2014-12-18 - NUCLEAR EK FROM 178.62.255.107 - WOXEPITYFILLO.CF
ASSOCIATED FILES:
- ZIP of the pcap: 2014-12-18-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2014-12-18-Nuclear-EK-malware.zip
NOTES:
- Found this while browsing through scumware.org.
- The malware payload (an EXE file) is digitally signed.
- This is the first time I've noticed a Silverlight exploit with the new URL patterns for Nuclear EK.
Shown above: search results for the compromised website on scumware.org
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 93.190.48.4 - www.nandy.cz - Compromised website
- 195.3.124.165 - d16305.ispservices.at - Redirect
- 178.62.255.107 - woxepityfillo.cf - Nuclear EK
- 176.9.159.141 - allaff.com - Post-infection traffic caused by the malware payload
COMPROMISED WEBSITE:
- 2014-12-18 16:26:21 UTC - www.nandy.cz - GET /
REDIRECT:
- 2014-12-18 16:26:22 UTC - d16305.ispservices.at - GET /a1/l9xdpvy3.php?id=3418433
NUCLEAR EK:
- 2014-12-18 16:26:23 UTC - woxepityfillo.cf - GET /XhEBU0gABgtA.html
- 2014-12-18 16:26:24 UTC - woxepityfillo.cf - GET /AwoVGwxRV0MOVFAaQBlWAAMLTkNfXFBCGVYMBh1GQlFLX0tLVgAGTxEeVA
- 2014-12-18 16:26:25 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtHGgs1HwMj
- 2014-12-18 16:26:26 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtHGiQNIQoIYmZPRQ
- 2014-12-18 16:26:27 UTC - woxepityfillo.cf - GET /AwoVGwxRV0MOVFAaQBlWAAMLTkNfXFBCGVYMBh1GQlFLX0tLVgAGTwQbChMDAA
- 2014-12-18 16:26:28 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtFGgs1HwMj
- 2014-12-18 16:26:29 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtFGiQNIQoIYmZPRQ
- 2014-12-18 16:26:49 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtKGgs1HwMj
- 2014-12-18 16:26:50 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtKGiQNIQoIYmZPRQ
POST-INFECTION TRAFFIC:
- 2014-12-18 16:27:13 UTC - allaff.com - POST /1/backup/rdr.php HTTP/1.0
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion monitoring the infection traffic using Suricata (not including ET INFO or ET POLICY rules):
- 93.190.48.4:80 - 192.168.204.137:50086 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag (sid:2018053)
- 178.62.255.107:80 - 192.168.204.137:50088 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014 (sid:2019315)
- 178.62.255.107:80 - 192.168.204.137:50088 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2019845)
- 178.62.255.107:80 - 192.168.204.137:50089 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (sid:2019873)
- 178.62.255.107:80 - 192.168.204.137:50089 - ET CURRENT_EVENTS Nuclear EK SilverLight Exploit (sid:2019917)
- 192.168.204.137:50091 - 176.9.159.141:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
Sourcefire VRT ruleset from Snort 2.9.7.0 on Security Onion using tcpreplay (not including preprocessor rules):
- 93.190.48.4:80 - 192.168.204.137:50086 - POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (sid:32481)
- 178.62.255.107:80 - 192.168.204.137:50088 - FILE-FLASH Adobe Flash Player worker shared object use-after-free attempt (sid:32359)
- 192.168.204.137:50091 - 176.9.159.141:80 - MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (sid:27919)
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2014-12-18-Nuclear-EK-flash-exploit.swf
File size: 21.3 KB ( 21821 bytes )
MD5 hash: 1d5a40397e716fde5fca0d178acd835e
Detection ratio: 0 / 53
First submission: 2014-12-17 07:58:36 UTC
VirusTotal link: https://www.virustotal.com/en/file/fa695e9e42f621a0e7c49958b6c59042acaa3c68b2e5255309669eee5f85ed5a/analysis/
SILVERLIGHT EXPLOIT
File name: 2014-12-18-Nuclear-EK-Silverlight-exploit.xap
File size: 6.8 KB ( 6926 bytes )
MD5 hash: e06bfa9214d3f7fe7f176d963d5be4b9
Detection ratio: 1 / 55
First submission: 2014-12-18 17:20:52 UTC
VirusTotal link: https://www.virustotal.com/en/file/1e2769893b7142184bdd82d966c3425c8686df2bb61be8b3eb977d7e5a617247/analysis/
MALWARE PAYLOAD
File name: 2014-12-18-Nuclear-EK-malware-payload.exe
File size: 178.1 KB ( 182424 bytes )
MD5 hash: 4f61aa95d7e045a533c5c11702ba17a2
Detection ratio: 7 / 54
First submission: 2014-12-18 00:25:27 UTC
VirusTotal link: https://www.virustotal.com/en/file/35f0dd081d9f70d4d1af6a37bb89a703eb80e104902ca629481915df86f0b4f2/analysis/
Malwr link: https://malwr.com/analysis/YjZiYzA2MTgxNzgxNDg3OGE3NjZhOWI2Y2E4MTU2ZGE/
SCREENSHOTS FROM THE TRAFFIC
Malicious script in page from compromised website:
Redirect pointing to the exploit kit:
Nuclear EK landing page:
Nuclear EK sends Flash exploit:
EXE payload, XOR-ed with the repeating ASCII key nSmfD while in transit (sent 3 times, each with the same XOR pattern):
Nuclear EK sends Silverlight exploit:
Post-infection HTTP request from the infected VM:
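The XOR-encoded payload transfer noted in the captions above is easy to undo once the key is known, and when it is not, a known-plaintext attack against the DOS stub recovers a short repeating key from a single HTTP body. The following is an added example (not code from the original post, the pcap, or Nuclear EK itself). It takes the key nSmfD and the repeating-key XOR scheme from the traffic notes; the fake EXE bytes, the assumption that the key is aligned to offset 0 of the HTTP body, and the 16-byte maximum key length are assumptions made here for illustration. It goes beyond the page's single case by recovering the key from the ciphertext rather than only applying it.

```python
"""Decode an EXE that an exploit kit XOR-ed with a short repeating ASCII key.

Added example, not code from the original post. The key "nSmfD" and the
repeating-key XOR scheme come from the traffic notes; the fake EXE, the
key alignment at offset 0 of the HTTP body and MAX_KEY_LEN are assumptions.
"""
from itertools import cycle
from typing import Optional

KEY = b"nSmfD"                      # key observed in the traffic (per the notes)
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E              # where MS-linked PEs normally carry that string
MAX_KEY_LEN = 16                    # assumed upper bound when searching for a key


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic and follow e_lfanew to the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_exe() -> bytes:
    """Constructed stand-in for the real payload: valid MZ/PE skeleton, junk body."""
    pe_offset = 0x80
    img = bytearray(b"MZ" + b"\x90" * 0x3A)                  # 0x3C bytes
    img += pe_offset.to_bytes(4, "little")                    # e_lfanew at 0x3C
    img += bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")     # 14-byte DOS stub code
    img += DOS_STUB_TEXT                                      # lands at 0x4E
    img += b"\x00" * (pe_offset - len(img))
    img += b"PE\x00\x00" + b"\xcc" * 0x100
    return bytes(img)


def decode_payload(ct: bytes, key: bytes = KEY) -> bytes:
    """Decode one XOR-ed HTTP body and refuse output that is not a PE."""
    pt = xor_repeating(ct, key)
    if not looks_like_pe(pt):
        raise ValueError("decoded data is not a PE image; wrong key or alignment")
    return pt


def recover_key(ct: bytes, known: bytes, offset: int,
                max_len: int = MAX_KEY_LEN) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    For every key length up to max_len, derive the key bytes the known
    plaintext fixes, reject lengths where one key position would need two
    different values, and keep the shortest key whose full decode is a PE.
    The known plaintext must be at least as long as the real key so that
    every key position is covered.
    """
    for klen in range(1, max_len + 1):
        key = [None] * klen
        consistent = True
        for i, p in enumerate(known):
            pos = (offset + i) % klen
            kb = ct[offset + i] ^ p
            if key[pos] is None:
                key[pos] = kb
            elif key[pos] != kb:
                consistent = False
                break
        if not consistent or any(k is None for k in key):
            continue
        candidate = bytes(key)
        if looks_like_pe(xor_repeating(ct, candidate)):
            return candidate
    return None


if __name__ == "__main__":
    exe = build_fake_exe()
    wire = xor_repeating(exe, KEY)              # what each of the three responses carried
    print("MZ visible on the wire:", wire[:2] == b"MZ")
    print("recovered key:", recover_key(wire, DOS_STUB_TEXT, DOS_STUB_OFFSET))
    print("decode matches original:", decode_payload(wire) == exe)
```

The same sequence of requests in this capture carried the payload three times with an identical XOR pattern, so a key recovered from one response decodes the other two as well; on a real pcap, carve the HTTP body of each payload response and feed it to `recover_key` with the DOS stub as known plaintext, then confirm the decoded file's MD5 against the value listed under MALWARE PAYLOAD.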
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2014-12-18-Nuclear-EK-traffic.pcap.zip
- ZIP of the malware: 2014-12-18-Nuclear-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.