2014-12-18 - NUCLEAR EK FROM 178.62.255.107 - WOXEPITYFILLO.CF

ASSOCIATED FILES:

• ZIP of the pcap:  2014-12-18-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-12-18-Nuclear-EK-malware.zip

 

NOTES:

• Found this while browsing through scumware.org.
• The malware payload (an EXE file) is digitally signed.
• This is the first time I've noticed a Silverlight exploit with the new URL patterns for Nuclear EK.

Shown above:  search results for the compromised website on scumware.org

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 93.190.48.4 - www.nandy.cz - Compromised website
• 195.3.124.165 - d16305.ispservices.at - Redirect
• 178.62.255.107 - woxepityfillo.cf - Nuclear EK
• 176.9.159.141 - allaff.com - Post-infection traffic caused by the malware payload

 

COMPROMISED WEBSITE:

• 2014-12-18 16:26:21 UTC - www.nandy.cz - GET /

 

REDIRECT:

• 2014-12-18 16:26:22 UTC - d16305.ispservices.at - GET /a1/l9xdpvy3.php?id=3418433

 

NUCLEAR EK:

• 2014-12-18 16:26:23 UTC - woxepityfillo.cf - GET /XhEBU0gABgtA.html
• 2014-12-18 16:26:24 UTC - woxepityfillo.cf - GET /AwoVGwxRV0MOVFAaQBlWAAMLTkNfXFBCGVYMBh1GQlFLX0tLVgAGTxEeVA
• 2014-12-18 16:26:25 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtHGgs1HwMj
• 2014-12-18 16:26:26 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtHGiQNIQoIYmZPRQ
• 2014-12-18 16:26:27 UTC - woxepityfillo.cf - GET /AwoVGwxRV0MOVFAaQBlWAAMLTkNfXFBCGVYMBh1GQlFLX0tLVgAGTwQbChMDAA
• 2014-12-18 16:26:28 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtFGgs1HwMj
• 2014-12-18 16:26:29 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtFGiQNIQoIYmZPRQ
• 2014-12-18 16:26:49 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtKGgs1HwMj
• 2014-12-18 16:26:50 UTC - woxepityfillo.cf - GET /ABsJAkgKUBNGGldTDlcbBQYCT0tXXF9EVRsFCgdZQ1ZSSEtcSQUGBwtKGiQNIQoIYmZPRQ

 

POST-INFECTION TRAFFIC:

• 2014-12-18 16:27:13 UTC - allaff.com - POST /1/backup/rdr.php HTTP/1.0

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion monitoring the infection traffic using Suricata (not including ET INFO or ET POLICY rules):

• 93.190.48.4:80 - 192.168.204.137:50086 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag (sid:2018053)
• 178.62.255.107:80 - 192.168.204.137:50088 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014 (sid:2019315)
• 178.62.255.107:80 - 192.168.204.137:50088 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2019845)
• 178.62.255.107:80 - 192.168.204.137:50089 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (sid:2019873)
• 178.62.255.107:80 - 192.168.204.137:50089 - ET CURRENT_EVENTS Nuclear EK SilverLight Exploit (sid:2019917)
• 192.168.204.137:50091 - 176.9.159.141:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)

 

Sourcefire VRT ruleset from Snort 2.9.7.0 on Security Onion using tcpreplay (not includeing preprocessor rules):

• 93.190.48.4:80 - 192.168.204.137:50086 - POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (sid:32481)
• 178.62.255.107:80 - 192.168.204.137:50088 - FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (sid:32359)
• 192.168.204.137:50091 - 176.9.159.141:80 - MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration (sid:27919)

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-12-18-Nuclear-EK-flash-exploit.swf
File size:  21.3 KB ( 21821 bytes )
MD5 hash:  1d5a40397e716fde5fca0d178acd835e
Detection ratio:  0 / 53
First submission:  2014-12-17 07:58:36 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fa695e9e42f621a0e7c49958b6c59042acaa3c68b2e5255309669eee5f85ed5a/analysis/

 

SILVERLIGHT EXPLOIT

File name:  2014-12-18-Nuclear-EK-Silverlight-exploit.xap
File size:  6.8 KB ( 6926 bytes )
MD5 hash:  e06bfa9214d3f7fe7f176d963d5be4b9
Detection ratio:  1 / 55
First submission:  2014-12-18 17:20:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1e2769893b7142184bdd82d966c3425c8686df2bb61be8b3eb977d7e5a617247/analysis/

 

MALWARE PAYLOAD

File name:  2014-12-18-Nuclear-EK-malware-payload.exe
File size:  178.1 KB ( 182424 bytes )
MD5 hash:  4f61aa95d7e045a533c5c11702ba17a2
Detection ratio:  7 / 54
First submission:  2014-12-18 00:25:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/35f0dd081d9f70d4d1af6a37bb89a703eb80e104902ca629481915df86f0b4f2/analysis/
Malwr link:  https://malwr.com/analysis/YjZiYzA2MTgxNzgxNDg3OGE3NjZhOWI2Y2E4MTU2ZGE/

 

SCREENSHOTS FROM THE TRAFFIC

Malicious script in page from comrpomised website:

 

Redirect pointing to the exploit kit:

 

Nuclear EK landing page:

 

Nucelar EK sends Flash exploit:

 

EXE payload, XOR-ed with the ASCII string nSmfD during the traffic (sent 3 times with the same XOR pattern):

 

Nuclear EK sends Silverlight exploit:

 

Post-infection HTTP request from the infected VM:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-12-18-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2014-12-18-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.