2014-12-10 - WINDIGO GROUP USES NUCLEAR EK FROM 128.199.48.110 - SEVENTHNAMED.CO.VU
ASSOCIATED FILES:
- ZIP of the pcap: 2014-12-10-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2014-12-10-Nuclear-EK-malware.zip
NOTES:
- For more information about Operation Windigo, ESET published a report avaialable here.
- As noted by Kafeine, the Windigo group started serving Rig EK back in July (link).
- This week, Kafeine found Windigo had moved from Rig EK to Nuclear EK, and the malware payload was being XOR-ed.
- Yesterday, I noticed Threatglass had an entry with Nuclear EK traffic caused by Operation Windigo: http://threatglass.com/malicious_urls/firstliving-org
- Today, I generated an another infection chain. Let's look at the Nuclear EK traffic from this example.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 67.222.18.12 - www.primehealthchannel.com - Compromised website
- 107.6.164.18 - byxswk7yqg0plq1u59l9npl.parkmedical.com.au - Cushion redirect (first domain)
- 107.6.164.18 - byxswk7yqg0plq1u59l9npl1177542af60f24b98053e1eb7a699643c.parkmedical.com.au - Cushion redirect (second domain)
- 128.199.48.110 - seventhnamed.co.vu - Nuclear EK
COMPROMISED WEBSITE:
- 16:47:47 UTC - www.primehealthchannel.com - GET /
CUSHION REDIRECT:
- 16:47:48 UTC - byxswk7yqg0plq1u59l9npl.parkmedical.com.au - GET /index.php?i=aHJua3Z4PXhxJnRpbWU9MTQxMjEwMTYxMjI0MzE0MjA1OSZzcmM9MT
c3JnN1cmw9d3d3LnByaW1laGVhbHRoY2hhbm5lbC5jb20mc3BvcnQ9ODAma2V5PTMwM0I5M0MwJnN1cmk9Lw== - 16:47:49 UTC - byxswk7yqg0plq1u59l9npl1177542af60f24b98053e1eb7a699643c.parkmedical.com.au - GET /index2.php
NUCLEAR EK:
- 16:47:51 UTC - seventhnamed.co.vu - GET /H0FRFEgDAwtD.html
- 16:47:53 UTC - seventhnamed.co.vu - GET /AwoVG00BBwQOV1UaQxlWAAMLRUFWVVRCGVIaBAFZQVZLV0pWG1JeAQ
- 16:47:54 UTC - seventhnamed.co.vu - GET /ABsJAkhLAEMBGlRWDlQbBQYCT0BVVVZAVRsBHAVFXFVVSENdVEgHTwMfFjEwJi0eWQ
- 16:47:55 UTC - seventhnamed.co.vu - GET /ABsJAkhLAEMBGlRWDlQbBQYCT0BVVVZAVRsBHAVFXFVVSENdVEgHTzsWCBcgIywbBg
- 16:47:56 UTC - seventhnamed.co.vu - GET /AwoVG00BBwQOV1UaQxlWAAMLRUFWVVRCGVIaBAFZQVZLV0pWG0dbXwEXFA
- 16:47:58 UTC - seventhnamed.co.vu - GET /ABsJAkhLAEMBGlRWDlQbBQYCT0BVVVZAVRsBHAVFXFVVSENdVEgFTwMfFjEwJi0eWQ
- 16:47:59 UTC - seventhnamed.co.vu - GET /ABsJAkhLAEMBGlRWDlQbBQYCT0BVVVZAVRsBHAVFXFVVSENdVEgFTzsWCBcgIywbBg
- 16:48:00 UTC - seventhnamed.co.vu - GET /ABsJAkhLAEMBGlRWDlQbBQYCT0BVVVZAVRsBHAVFXFVVSENdVEgKTwMfFjEwJi0eWQ
- 16:48:02 UTC - seventhnamed.co.vu - GET /ABsJAkhLAEMBGlRWDlQbBQYCT0BVVVZAVRsBHAVFXFVVSENdVEgKTzsWCBcgIywbBg
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion using Suricata (not including ET INFO or ET POLICY rules):
- 2014-12-10 16:47:48 UTC - 192.168.204.137:49170 - 107.6.164.18:80 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
- 2014-12-10 16:47:51 UTC - 128.199.48.110:80 - 192.168.204.137:49172 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014 (sid:2019315)
- 2014-12-10 16:47:53 UTC - 128.199.48.110:80 - 192.168.204.137:49173 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2019845)
- 2014-12-10 16:47:58 UTC - 128.199.48.110:80 - 192.168.204.137:49173 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (sid:2019873)
Sourcefire VRT ruleset from Snort 2.9.7.0 on Security Onion using tcpreplay:
- 2014-12-10 16:47:53 UTC - 128.199.48.110:80 - 192.168.204.137:49173 - [1:32359:1] FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-12-10-Nuclear-EK-flash-exploit.swf
File size: 21.8 KB ( 22326 bytes )
MD5 hash: 7fd849a20fa8e0a647f4138c3ce81de5
Detection ratio: 0 / 56
First submission: 2014-12-08 12:40:53 UTC
VirusTotal link: https://www.virustotal.com/en/file/60c0a25df731aa8aa11713a0341eab2943ca07fa8ec9de43376b9f7b1a17045e/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-12-10-Nuclear-EK-silverlight-exploit.xap
File size: 2014-12-10 18:31:15 UTC
MD5 hash: 87d140b1b68cbe2b46a4a355fbd87a09
Detection ratio: 1 / 56
First submission: 6.8 KB ( 6924 bytes )
VirusTotal link: https://www.virustotal.com/en/file/a0b5876419025568915bfea24d22163169f4b3634935edafd998c26d57900055/analysis/
MALWARE PAYLOAD
File name: 2014-12-10-Nuclear-EK-malware-payload.exe
File size: 82.9 KB ( 84848 bytes )
MD5 hash: 9f82062c56437a4b0ec896fa71950085
Detection ratio: 5 / 56
First submission: 2014-12-10 18:31:27 UTC
VirusTotal link: https://www.virustotal.com/en/file/5a9a5b66cef38d10c78ccef20eb23621b47c196f9109fbac304ff00ab655b3c6/analysis/
Malwr link: https://malwr.com/analysis/NDU0YjdhY2Y5ZThmNDBkMGI5OGQ4ZDM4Mzk0ZmU3Yjg/
SCREENSHOTS FROM THE TRAFFIC
Nuclear EK landing page:
Nuclear EK sends Flash exploit:
Nuclear EK sends Silverlight exploit:
EXE payload sent three times, after successful exploits. Each time, the payload was XOR-ed with the ASCII string tmpTVTHym:
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-12-10-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2014-12-10-Nuclear-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.