2014-11-06 - NUCLEAR EK SENDS SILVERLIGHT EXPLOIT WITH .WSF FILE EXTENSION

NOTICE:

ASSOCIATED FILES:


NOTES:


CHAIN OF EVENTS

ASSOCIATED DOMAINS:


COMPROMISED WEBSITE AND REDIRECT CHAIN:


NUCLEAR EK:


POST-INFECTION TRAFFIC FROM THE INFECTED VM:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-11-06-Nuclear-EK-flash-exploit.swf
File size:  31,579 bytes
MD5 hash:  458ecf2e77b0a413f3076d504632f840
Detection ratio:  0 / 54
First submission:  2014-10-29 18:10:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fa9e850b382fbc4211c5c80693d713c778574258d6606db57bc0380f9b3b323f/analysis/


PDF EXPLOIT

File name:  2014-11-06-Nuclear-EK-pdf-exploit.pdf
File size:  99,40 bytes
MD5 hash:  d210403a9d63879c0b2acf41b6d82720
Detection ratio:  1 / 53
First submission:  2014-11-06 16:10:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/efefc7e889ee031e402dac2a05e6d4762144497b6007c9ef73628935d766aa4c/analysis/


SILVERLIGHT EXPLOIT

File name:  2014-11-06-Nuclear-EK-silverlight-exploit.xap
File size:  8,064 bytes
MD5 hash:  3ba514d8cf12bbf1a070fbc5933eb5c5
Detection ratio:  4 / 53
First submission:  2014-11-06 16:10:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5bcb20f506ce854eb3191ca87a14c5777cdcb0f96ffec0b68e3535001d3675db/analysis/


MALWARE PAYLOAD

File name:  2014-11-06-Nuclear-EK-malware-payload.exe
File size:  139,264 bytes
MD5 hash:  67291715c45c4594b8866e90fbf5c7c4
Detection ratio:  5 / 53
First submission:  2014-11-06 16:11:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/955e4e4a56bf80a30636b0c34673cdd6a889aff6569331a5336e1606e7c1050c/analysis/


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


HIGHLIGHTS FROM THE TRAFFIC

Malicious iframe in .js file from compromised website:


Redirect (gate) pointing to Nuclear EK: