2014-09-29 - NUCLEAR EK DELIVERS DIGITALLY-SIGNED CRYPTOWALL MALWARE

ASSOCIATED FILES:

• ZIP of the pcap:  2014-09-29-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-09-29-Nuclear-EK-malware.zip

NOTES:

• This traffic is related to: https://barracudalabs.com/2014/09/signed-cryptowall-distributed-via-widespread-malvertising-campaign/
• Also: http://www.networkworld.com/article/2688993/malvertising-campaign-delivers-digitally-signed-cryptowall-ransomware.html
• According to those articles, Zedo-based ads have been pushing Nuclear EK, and it appears this latest CryptoWall campaign is somewhat wide-spread.
• For this CryptoWall example, the BitCoin address for the ransom payment is: 177avVGBEXMcoiHaoQoYj2dn8FVouvPxLd

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 148.251.154.3 - static.rcs7.org - First redirect
• 148.251.154.29 - a.wialto.com - Second redirect
• 89.40.71.156 - unfocodistonet.co7.us - Nuclear EK
• 79.133.219.113 - craspatsp.com and brosersposter.com - CryptoWall checkin domains
• 77.87.78.127 - nihnihnih.com - CryptoWall callback domain

 

ORIGINAL WEBSITE VISITED:

• 13:58:04 UTC - 192.168.204.148:49766 - 216.206.30.10:80 - www.hindustantimes.com - GET /

GOOGLE AND ZEDO AD TRAFFIC:

• 13:58:04 UTC - 192.168.204.148:49769 - 74.125.198.95:80 - ajax.googleapis.com - GET /ajax/libs/jquery/1.7.0/jquery.min.js
• 13:58:04 UTC - 192.168.204.148:49770 - 209.8.115.64:80 - c2.zedo.com - GET /jsc/c2/fo.js
• 13:58:04 UTC - 192.168.204.148:49771 - 74.125.198.155:80 - www.googletagservices.com - GET /tag/js/gpt.js
• 13:58:05 UTC - 192.168.204.148:49772 - 74.125.198.132:80 - tpc.googlesyndication.com - GET /safeframe/1-0-0/html/container.html
• 13:58:05 UTC - 192.168.204.148:49773 - 74.125.198.155:80 - partner.googleadservices.com - GET /gpt/pubads_impl_50.js
• 13:58:05 UTC - 192.168.204.148:49774 - 64.41.197.48:80 - ss1.zedo.com - GET /jsc/fst.js
• 13:58:05 UTC - 192.168.204.148:49775 - 54.241.152.180:80 - z2.zedo.com - GET /client/z2/fo.js
• 13:58:05 UTC - 192.168.204.148:49775 - 54.241.152.180:80 - z2.zedo.com - GET /asw/fm.js?c=623&a=0&f=&n=294&r=29&d=64&adm=&q=&$=&s=0&ct=&z=0.9
  15285474657296&tt=0&tz=-8&pu=http%3A%2F%2Fwww.hindustantimes.com%2F&ru=http%3A%2F%2Fwww.google.com%2Furl&pi=1411999086829&ce=UTF-8
• 13:58:06 UTC - 192.168.204.148:49775 - 54.241.152.180:80 - z2.zedo.com - GET /asw/fmr.js?c=623&a=0&f=&n=294&r=29&d=64&adm=&q=&$=&s=0&ct=&z=0.9
  15285474657296&tt=0&tz=-8&pu=http%3A%2F%2Fwww.hindustantimes.com%2F&ru=http%3A%2F%2Fwww.google.com%2Furl&pi=1411999086829&ce=UTF-8

VERIFIED PORTION OF THE INFECTION CHAIN:

• 13:58:06 UTC - 192.168.204.148:49776 - 148.251.154.3:80 - static.rcs7.org - GET /seo1.php?ds=true&dr=6852409136
• 13:58:11 UTC - 192.168.204.148:49780 - 148.251.154.29:80 - a.wialto.com - GET /akamai/adsone.php?acc=%C6%CC%3F%D5%F0J%00%F7%0Crs%24%CB%
  D4Q%C1B%04%A2%95%FE%ACy%9E&nrk=8627161976

NUCLEAR EK:

• 13:58:12 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /3bd2de07nz6n2e_fa15834.html
• 13:58:16 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /30abf486nz6n2e/1411999080.xap
• 13:58:18 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /f/30abf486nz6n2e/1411999080/8
• 13:58:20 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /30abf486nz6n2e/1411999080.swf
• 13:58:21 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /f/30abf486nz6n2e/1411999080/7
• 13:58:28 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /30abf486nz6n2e/1411999080.pdf
• 13:58:28 UTC - 192.168.204.148:49940 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /30abf486nz6n2e/1411999080.htm
• 13:58:46 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /f/30abf486nz6n2e/1411999080/5/x0009070554515d565b010b035100
  53535c0505;1;6
• 13:58:48 UTC - 192.168.204.148:49940 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /f/30abf486nz6n2e/1411999080/5/x0009070554515d565b010b035100
  53535c0505;1;6;1
• 13:58:59 UTC - 192.168.204.148:49959 - 216.206.30.10:80 - www.hindustantimes.com - GET /30abf486nz6n2e/1411999080.jar

POST-INFECTION TRAFFIC:

• 13:58:46 UTC - 192.168.204.148:49955 - 79.133.219.113:80 - craspatsp.com - POST /8ih68ct338w5l
• 13:59:17 UTC - 192.168.204.148:58851 - 192.168.204.2:53 - DNS request for brosersposter.com   [like craspatsp.com, this resolved to 79.133.219.113]
• 13:59:38 UTC - 192.168.204.148:49966 - 77.87.78.127:80 - nihnihnih.com - POST /8ih68ct338w5l
• 14:01:04 UTC - 192.168.204.148:49971 - 77.87.78.127:80 - nihnihnih.com - POST /bwzxweit87tfzy
• 14:02:12 UTC - 192.168.204.148:49985 - 77.87.78.127:80 - nihnihnih.com - POST /795hg4ne5o28l
• 14:01:09 UTC - 192.168.204.148:49972 - 91.236.75.111:443 - encrypted traffic to: kpai7ycr7jxqkilp.torminater.com
• 14:01:30 UTC - 192.168.204.148:various - 94.156.77.213:443 - encrypted traffic to: kpai7ycr7jxqkilp.torminater.com

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-09-29-Nuclear-EK-flash-exploit.swf
File size:  5.7 KB ( 5883 bytes )
MD5 hash:  712a0c8c5c790f1e8e05be255b145954
Detection ratio:  1 / 55
First submission:  2014-09-29 08:27:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/674a2cc433019b7a7e478d5edc31c2f47634b3058b1fe2749b583905b722550d/analysis/

 

PDF EXPLOIT

File name:  2014-09-29-Nuclear-EK-pdf-exploit.pdf
File size:  9.5 KB ( 9754 bytes )
MD5 hash:  e4559cd4344a46db72e51c070996a076
Detection ratio:  1 / 55
First submission:  2014-09-29 17:53:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0aa9bee7f523cc0b918c9ad17f67188851344c02f68afd15e6142d826a8619f9/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-09-29-Nuclear-EK-silverlight-exploit.xap
File size:  8.1 KB ( 8340 bytes )
MD5 hash:  afd3b15390de8aa440e5e676f03d1c89
Detection ratio:  0 / 55
First submission:  2014-09-29 05:35:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c743f60c6277f25c8c829b2beff21f5243a56243cd9385dfc131aabb7c9f3094/analysis/

 

MALWARE PAYLOAD (DIGITALLY-SIGNED CRYPTOWALL):

File name:  2014-09-29-Nuclear-EK-malware-payload.exe
File size:  159.9 KB ( 163696 bytes )
MD5 hash:  dc5c71aef24a5899f63c3f9c15993697
Detection ratio:  1 / 54
First submission:  2014-09-29 13:36:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54ce7a04b71a1bbdfcfd0bf46bd1f138dee5d4554e21192d1f98d0e02694f351/analysis/

 

SNORT EVENTS

Applicable signature hits from the Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-09-29 13:58:11 UTC - 192.168.204.148:49780 - 148.251.154.29:80 - ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014 (sid:2019194 and 2019195)
• 2014-09-29 13:58:16 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - ET CURRENT_EVENTS Nuclear EK Silverlight URI Struct (sid:2019167)
• 2014-09-29 13:58:16 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
• 2014-09-29 13:58:18 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
• 2014-09-29 13:58:18 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
• 2014-09-29 13:58:20 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
• 2014-09-29 13:58:28 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF (sid:2019210)
• 2014-09-29 13:58:28 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering PDF Exploit to Client (sid:2013960)
• 2014-09-29 13:58:28 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
• 2014-09-29 13:58:46 UTC - 192.168.204.148:49955 - 79.133.219.113:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
• 2014-09-29 13:58:59 UTC - 192.168.204.148:49959 - 216.206.30.10:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
• 2014-09-29 14:01:09 UTC - 192.168.204.148:57441 - 192.168.204.2:53 - ET TROJAN Likely CryptoWall .onion Proxy DNS lookup (sid:2018609)
• 2014-09-29 14:01:37 UTC - 192.168.204.148:49977 - 94.156.77.213:443 - ET TROJAN Likely CryptoWall .onion Proxy domain in SNI (sid:2018610)

Applicable Sourcefire VRT signature hits from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

• 2014-09-29 13:58:18 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-09-29 13:58:18 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection
• 2014-09-29 13:58:18 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x3)
• 2014-09-29 13:58:19 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:648:14] INDICATOR-SHELLCODE x86 NOOP (x6)
• 2014-09-29 13:58:19 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• 2014-09-29 13:58:22 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:11192:16] FILE-EXECUTABLE download of executable content (x3)
• 2014-09-29 13:58:22 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x3)
• 2014-09-29 13:58:28 UTC - 54.213.60.124:80 - 192.168.204.148:49923 - [1:3679:12] INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution
• 2014-09-29 13:58:46 UTC - 192.168.204.148:49955 - 79.133.219.113:80 - [1:31223:1] MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt
• 2014-09-29 13:58:48 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-09-29 13:58:48 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection
• 2014-09-29 13:58:48 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-09-29 13:58:49 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:648:14] INDICATOR-SHELLCODE x86 NOOP (x2)
• 2014-09-29 13:58:49 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
• 2014-09-29 13:59:38 UTC - 192.168.204.148:49966 - 77.87.78.127:80 - [1:31223:1] MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt
• 2014-09-29 14:01:04 UTC - 192.168.204.148:49971 - 77.87.78.127:80 - [1:30047:1] MALWARE-CNC Win.Trojan.Crowti variant outbound connection

 

HIGHLIGHTS FROM THE TRAFFIC

Firs redirect with the original referer [doesn't indicate all the add traffic between the original referer and this URL]:

 

Second redirect to Nuclear EK:

 

CryptoWall in action:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-09-29-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:  2014-09-29-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.