2015-08-19 - BIZCN GATE ACTOR NUCLEAR EK FROM 31.214.157[.]20 - BLIZFONE[.]CF

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-08-19-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
• 2015-08-19-BizCN-gate-actor-Nuclear-EK-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• Did not get the malware payload.  Only saw the EK send a Flash exploit.  Was running Flash 18.0.0.209, which is apparently not out-of-date enough for Nuclear EK right now.

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK on 107.191.63[.]163 - various domains
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188[.]92 - newsolar[.]ga
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187[.]29 - alefree[d].ml
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220[.]196 - joston2[.]xyz
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167[.]124 - andrian2[.]xyz
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131[.]131 - foundhere[.]xyz & namesoizze[.]xyz
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114[.]126 - imhed[.]xyz
• 2015-07-17 - BizCN gate actor Nuclear EK on 188.166.120[.]33 - andsoresto[.]link
• 2015-07-30 - BizCN gate actor Nuclear EK on 46.101.18[.]39 - mukasore[.]xyz & florenses[.]xyz
• 2015-08-14 - BizCN gate actor Nuclear EK on 89.238.181[.]74 - free3dprint[.]cf
• 2015-08-19 - BizCN gate actor Nuclear EK on 31.214.157[.]20 - blizfone[.]cf  (this blog post)

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.woogerworks[.]com - Compromised website
• 136.243.25[.]245 port 80 - stranieistor[.]com - BizCN-registered gate
• 31.214.157[.]20 port 80 - blizfone[.]cf - Nuclear EK

 

COMPROMISED WEBSITE AND REDIRECT:

• 2015-08-19 00:43:27 UTC - www.woogerworks[.]com - GET /
• 2015-08-19 00:43:28 UTC - stranieistor[.]com - GET /zuxsWIimQnKZ/zqR-n-WuOPrU_N_Vw/Nvy--_mM-R_VkPZS.js?FLmQr=4Wfx&Dh=c-4&cbumC-V=09&pXT=fc&
  XUP=fds&B_g_-_Tv=awfo&7-TEJy4Q6=_cs7&A=53&AZzHg_Ky=a

 

NUCLEAR EK:

• 2015-08-19 00:43:30 UTC - blizfone[.]cf - GET /search?q=dAFtYURcHAA&BRo=7e1626&Ovcz=bEYH1UETF&j3XHK2l=cMYV0hUWFAe&DeyMr=86984e7c&1s7=aD1pSUU
• 2015-08-19 00:43:30 UTC - blizfone[.]cf - GET /search?q=dAFtYURcHAA&BRo=7e1626&Ovcz=bEYH1UETF&j3XHK2l=cMYV0hUWFAe&DeyMr=86984e7c&1s7=aD1pSUU
• 2015-08-19 00:43:30 UTC - blizfone[.]cf - GET /test?MqPs=85777ed1&Xbl1mz=dQBQUw&MPz=9c2729809&jcbhbi=aA0xGSEAFVExc&WMNlXq=bSAgYX0hUWFAeAFtYU
  RcHAEgHAwpKVwMCGghdVho&IKR=cHDAkYVwAFD&xcclz=eQHBEUCCgc

 

Click here to return to the main page.