2014-12-25 - NUCLEAR EK FROM WINDIGO GROUP - 67.215.1.162

ASSOCIATED FILES:

• ZIP of the pcap:  2014-12-25-Nuclear-EK-from-Windigo-group-traffic.pcap.zip
• ZIP of the malware:  2014-12-25-Nuclear-EK-from-Windigo-group-malware.zip

 

NOTES:

• Working during the holidays and saw an Operation Windigo-style redirect generated by www.stars-hk.com.
• I infected a vulnerable VM by viewing www.stars-hk.com through a Google search.
• For more information about Operation Windigo, ESET published a report avaialable here.

Shown above:  Adultfriendfinder appeared after clicking on Google search result for www.stars-hk.com.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 59.188.3.145 - www.stars-hk.com - Comrpomised website
• 67.215.1.162 - v3n3j7hjo9n9azf0tie0hwx.alicisemsiye.com - Redirect
• 67.215.1.162 - v3n3j7hjo9n9azf0tie0hwx2199542d41c61787068de91c848581d49.alicisemsiye.com - Redirect
• 67.215.1.162 - gibdbnfgy8t3hglj5xzll7x.alicisemsiye.com - Nuclear EK

 

TRAFFIC:

• 21:02:19 UTC - www.stars-hk.com - GET /
• 21:02:21 UTC - v3n3j7hjo9n9azf0tie0hwx.alicisemsiye.com - GET /index.php?m=Yndta3Z4ZT16amR4a3JibWomdGltZT0xNDEyMjUyMDQ3MjI1NzcxMzIzOSZzcm
  M9MTk5JnN1cmw9d3d3LnN0YXJzLWhrLmNvbSZzcG9ydD04MCZrZXk9RTU4MUIyRUImc3VyaT0v
• 21:02:23 UTC - v3n3j7hjo9n9azf0tie0hwx2199542d41c61787068de91c848581d49.alicisemsiye.com - GET /get_gift.php

 

NUCLEAR EK:

• 21:02:26 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye.com - GET /H0FXBkgDT0U.html
• 21:02:29 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye.com - GET /AwoVG00BARYOVxlUDlRTBQsGQ0NVV1YOVFcAHAFFQEhUUkdLVQQCTxEeVA
• 21:02:30 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye.com - GET /ABsJAkhLAEUTGlQaQBlWAAMKQkZXVlRCGVYEBh1FQFRLV0ZQSQYCAwtHGg4gPh8z
• 21:02:35 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye.com - GET /ABsJAkhLAEUTGlQaQBlWAAMKQkZXVlRCGVYEBh1FQFRLV0ZQSQYCAwtHGg8_AgYJe0ZPRQ
• 21:02:36 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye.com - GET /AwoVG00BARYOVxlUDlRTBQsGQ0NVV1YOVFcAHAFFQEhUUkdLVQQCTwQbChMDAA
• 21:02:38 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye.com - GET /ABsJAkhLAEUTGlQaQBlWAAMKQkZXVlRCGVYEBh1FQFRLV0ZQSQYCAwtKGg4gPh8z
• 21:02:42 UTC - gibdbnfgy8t3hglj5xzll7x.alicisemsiye.com - GET /ABsJAkhLAEUTGlQaQBlWAAMKQkZXVlRCGVYEBh1FQFRLV0ZQSQYCAwtKGg8_AgYJe0ZPRQ

 

REDIRECT AFTER THE INFECTION TO ADULTFRIENDFINDER:

• 21:02:46 UTC - bzwyns6jjb3gbhlg7qlyxmp.escortbayancix.com - GET /get_ads.php?yy=1&aid=2&atr=exts&src=199
• 21:02:48 UTC - adultfriendfinder.com - GET /go/p1011105.subexts
• 21:02:49 UTC - adultfriendfinder.com - GET /go/page/landing_page_68?nid=14&layout=qna&pid=p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1
• 21:02:51 UTC - graphics.pop6.com - GET /javascript/live_cd/popunder_script-1400195675.js
• 21:02:51 UTC - graphics.pop6.com - GET /images/ffadult/css/header.css
• 21:02:51 UTC - graphics.pop6.com - GET /css/live_cd/ffadult/chinese/0/global_facelift-1414007370.css
  [and so on...]

 

MALWARE

• 2014-12-25-Nuclear-EK-flash-exploit.swf  -  Virus Total link
• 2014-12-25-Nuclear-EK-silverlight-exploit.xap  -  Virus Total link
• 2014-12-25-Nuclear-EK-payload-from-Windigo-group.exe (Glupteba)  -  Virus Total link  -  Malwr link

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2014-12-25-Nuclear-EK-from-Windigo-group-traffic.pcap.zip
• ZIP of the malware:  2014-12-25-Nuclear-EK-from-Windigo-group-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.