2014-09-08 - NUCLEAR EK FROM 151.236.216.177 - BUBLEROSKA.SMART-SIMCHAH.COM

ASSOCIATED FILES:

• ZIP of the pcap(s):  2014-09-08-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-09-08-Nuclear-EK-malware.zip

 

NOTES:

• The redirect pointing to this Nuclear EK ends with 16.html instead of 15.html or some variation as we've seen in the previous few weeks.
• The malware payload pushes out pharmacy spam.  It triggers ET rules for Win32/Tofsee, and some of the anti-virus vendors call this malware "Dorifel".
• I saw a redirect (gate) URL for Nuclear EK ending with 13.html in early June 2014.  I'm guessing this is the same actor.

 

PREVIOUS BLOG ENTRIES ON NUCLEAR EK FROM THIS ACTOR:

• 2014-09-08 - Nuclear EK from 151.236.216.177 - bubleroska.smart-simchah.com -- gate: 178.62.147.65 - digirosmut.okephone.com/eghrhtrhfdgrehh16.html
• 2014-09-04 - Nuclear EK from 80.85.84.188 - afridun.autoth.com -- gate: 178.62.147.62 - puperlikis.taylormadecookies.com/ablousdec15.html?%a
• 2014-09-03 - Nuclear EK from 80.85.84.142 - giodulder.laurentiucozma.ro -- gate: 178.62.147.62:80 - ibirtused.nor-365.com/ravuekafo15.html
• 2014-08-28 - Nuclear EK from 80.85.84.142 - giodulder.laurentiucozma.ro -- gate: 178.62.156.134:80 - nikajumet.solutionoptic.com.ar/troisegahol15.html?
• 2014-08-17 - Nuclear EK from 176.58.126.215 - gegosima.rubiaguru.com.ar -- gate: 178.62.174.18:80 - exitalis.hulme.ca/bubahetar.cgi?15
• 2014-08-01 - Nuclear EK from 85.159.213.246 - paraletas.patmos-star.com -- gate: 95.85.17.107:80 - cucnaterafos.amtranexperts.com/roriskajetas15.html
• 2014-07-10 - Nuclear EK from 93.189.40.229 - gumeno.yahooaple.com -- gate: 188.226.208.231 - gosinaj.cynthiamartinez.com.ar/link15.hotbox
• 2014-06-02 - Nuclear EK from 80.240.139.203 - brozdec.uneekstudio.com -- gate: 80.240.139.203 - brozdec.uneekstudio.com/jtrsuyowertdhsrtj13.html

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 66.147.244.97 - www.sandalwoodmedical.ca - Compromised website
• 178.62.147.65 - digirosmut.okephone.com - Redirect
• 151.236.216.177 - bubleroska.smart-simchah.com - Nuclear EK
• various IP addresses - Post-infection traffic and pharmacy spam (see below)

 

COMPROMISED WEBSITE AND REDIRECT:

• 20:47:48 UTC - 192.168.204.151:49350 - 66.147.244.97:80 - www.sandalwoodmedical.ca - GET /contact-us/
• 20:47:48 UTC - 192.168.204.151:49353 - 66.147.244.97:80 - www.sandalwoodmedical.ca - GET /wp-includes/js/comment-reply.min.js?ver=3.9.2
• 20:47:49 UTC - 192.168.204.151:49355 - 178.62.147.65:80 - digirosmut.okephone.com - GET /eghrhtrhfdgrehh16.html

 

NUCLEAR EK:

• 20:47:49 UTC - 192.168.204.151:49356 - 151.236.216.177:80 - bubleroska.smart-simchah.com - GET /88729d83lfafyn/1/9ffbf35e4190fbba62f70c8477fa3964.html
• 20:47:54 UTC - 192.168.204.151:49356 - 151.236.216.177:80 - bubleroska.smart-simchah.com - GET /894761368/2/1410209280.swf
• 20:47:55 UTC - 192.168.204.151:49356 - 151.236.216.177:80 - bubleroska.smart-simchah.com - GET /f/2/1410209280/894761368/7
• 20:47:59 UTC - 192.168.204.151:49356 - 151.236.216.177:80 - bubleroska.smart-simchah.com - HEAD /894761368/2/1410209280.htm
• 20:47:59 UTC - 192.168.204.151:49356 - 151.236.216.177:80 - bubleroska.smart-simchah.com - GET /894761368/2/1410209280.htm
• 20:48:35 UTC - 192.168.204.151:49361 - 151.236.216.177:80 - bubleroska.smart-simchah.com - GET /894761368/2/1410209280.jar
• 20:48:35 UTC - 192.168.204.151:49361 - 151.236.216.177:80 - bubleroska.smart-simchah.com - GET /f/2/1410209280/894761368/2
• 20:48:36 UTC - 192.168.204.151:49361 - 151.236.216.177:80 - bubleroska.smart-simchah.com - GET /f/2/1410209280/894761368/2/2

 

POST-INFECTION TRAFFIC:

• 20:48:23 UTC - 192.168.204.151:49359 - 111.121.193.238:443 - encrypted TCP stream
• 20:48:54 UTC - 192.168.204.151:49364 - 5.104.106.42:36569 - encrypted TCP stream
• 20:49:00 UTC - 192.168.204.151:49383 - 173.194.115.114:80 - www.google.com - GET /
• 20:49:00 UTC - 192.168.204.151:49365 - 77.120.103.26:4569 - encrypted TCP stream
• 20:49:30 UTC - 192.168.204.151:49404 - 5.104.106.42:36569 - encrypted TCP stream
• 20:50:02 UTC - 192.168.204.151:49423 - 5.104.106.42:36569 - encrypted TCP stream
• 20:50:35 UTC - 192.168.204.151:49457 - 5.104.106.42:36569 - encrypted TCP stream
• 20:51:07 UTC - 192.168.204.151:49477 - 5.104.106.42:36569 - encrypted TCP stream
• 20:51:39 UTC - 192.168.204.151:49507 - 5.104.106.42:36569 - encrypted TCP stream
• 20:52:11 UTC - 192.168.204.151:49536 - 5.104.106.42:36569 - encrypted TCP stream
• 20:52:43 UTC - 192.168.204.151:49560 - 5.104.106.42:36569 - encrypted TCP stream
• 20:53:16 UTC - 192.168.204.151:49589 - 5.104.106.42:36569 - encrypted TCP stream
• 20:56:28 UTC - 192.168.204.151:49727 - 77.120.103.26:4569 - encrypted TCP stream
• 20:56:45 UTC - 192.168.204.151:49742 - 77.120.103.26:4569 - encrypted TCP stream
• 20:56:50 UTC - 192.168.204.151:49745 - 77.120.103.26:4569 - encrypted TCP stream
• 20:57:43 UTC - 192.168.204.151:49782 - 77.120.103.26:4569 - encrypted TCP stream
• 20:58:18 UTC - 192.168.204.151:49807 - 5.104.106.42:36569 - encrypted TCP stream
• 20:58:50 UTC - 192.168.204.151:49833 - 5.104.106.42:36569 - encrypted TCP stream
• 20:59:22 UTC - 192.168.204.151:49864 - 5.104.106.42:36569 - encrypted TCP stream
• 20:59:26 UTC - 192.168.204.151:49869 - 77.120.103.26:4569 - encrypted TCP stream
• 20:59:54 UTC - 192.168.204.151:49891 - 5.104.106.42:36569 - encrypted TCP stream
• 21:00:02 UTC - 192.168.204.151:49902 - 77.120.103.26:4569 - encrypted TCP stream
• 21:00:14 UTC - 192.168.204.151:49910 - 77.120.103.26:4569 - encrypted TCP stream
• 21:00:27 UTC - 192.168.204.151:49926 - 5.104.106.42:36569 - encrypted TCP stream
• 21:00:39 UTC - 192.168.204.151:49935 - 77.120.103.26:4569 - encrypted TCP stream
• 21:00:49 UTC - 192.168.204.151:49946 - 77.120.103.26:4569 - encrypted TCP stream
• 21:01:06 UTC - 192.168.204.151:49962 - 77.120.103.26:4569 - encrypted TCP stream
• 21:01:24 UTC - 192.168.204.151:49978 - 77.120.103.26:4569 - encrypted TCP stream
• 21:02:05 UTC - 192.168.204.151:50009 - 77.120.103.26:4569 - encrypted TCP stream
• 21:02:19 UTC - 192.168.204.151:50019 - 77.120.103.26:4569 - encrypted TCP stream
• The infected host also generated a large amount of SMTP traffic for pharmacy spam (not included in the pcap).  See the image below for an example.

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-08-Nuclear-EK-flash-exploit.swf
File size:  5.5 KB ( 5662 bytes )
MD5 hash:  278fe2398a349ee6f22a02dcdeab66aa
Detection ratio:  2 / 55
First submission:  2014-09-05 07:17:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/38708505ab3b8267f5744e82c86d153654d290b99c4fd18ad96dd78ea5f4197b/analysis/

 

JAVA EXPLOIT:

File name:  2014-09-08-Nuclear-EK-java-exploit.jar
File size:  13.8 KB ( 14138 bytes )
MD5 hash:  84a68bd1ae3f71b91fafc0b6d1b7ad29
Detection ratio:  2 / 55
First submission:  2014-09-08 22:25:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7302ebe585d117f7428fabceaf0e2c8b20e590d16fa82e7237a44417c3ec9ef5/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-08-Nuclear-EK-malware-payload.exe
File size:  148.0 KB ( 151552 bytes )
MD5 hash:  50c5952c549bbfee7d5f34f60b6b000a
Detection ratio:  7 / 55
First submission:  2014-09-08 14:48:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/102bc44f010ad2917e728da4ca0e825512450ed67da22dd2f9ab0b9e6d0bebde/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-09-08 20:47:54 UTC - 151.236.216.177:80 - 192.168.204.151:49356 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
• 2014-09-08 20:47:55 UTC - 192.168.204.151:49356 - 151.236.216.177:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
• 2014-09-08 20:47:55 UTC - 151.236.216.177:80 - 192.168.204.151:49356 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
• 2014-09-08 20:47:56 UTC - 151.236.216.177:80 - 192.168.204.151:49356 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)
• 2014-09-08 20:47:59 UTC - 192.168.204.151:49356 - 151.236.216.177:80 - ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013 (sid:2017774)
• 2014-09-08 20:48:23 UTC - 111.121.193.238:443 - 192.168.204.151:49359 - ETPRO TROJAN Win32/Tofsee Loader Config Download (sid:2808577)
• 2014-09-08 20:48:35 UTC - 192.168.204.151:49361 - 151.236.216.177:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
• 2014-09-08 20:48:35 UTC - 151.236.216.177:80 - 192.168.204.151:49361 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass (sid:2800029)
• 2014-09-08 20:48:36 UTC - 151.236.216.177:80 - 192.168.204.151:49361 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby (sid:2013036)
• 2014-09-08 20:49:00 UTC - 192.168.204.151:49383 - 173.194.115.114:80 - ET POLICY Internet Explorer 6 in use - Significant Security Risk (sid:2010706)
• 2014-09-08 20:49:00 UTC - 192.168.204.151:49383 - 173.194.115.114:80 - ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check (sid:2808012)
• 2014-09-08 20:49:00 UTC - 192.168.204.151:49383 - 173.194.115.114:80 - ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan (sid:2003394)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

• 2014-09-08 20:47:50 UTC - 151.236.216.177 - 192.168.204.151 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
• 2014-09-08 20:47:50 UTC - 151.236.216.177:80 - 192.168.204.151:49356 - [1:31734:1] EXPLOIT-KIT Nuclear exploit kit landing page detection
• 2014-09-08 20:47:55 UTC - 151.236.216.177:80 - 192.168.204.151:49356 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-09-08 20:47:55 UTC - 151.236.216.177:80 - 192.168.204.151:various - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x3)
• 2014-09-08 20:47:55 UTC - 151.236.216.177:80 - 192.168.204.151:various - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x2)
• 2014-09-08 20:47:59 UTC - 192.168.204.151:49356 - 151.236.216.177:80 - [1:29186:2] EXPLOIT-KIT Nuclear exploit kit outbound connection
• 2014-09-08 20:48:35 UTC - 192.168.204.151:49361 - 151.236.216.177:80 - [1:30219:3] EXPLOIT-KIT Nuclear exploit kit outbound jar request
• 2014-09-08 20:48:35 UTC - 151.236.216.177:80 - 192.168.204.151:49361 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt
• 2014-09-08 20:48:36 UTC - 151.236.216.177:80 - 192.168.204.151:49361 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-09-08 20:48:36 UTC - 151.236.216.177:80 - 192.168.204.151:49361 - [1:25042:3] EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit
• 2014-09-08 20:48:36 UTC - 192.168.204.151:49361 - 151.236.216.177:80 - [1:30220:3] EXPLOIT-KIT Nuclear exploit kit outbound payload request
• 2014-09-08 20:51:41 UTC - 192.168.204.151:various - 5.104.106.42:36569 - [129:12:1] Consecutive TCP small segments exceeding threshold (x2)
• 2014-09-08 20:58:43.009523 192.168.204.151:various - 77.120.103.26:4569 - [129:12:1] Consecutive TCP small segments exceeding threshold (x3)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap(s):  2014-09-08-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-09-08-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.