Malware-Traffic-Analysis.net - 2015-02-11

2015-02-11 - WINDIGO GROUP NUCLEAR EK

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

NOTES:

For more information about Operation Windigo, ESET published a report available here.

A key indicator for Operation Windigo is traffic that triggers the EmergingThreats alert ET CURRENT_EVENTS Cushion Redirection (sid:2017552)

Here are IP addresses and domains I've noticed for Cushion redirection so far this year (ones not previously posted on this blog):

2015-01-13 19:41 UTC - 147.52.82[.]14 - kb99620dyrwcw362xeuxgxl.avantajsepeti[.]com
2015-01-19 18:33 UTC - 41.77.113[.]241 - fbno0lxhdl0b9o8jlmkapji.pasa-konaklari[.]com
2015-02-01 17:40 UTC - 192.210.50[.]30 - 8h6gwzm98f6jd4wz23alii.multitekservisi[.]com
2015-02-02 20:26 UTC - 188.40.162[.]97 - yiyij1wr6ln5ok7kd0pqptl.serinova[.]av[.]tr
2015-02-03 19:09 UTC - 95.154.166[.]120 - q1emcieunrhvrln3d9gejnf.balmina[.]com
2015-02-09 01:00 UTC - 5.39.98[.]0 - ldci5g6gdvc22g3wobdkzhg.sembolferforje[.]com
2015-02-09 21:48 UTC - 108.178.39[.]50 - jfxh1jnieikf6hrefbhcdxi.seyahatdefteri[.]com
2015-02-09 23:28 UTC - 108.178.39[.]50 - hv1nhh4j1vta2bo1v2tg2ij.syaivo[.]org

In today's Nuclear EK traffic, the Flash exploit was the same all three times:

2015-02-11-Windigo-Group-Nuclear-EK-flash-exploit.swf - MD5 hash: 6f7b6c70739822e804d1d25b3329ba22

But the landing pages and malware payloads were different each time:

2015-02-11-Windigo-Group-Nuclear-EK-landing-page-example-01.txt - MD5 hash: cb13f231d210972c8556617549bd281a
2015-02-11-Windigo-Group-Nuclear-EK-landing-page-example-02.txt - MD5 hash: d502692f6e958e53dc7fa0b4af07d1fc
2015-02-11-Windigo-Group-Nuclear-EK-landing-page-example-03.txt - MD5 hash: ecb1c1131cac64b254f1bf8b2d5af785
2015-02-11-Windigo-Group-Nuclear-EK-malware-payload-example-01.exe - MD5 hash: 465d0219b4834a79145c6eac6498cf6c
2015-02-11-Windigo-Group-Nuclear-EK-malware-payload-example-02.exe - MD5 hash: 3b1231f9109efafd8d7d5b95115dd252
2015-02-11-Windigo-Group-Nuclear-EK-malware-payload-example-03.exe - MD5 hash: 9c66b528aff41e103a479e3fe717d2d4

The malware payload appears to be the same basic file, just changed enough for a different file hash.

filestore72[.]info has been compromised by the Windigo Group and is generating the Cushion redirect. This domain is normally used to push fake Java updates and similar files:

TODAY'S TRAFFIC

ASSOCIATED DOMAINS:

67.222.18[.]12 port 80 - www.primehealthchannel[.]com - Compromised website leading to Cushion redirect
67.192.7[.]1 port 80 - forums.mightycarmods[.]com - Compromised website leading to filestore72[.]info
66.199.231[.]59 port 80 - filestore72[.]info - Compromised website leading to Cushion redirect
50.116.3[.]10 port 80 - [23 characters].filmizlemefullhd[.]org - Cushion redirect
50.116.3[.]10 port 80 - [23 characters].filmtane[.]com - Nuclear EK

COMPROMISED WEBSITE AND CUSHION REDIRECT CHAIN - EXAMPLE 1:

2015-02-11 16:39:21 UTC - www.primehealthchannel[.]com - GET /
2015-02-11 16:39:22 UTC - on2wyqlx7ny7x9plbfu6vg7.filmizlemefullhd[.]org - GET /index.php?p=enhwZmJhPWFpeWhvcGsmdGltZT0xNTAyMTExNjM4MzYyNzYyODQ1NC
ZzcmM9MTc3JnN1cmw9d3d3LnByaW1laGVhbHRoY2hhbm5lbC5jb20mc3BvcnQ9ODAma2V5PTU5QUU1QzE3JnN1cmk9Lw==
2015-02-11 16:39:23 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane[.]com - GET /watch.php?kcppp=MTE3NzU5ODg2Nzk3NjRlY2M0MmJiNDk3M2NmZGVkM2Fl

NUCLEAR EK - EXAMPLE 1:

2015-02-11 16:39:23 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane[.]com - GET /BQdXBkRUTQg.html
2015-02-11 16:39:24 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane[.]com - GET /Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs
2015-02-11 16:39:26 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane[.]com - GET /BV4NBkQDAQ9SHwMfBh1SDFcCDwBRBVcHHVUOSwABAE0FUBlQUg0ZBkVaLVcSWzAXWj0
2015-02-11 16:39:28 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane[.]com - GET /BV4NBkQDAQ9SHwMfBh1SDFcCDwBRBVcHHVUOSwABAE0FUBlQUg0ZBkVnFHwARhgzRFc

COMPROMISED WEBSITE AND CUSHION REDIRECT CHAIN - EXAMPLE 2:

2015-02-11 16:53:13 UTC - filestore72[.]info - GET /download.php?id=1f07dba3
2015-02-11 16:53:13 UTC - on2wyqlx7ny7x9plbfu6vg7.filmizlemefullhd[.]org - GET /index.php?r=eGVobHlpPWRxd3F3dSZ0aW1lPTE1MDIxMTE2Mzg0MzkwNjU1MTMmc3
JjPTc2JnN1cmw9ZmlsZXN0b3JlNzIuaW5mbyZzcG9ydD04MCZrZXk9Mzc3MTBDQTYmc3VyaT0vZG93bmxvYWQucGhwJTNmaWQ9MWYwN2RiYTM=
2015-02-11 16:53:13 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane[.]com - GET /watch.php?gfzb=MTA3NjU5ODg2N2E1OTc3Mjg0MmJiNGE0MmE1NWViODUz

NUCLEAR EK - EXAMPLE 2:

2015-02-11 16:53:14 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane[.]com - GET /Vl4LBxpUHQI.html
2015-02-11 16:53:15 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane[.]com - GET /UR5CHgRdWFYeBU0FGgNWVFZXBFEBCQQaBFRIVFkETAMFGlAEHgAJUw
2015-02-11 16:53:17 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane[.]com - GET /Ug9eBxoHWQoHSABIV05TUldSBVUHBAxWTlRQS1ALVRoGAEgEVBpSHWAKfGBDAFAJ
2015-02-11 16:53:19 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane[.]com - GET /Ug9eBxoHWQoHSABIV05TUldSBVUHBAxWTlRQS1ALVRoGAEgEVBpSHXktemd6NmIeVA

COMPROMISED WEBSITE AND CUSHION REDIRECT CHAIN - EXAMPLE 3:

2015-02-11 17:34:27 UTC - filestore72[.]info - GET /download.php?id=1f07dba3
2015-02-11 17:34:27 UTC - uja1215vdybnvy9zqh5p1ng.filmizlemefullhd[.]org - GET /index.php?y=cHJnZXlwcT1zZXNucWRpJnRpbWU9MTUwMjExMTcyMzMxMzk4ODY3M
jYmc3JjPTc2JnN1cmw9ZmlsZXN0b3JlNzIuaW5mbyZzcG9ydD04MCZrZXk9MzExRDdDQkQmc3VyaT0vZG93bmxvYWQucGhwJTNmaWQ9MWYwN2RiYTM=
2015-02-11 17:34:30 UTC - bwltnfa1gfzpwv767eiapf9.filmtane[.]com - GET /watch.php?irejci=MTA3NjU5ODg2N2Y2NjRjMTM0MmJiNDI4YmU3Mzk1MTU3

NUCLEAR EK - EXAMPLE 3:

2015-02-11 17:34:30 UTC - 6pltzo1mje3i27lt6v3espp.filmtane[.]com - GET /VFUFXRkEGQQ.html
2015-02-11 17:34:31 UTC - 6pltzo1mje3i27lt6v3espp.filmtane[.]com - GET /BkhGRFJQVlBFBkhSTAcMVwZTAg8HAFNMAA5LBF0CFwECTQEFARlTCQc
2015-02-11 17:34:33 UTC - 6pltzo1mje3i27lt6v3espp.filmtane[.]com - GET /BVlaXRkCAAZcSwUfAUoJUQdWAw4BBFcASg5TG1QNDhkCVR4HC1xJUklgRUMTVVN-H3w2
2015-02-11 17:34:34 UTC - 6pltzo1mje3i27lt6v3espp.filmtane[.]com - GET /BVlaXRkCAAZcSwUfAUoJUQdWAw4BBFcASg5TG1QNDhkCVR4HC1xJUklaRnkLYVJSJEcZBw

Click here to return to the main page.