YOVFcAHAFFQEhUUkdLVQQCTwQbChMDAA
- 21:02:38 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye[.]com - GET /ABsJAkhLAEUTGlQaQBlWAAMKQkZXVlRCGVYEBh1FQFRLV0ZQSQYCAwtKGg4gPh8z
- 21:02:42 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye[.]com - GET /ABsJAkhLAEUTGlQaQBlWAAMKQkZXVlRCGVYEBh1FQFRLV0ZQSQYCAwtKGg8_AgYJe0ZPRQ
REDIRECT AFTER THE INFECTION TO ADULTFRIENDFINDER:
- 21:02:46 UTC - bzwyns6jjb3gbhlg7qlyxmp.escortbayancix[.]com - GET /get_ads.php?yy=1&aid=2&atr=exts&src=199
- 21:02:48 UTC - adultfriendfinder[.]com - GET /go/p1011105.subexts
- 21:02:49 UTC - adultfriendfinder[.]com - GET /go/page/landing_page_68?nid=14&layout=qna&pid=p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1
- 21:02:51 UTC - graphics.pop6[.]com - GET /javascript/live_cd/popunder_script-1400195675.js
- 21:02:51 UTC - graphics.pop6[.]com - GET /images/ffadult/css/header.css
- 21:02:51 UTC - graphics.pop6[.]com - GET /css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css
[and so on...]
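The redirect's index.php request above carries its parameters as one base64 string in m=. The following is an added example (not code from the original post) that decodes that parameter from the pcap URL, recovers the referring compromised site and the src id, and checks that the same src value appears in the later get_ads.php request; the two URLs are copied from the listing above and kept defanged, and the function names are my own.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Both URLs copied from the traffic listing above (defanged "[.]" left in place).
REDIRECT_URL = (
    "http://v3n3j7hjo9n9azf0tie0hwx.alicisemsiye[.]com/index.php?m="
    "Yndta3Z4ZT16amR4a3JibWomdGltZT0xNDEyMjUyMDQ3MjI1NzcxMzIzOSZzcm"
    "M9MTk5JnN1cmw9d3d3LnN0YXJzLWhrLmNvbSZzcG9ydD04MCZrZXk9RTU4MUIyRUImc3VyaT0v"
)
ADS_URL = ("http://bzwyns6jjb3gbhlg7qlyxmp.escortbayancix[.]com"
           "/get_ads.php?yy=1&aid=2&atr=exts&src=199")


def query_params(url):
    """Query string of a (possibly defanged) URL as a dict of single values."""
    query = urlsplit(url.replace("[.]", ".")).query
    return dict(parse_qsl(query, keep_blank_values=True))


def decode_m_param(url):
    """Base64-decode the 'm' parameter of the redirect URL and parse the
    key=value string inside it. Returns None if 'm' is absent or undecodable."""
    m = query_params(url).get("m")
    if not m:
        return None
    padded = m + "=" * (-len(m) % 4)            # proxy logs often drop '=' padding
    try:
        raw = base64.urlsafe_b64decode(padded)  # accepts standard and URL-safe alphabets
    except (binascii.Error, ValueError):
        return None
    return dict(parse_qsl(raw.decode("ascii", "replace"), keep_blank_values=True))


def referring_site(url):
    """The compromised site that sent the victim, taken from the decoded 'surl' field."""
    fields = decode_m_param(url)
    return fields.get("surl") if fields else None


def same_src_id(redirect_url, ads_url):
    """True when the decoded redirect and the later ad request carry the same 'src' id."""
    fields = decode_m_param(redirect_url)
    return bool(fields) and fields.get("src") == query_params(ads_url).get("src")


if __name__ == "__main__":
    print(decode_m_param(REDIRECT_URL))
    print(referring_site(REDIRECT_URL), same_src_id(REDIRECT_URL, ADS_URL))
```

Pivoting on the decoded surl and src values in proxy logs is a quick way to find other hosts that hit the same redirector from the same compromised site.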
MALWARE
- 2014-12-25-Nuclear-EK-flash-exploit.swf - Virus Total link
- 2014-12-25-Nuclear-EK-silverlight-exploit.xap - Virus Total link
- 2014-12-25-Nuclear-EK-payload-from-Windigo-group.exe (Glupteba) - Virus Total link