2015-02-05 - BIZCN GATE ACTOR CHANGES IP ADDRESS, DOMAIN NAMES, AND URL PATTERN FOR ITS GATE

ASSOCIATED FILES:


NOTES:


DOMAINS USED FOR THIS GATE

This month, we started seeing the gate hosted on the IP address 136.243.224.9.  The associated domains were registered on 2015-01-17 and 2015-01-29 (mostly on 2015-01-29).  Here's some passive DNS data on the new gate IP address:

As of today, we found 29 domains hosted on this IP address:


URL PATTERNS USED BY THIS GATE

Searching through some web proxy logs, we found the following redirect/gate traffic to 136.243.224.9:


TRAFFIC FROM AN INFECTED VM

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE:


REDIRECT/GATE ON 136.243.224.9:


FIESTA EK:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-02-05-Fiesta-EK-flash-exploit.swf
File size:  10.0 KB ( 10212 bytes )
MD5 hash:  c2ea28cb4d520b982e3a02f9655af53b
Detection ratio:  3 / 56
First submission:  2015-02-04 17:39:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/40fe5cdec1ebc23d6864c976ebb43889f6b86619d199f06022283c7a85443805/analysis/


JAVA EXPLOIT:

File name:  2015-02-05-Fiesta-EK-java-exploit.jar
File size:  7.8 KB ( 7999 bytes )
MD5 hash:  dfe8961737a28c4be84f93e80641fc08
Detection ratio:  8 / 56
First submission:  2015-02-03 21:12:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4a8f47b1b78d7ccdb7e5eef18adb4baffd05d902e576721d6d373380633ce16e/analysis/


PDF EXPLOIT:

File name:  2015-02-05-Fiesta-EK-pdf-exploit.pdf
File size:  8.1 KB ( 8301 bytes )
MD5 hash:  ac8c44f15af75f517d6f3400e880aee8
Detection ratio:  7 / 56
First submission:  2015-02-05 17:44:35 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9c26fb69b19761e2ab78d48eb70e4d80c19f139bc432a9b78aa873d264c45304/analysis/


SILVERLIGHT EXPLOIT:

File name:  2015-02-05-Fiesta-EK-silverlight-exploit.xap
File size:  10.3 KB ( 10499 bytes )
MD5 hash:  03ad60de3dd43ccca44dd112e2835c56
Detection ratio:  6 / 56
First submission:  2015-02-05 17:44:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5d0e0e150db0bff89f1e5a5f54d0e5dc3d7793a70979803206394d90af22258b/analysis/


MALWARE PAYLOAD:

File name:  2015-02-05-Fiesta-EK-malware-payload.exe
File size:  136.0 KB ( 139264 bytes )
MD5 hash:  1b64a13fac1d55083de54723b3e7b422
Detection ratio:  4 / 56
First submission:  2015-02-05 17:45:21 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c160f801d0173a5dd45db19e30dc28e909321cf8e75535ddfe1f29fa81d716bf/analysis/
Malwr link:  https://malwr.com/analysis/NmVjZjMxZjg0MzhlNGY3NWJjMGU2ZGZmNDBmNDhhNGI/
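As an added example (not part of the original write-up), the script below shows how a defender can use the indicators above: it pivots proxy logs on the gate IP the way the passive DNS step did, and labels captured objects by the MD5s listed. The log layout is assumed to be Squid's native access.log, and the log lines and hostnames are constructed placeholders (the page's real domain list and URL pattern are not reproduced).

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from this page: the gate IP and the MD5s of the Fiesta EK artefacts.
GATE_IP = "136.243.224.9"
KNOWN_MD5 = {
    "c2ea28cb4d520b982e3a02f9655af53b": "Fiesta EK Flash exploit",
    "dfe8961737a28c4be84f93e80641fc08": "Fiesta EK Java exploit",
    "ac8c44f15af75f517d6f3400e880aee8": "Fiesta EK PDF exploit",
    "03ad60de3dd43ccca44dd112e2835c56": "Fiesta EK Silverlight exploit",
    "1b64a13fac1d55083de54723b3e7b422": "Fiesta EK malware payload",
}

# Assumed Squid native access.log layout:
# time elapsed client status/code size method URL ident hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+\S+$"
)

# Constructed sample lines; hostnames use the reserved .invalid TLD as placeholders.
SAMPLE_LOG = """\
1423155600.101   245 10.0.0.5 TCP_MISS/200 1534 GET http://www.site-a.invalid/ - DIRECT/203.0.113.10 text/html
1423155601.233    87 10.0.0.5 TCP_MISS/200  612 GET http://gate-a.invalid/ - DIRECT/136.243.224.9 text/html
1423155601.901   102 10.0.0.5 TCP_MISS/302  310 GET http://gate-b.invalid/page.html - DIRECT/136.243.224.9 text/html
1423155602.450   330 10.0.0.7 TCP_MISS/200 9820 GET http://cdn.site-b.invalid/x.js - DIRECT/198.51.100.4 application/javascript
"""


def parse(line):
    """Parse one access.log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def gate_hits(log_text):
    """Return (client, hostname, url) for every request the proxy fetched from the gate IP."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["peer"] == GATE_IP:
            hits.append((rec["client"], urlsplit(rec["url"]).hostname, rec["url"]))
    return hits


def gate_domains(log_text):
    """Passive-DNS-style pivot: distinct hostnames seen resolving to the gate IP."""
    return sorted({host for _, host, _ in gate_hits(log_text)})


def classify_blob(data):
    """Label a captured object by MD5 if it is one of the artefacts listed on this page."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())
```

The clients returned by gate_hits are the hosts that reached the gate and therefore warrant a look for the follow-on Fiesta EK landing page traffic.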


SCREENSHOTS FROM THE TRAFFIC

Malicious script in page from compromised website:


Redirect pointing to the exploit kit's landing page URL:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
