2014-09-29 - NUCLEAR EK DELIVERS DIGITALLY-SIGNED CRYPTOWALL MALWARE
ASSOCIATED FILES:
- ZIP of the pcap: 2014-09-29-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2014-09-29-Nuclear-EK-malware.zip
NOTES:
- This traffic is related to: https://barracudalabs.com/2014/09/signed-cryptowall-distributed-via-widespread-malvertising-campaign/
- Also: http://www.networkworld.com/article/2688993/malvertising-campaign-delivers-digitally-signed-cryptowall-ransomware.html
- According to those articles, Zedo-based ads have been pushing Nuclear EK, and it appears this latest CryptoWall campaign is somewhat wide-spread.
- For this CryptoWall example, the BitCoin address for the ransom payment is: 177avVGBEXMcoiHaoQoYj2dn8FVouvPxLd
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 148.251.154.3 - static.rcs7.org - First redirect
- 148.251.154.29 - a.wialto.com - Second redirect
- 89.40.71.156 - unfocodistonet.co7.us - Nuclear EK
- 79.133.219.113 - craspatsp.com and brosersposter.com - CryptoWall checkin domains
- 77.87.78.127 - nihnihnih.com - CryptoWall callback domain
ORIGINAL WEBSITE VISITED:
- 13:58:04 UTC - 192.168.204.148:49766 - 216.206.30.10:80 - www.hindustantimes.com - GET /
GOOGLE AND ZEDO AD TRAFFIC:
- 13:58:04 UTC - 192.168.204.148:49769 - 74.125.198.95:80 - ajax.googleapis.com - GET /ajax/libs/jquery/1.7.0/jquery.min.js
- 13:58:04 UTC - 192.168.204.148:49770 - 209.8.115.64:80 - c2.zedo.com - GET /jsc/c2/fo.js
- 13:58:04 UTC - 192.168.204.148:49771 - 74.125.198.155:80 - www.googletagservices.com - GET /tag/js/gpt.js
- 13:58:05 UTC - 192.168.204.148:49772 - 74.125.198.132:80 - tpc.googlesyndication.com - GET /safeframe/1-0-0/html/container.html
- 13:58:05 UTC - 192.168.204.148:49773 - 74.125.198.155:80 - partner.googleadservices.com - GET /gpt/pubads_impl_50.js
- 13:58:05 UTC - 192.168.204.148:49774 - 64.41.197.48:80 - ss1.zedo.com - GET /jsc/fst.js
- 13:58:05 UTC - 192.168.204.148:49775 - 54.241.152.180:80 - z2.zedo.com - GET /client/z2/fo.js
- 13:58:05 UTC - 192.168.204.148:49775 - 54.241.152.180:80 - z2.zedo.com - GET /asw/fm.js?c=623&a=0&f=&n=294&r=29&d=64&adm=&q=&$=&s=0&ct=&z=0.9
15285474657296&tt=0&tz=-8&pu=http%3A%2F%2Fwww.hindustantimes.com%2F&ru=http%3A%2F%2Fwww.google.com%2Furl&pi=1411999086829&ce=UTF-8 - 13:58:06 UTC - 192.168.204.148:49775 - 54.241.152.180:80 - z2.zedo.com - GET /asw/fmr.js?c=623&a=0&f=&n=294&r=29&d=64&adm=&q=&$=&s=0&ct=&z=0.9
15285474657296&tt=0&tz=-8&pu=http%3A%2F%2Fwww.hindustantimes.com%2F&ru=http%3A%2F%2Fwww.google.com%2Furl&pi=1411999086829&ce=UTF-8
VERIFIED PORTION OF THE INFECTION CHAIN:
- 13:58:06 UTC - 192.168.204.148:49776 - 148.251.154.3:80 - static.rcs7.org - GET /seo1.php?ds=true&dr=6852409136
- 13:58:11 UTC - 192.168.204.148:49780 - 148.251.154.29:80 - a.wialto.com - GET /akamai/adsone.php?acc=%C6%CC%3F%D5%F0J%00%F7%0Crs%24%CB%
D4Q%C1B%04%A2%95%FE%ACy%9E&nrk=8627161976
NUCLEAR EK:
- 13:58:12 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /3bd2de07nz6n2e_fa15834.html
- 13:58:16 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /30abf486nz6n2e/1411999080.xap
- 13:58:18 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /f/30abf486nz6n2e/1411999080/8
- 13:58:20 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /30abf486nz6n2e/1411999080.swf
- 13:58:21 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /f/30abf486nz6n2e/1411999080/7
- 13:58:28 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /30abf486nz6n2e/1411999080.pdf
- 13:58:28 UTC - 192.168.204.148:49940 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /30abf486nz6n2e/1411999080.htm
- 13:58:46 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /f/30abf486nz6n2e/1411999080/5/x0009070554515d565b010b035100
53535c0505;1;6 - 13:58:48 UTC - 192.168.204.148:49940 - 89.40.71.156:80 - unfocodistonet.co7.us - GET /f/30abf486nz6n2e/1411999080/5/x0009070554515d565b010b035100
53535c0505;1;6;1 - 13:58:59 UTC - 192.168.204.148:49959 - 216.206.30.10:80 - www.hindustantimes.com - GET /30abf486nz6n2e/1411999080.jar
POST-INFECTION TRAFFIC:
- 13:58:46 UTC - 192.168.204.148:49955 - 79.133.219.113:80 - craspatsp.com - POST /8ih68ct338w5l
- 13:59:17 UTC - 192.168.204.148:58851 - 192.168.204.2:53 - DNS request for brosersposter.com [like craspatsp.com, this resolved to 79.133.219.113]
- 13:59:38 UTC - 192.168.204.148:49966 - 77.87.78.127:80 - nihnihnih.com - POST /8ih68ct338w5l
- 14:01:04 UTC - 192.168.204.148:49971 - 77.87.78.127:80 - nihnihnih.com - POST /bwzxweit87tfzy
- 14:02:12 UTC - 192.168.204.148:49985 - 77.87.78.127:80 - nihnihnih.com - POST /795hg4ne5o28l
- 14:01:09 UTC - 192.168.204.148:49972 - 91.236.75.111:443 - encrypted traffic to: kpai7ycr7jxqkilp.torminater.com
- 14:01:30 UTC - 192.168.204.148:various - 94.156.77.213:443 - encrypted traffic to: kpai7ycr7jxqkilp.torminater.com
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-09-29-Nuclear-EK-flash-exploit.swf
File size: 5.7 KB ( 5883 bytes )
MD5 hash: 712a0c8c5c790f1e8e05be255b145954
Detection ratio: 1 / 55
First submission: 2014-09-29 08:27:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/674a2cc433019b7a7e478d5edc31c2f47634b3058b1fe2749b583905b722550d/analysis/
PDF EXPLOIT
File name: 2014-09-29-Nuclear-EK-pdf-exploit.pdf
File size: 9.5 KB ( 9754 bytes )
MD5 hash: e4559cd4344a46db72e51c070996a076
Detection ratio: 1 / 55
First submission: 2014-09-29 17:53:59 UTC
VirusTotal link: https://www.virustotal.com/en/file/0aa9bee7f523cc0b918c9ad17f67188851344c02f68afd15e6142d826a8619f9/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-09-29-Nuclear-EK-silverlight-exploit.xap
File size: 8.1 KB ( 8340 bytes )
MD5 hash: afd3b15390de8aa440e5e676f03d1c89
Detection ratio: 0 / 55
First submission: 2014-09-29 05:35:30 UTC
VirusTotal link: https://www.virustotal.com/en/file/c743f60c6277f25c8c829b2beff21f5243a56243cd9385dfc131aabb7c9f3094/analysis/
MALWARE PAYLOAD (DIGITALLY-SIGNED CRYPTOWALL):
File name: 2014-09-29-Nuclear-EK-malware-payload.exe
File size: 159.9 KB ( 163696 bytes )
MD5 hash: dc5c71aef24a5899f63c3f9c15993697
Detection ratio: 1 / 54
First submission: 2014-09-29 13:36:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/54ce7a04b71a1bbdfcfd0bf46bd1f138dee5d4554e21192d1f98d0e02694f351/analysis/
SNORT EVENTS
Applicable signature hits from the Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-09-29 13:58:11 UTC - 192.168.204.148:49780 - 148.251.154.29:80 - ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014 (sid:2019194 and 2019195)
- 2014-09-29 13:58:16 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - ET CURRENT_EVENTS Nuclear EK Silverlight URI Struct (sid:2019167)
- 2014-09-29 13:58:16 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK SilverLight Exploit (sid:2018402)
- 2014-09-29 13:58:18 UTC - 192.168.204.148:49789 - 89.40.71.156:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
- 2014-09-29 13:58:18 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
- 2014-09-29 13:58:20 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
- 2014-09-29 13:58:28 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF (sid:2019210)
- 2014-09-29 13:58:28 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering PDF Exploit to Client (sid:2013960)
- 2014-09-29 13:58:28 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
- 2014-09-29 13:58:46 UTC - 192.168.204.148:49955 - 79.133.219.113:80 - ET TROJAN CryptoWall Check-in (sid:2018452)
- 2014-09-29 13:58:59 UTC - 192.168.204.148:49959 - 216.206.30.10:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
- 2014-09-29 14:01:09 UTC - 192.168.204.148:57441 - 192.168.204.2:53 - ET TROJAN Likely CryptoWall .onion Proxy DNS lookup (sid:2018609)
- 2014-09-29 14:01:37 UTC - 192.168.204.148:49977 - 94.156.77.213:443 - ET TROJAN Likely CryptoWall .onion Proxy domain in SNI (sid:2018610)
Applicable Sourcefire VRT signature hits from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):
- 2014-09-29 13:58:18 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-09-29 13:58:18 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection
- 2014-09-29 13:58:18 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x3)
- 2014-09-29 13:58:19 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:648:14] INDICATOR-SHELLCODE x86 NOOP (x6)
- 2014-09-29 13:58:19 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
- 2014-09-29 13:58:22 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:11192:16] FILE-EXECUTABLE download of executable content (x3)
- 2014-09-29 13:58:22 UTC - 89.40.71.156:80 - 192.168.204.148:49789 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x3)
- 2014-09-29 13:58:28 UTC - 54.213.60.124:80 - 192.168.204.148:49923 - [1:3679:12] INDICATOR-OBFUSCATION Multiple Products IFRAME src javascript code execution
- 2014-09-29 13:58:46 UTC - 192.168.204.148:49955 - 79.133.219.113:80 - [1:31223:1] MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt
- 2014-09-29 13:58:48 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-09-29 13:58:48 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection
- 2014-09-29 13:58:48 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2014-09-29 13:58:49 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:648:14] INDICATOR-SHELLCODE x86 NOOP (x2)
- 2014-09-29 13:58:49 UTC - 89.40.71.156:80 - 192.168.204.148:49940 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
- 2014-09-29 13:59:38 UTC - 192.168.204.148:49966 - 77.87.78.127:80 - [1:31223:1] MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection attempt
- 2014-09-29 14:01:04 UTC - 192.168.204.148:49971 - 77.87.78.127:80 - [1:30047:1] MALWARE-CNC Win.Trojan.Crowti variant outbound connection
HIGHLIGHTS FROM THE TRAFFIC
Firs redirect with the original referer [doesn't indicate all the add traffic between the original referer and this URL]:
Second redirect to Nuclear EK:
CryptoWall in action:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-09-29-Nuclear-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-09-29-Nuclear-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.