2014-11-06 - NUCLEAR EK SENDS SILVERLIGHT EXPLOIT WITH .WSF FILE EXTENSION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-11-06-Nuclear-EK-traffic.pcap.zip 823.3 kB (823,316 bytes)
- 2014-11-06-Nuclear-EK-malware.zip 124.7 kB (124,663 bytes)
NOTES:
- The last time I looked into Nuclear EK on 2014-09-29, the Silverlight exploit was sent with the proper file extension (.xap).
- Today, when I checked, it was sent as a Flash file, using .swf as the file extension.
- Also, I'm disappointed to see a Flash exploit reported to Virus Total a week ago still showing a zero detection rate when I re-submitted it today. Come on, anti-virus vendors... Give us some indication you know this stuff is out there!
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 182.160.157[.]199 - www.magmedia.com[.]au - Compromised website
- 108.61.196[.]84 - pixeltouchstudios[.]tk - Redirect (gate)
- 173.244.195[.]17 - grannityrektonaver[.]co[.]vu - Nuclear EK
COMPROMISED WEBSITE AND REDIRECT CHAIN:
- 2014-11-06 15:02:35 UTC - 182.160.157[.]199:80 - www.magmedia[.]com[.]au - GET /
- 2014-11-06 15:02:37 UTC - 182.160.157[.]199:80 - www.magmedia[.]com[.]au - GET /wp-includes/js/jquery/jquery.js?ver=1.7.2
- 2014-11-06 15:02:38 UTC - 108.61.196[.]84:80 - pixeltouchstudios[.]tk - GET /seedadmin17.html
NUCLEAR EK:
- 2014-11-06 15:02:39 UTC - 173.244.195[.]17:80 - grannityrektonaver[.]co[.]vu - GET /15c0b14drr9f_1_08282d03fb0251bbd75ff6dc6e317bd9.html
- 2014-11-06 15:02:42 UTC - 173.244.195[.]17:80 - grannityrektonaver[.]co[.]vu - GET /00015d76d9b2rr9f/1415286120
- 2014-11-06 15:02:43 UTC - 173.244.195[.]17:80 - grannityrektonaver[.]co[.]vu - GET /00015d766423rr9f/1415286120
- 2014-11-06 15:02:44 UTC - 173.244.195[.]17:80 - grannityrektonaver[.]co[.]vu - GET /00015d76rr9f/1415286120/5/x00809070554515d565b010b0
3510053535c0505;1;6 - 2014-11-06 15:02:45 UTC - 173.244.195[.]17:80 - grannityrektonaver[.]co[.]vu - GET /00015d76rr9f/1415286120/5/x00809070554515d565b010b0
3510053535c0505;1;6;1 - 2014-11-06 15:03:22 UTC - 173.244.195[.]17:80 - grannityrektonaver[.]co[.]vu - GET /00015d76rr9f/1415286120/7
- 2014-11-06 15:03:23 UTC - 173.244.195[.]17:80 - grannityrektonaver[.]co[.]vu - GET /00015d761709rr9f/1415286120
- 2014-11-06 15:03:28 UTC - 173.244.195[.]17:80 - grannityrektonaver[.]co[.]vu - GET /00015d76rr9f/1415286120/8
POST-INFECTION TRAFFIC FROM THE INFECTED VM:
- 2014-11-06 15:06:21 UTC - 134.170.188[.]221:80 - TCP connection to microsoft[.]com, but no data sent
- 2014-11-06 15:06:21 UTC - 207.46.163[.]138:25 - TCP connection to microsoft-com.mailprotection.outlook[.]com, but no data sent
- 2014-11-06 15:06:24 UTC - 111.121.193[.]238:443 - blocked by Malwarebytes (forgot to disable this protection)
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-11-06-Nuclear-EK-flash-exploit.swf
File size: 31,579 bytes
MD5 hash: 458ecf2e77b0a413f3076d504632f840
Detection ratio: 0 / 54
First submission: 2014-10-29 18:10:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/fa9e850b382fbc4211c5c80693d713c778574258d6606db57bc0380f9b3b323f/analysis/
PDF EXPLOIT
File name: 2014-11-06-Nuclear-EK-pdf-exploit.pdf
File size: 99,40 bytes
MD5 hash: d210403a9d63879c0b2acf41b6d82720
Detection ratio: 1 / 53
First submission: 2014-11-06 16:10:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/efefc7e889ee031e402dac2a05e6d4762144497b6007c9ef73628935d766aa4c/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-11-06-Nuclear-EK-silverlight-exploit.xap
File size: 8,064 bytes
MD5 hash: 3ba514d8cf12bbf1a070fbc5933eb5c5
Detection ratio: 4 / 53
First submission: 2014-11-06 16:10:41 UTC
VirusTotal link: https://www.virustotal.com/en/file/5bcb20f506ce854eb3191ca87a14c5777cdcb0f96ffec0b68e3535001d3675db/analysis/
MALWARE PAYLOAD
File name: 2014-11-06-Nuclear-EK-malware-payload.exe
File size: 139,264 bytes
MD5 hash: 67291715c45c4594b8866e90fbf5c7c4
Detection ratio: 5 / 53
First submission: 2014-11-06 16:11:16 UTC
VirusTotal link: https://www.virustotal.com/en/file/955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c/analysis/
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):
- 2014-11-06 15:02:39 UTC - 173.244.195[.]17:80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014 (sid:2019315)
- 2014-11-06 15:02:42 UTC - 173.244.195[.]17:80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
- 2014-11-06 15:02:43 UTC - 173.244.195[.]17:80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF (sid:2019210)
- 2014-11-06 15:02:43 UTC - 173.244.195[.]17:80 - ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (sid:2801334)
- 2014-11-06 15:02:45 UTC - 173.244.195[.]17:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Oct 5 2014 (sid:2019359)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
- 2014-11-06 15:02:45 UTC - 173.244.195[.]17:80 - [1:11192:16] FILE-EXECUTABLE download of executable content (x3)
- 2014-11-06 15:02:45 UTC - 173.244.195[.]17:80 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x3)
- 2014-11-06 15:02:45 UTC - 173.244.195[.]17:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x3)
- 2014-11-06 15:03:28 UTC - 173.244.195[.]17:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
- 2014-11-06 15:03:28 UTC - 173.244.195[.]17:80 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection
- 2014-11-06 15:03:28 UTC - 173.244.195[.]17:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
HIGHLIGHTS FROM THE TRAFFIC
Malicious iframe in .js file from compromised website:
Redirect (gate) pointing to Nuclear EK:
Click here to return to the main page.