2015-01-29 - NUCLEAR EK FROM 178.62.149.46 - CULTUREMERGE.GA - VAWTRAK PAYLOAD

ASSOCIATED FILES:

• ZIP of the pcap:  2015-01-29-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2015-01-29-Nuclear-EK-malware.zip

 

NOTES:

• Volumebass.com is a domain with 8 entries on Threatglass ( link ) that show Sweet Orange EK traffic in the associated pcap files.
• Now, it looks like volumebass.com is now triggering Nuclear EK.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 185.45.192.179 - www.volumebass.com - Compromised website
• 178.62.149.46 - culturemerge.ga - Nuclear EK
• 46.63.127.64 - cpcloc.net - Vawtrak/NeverQuest posting data

 

COMPROMISED WEBSITE AND INFECTION PATH:

• 2015-01-29 17:22:04 UTC - www.volumebass.com - GET /
• 2015-01-29 17:22:11 UTC - www.volumebass.com - GET /submit/style.php

 

NUCLEAR EK:

• 2015-01-29 17:22:12 UTC - culturemerge.ga - GET /AgJVAhoAGFpMUAVU.html
• 2015-01-29 17:22:13 UTC - culturemerge.ga - GET /AU4STwAHU1NMUUlcSlMHVAFRVwJTB1RKVx1XA1ZMAVUFSgRWTwBfVg
• 2015-01-29 17:22:15 UTC - culturemerge.ga - GET /Al8OVhpVUFUBHgYYDh4CUgFWVwVQBFYGHgZIAlRQHlMCVBhQBxoGGDpaIEUi
• 2015-01-29 17:22:17 UTC - culturemerge.ga - GET /Al8OVhpVUFUBHgYYDh4CUgFWVwVQBFYGHgZIAlRQHlMCVBhQBxoGGBpgEF8mYRhdIk9W
• 2015-01-29 17:22:21 UTC - culturemerge.ga - GET /Al8OVhpVUFUBHgYYDh4CUgFWVwVQBFYGHgZIAlRQHlMCVBhQBxoEGDpaIEUi
• 2015-01-29 17:22:22 UTC - culturemerge.ga - GET /Al8OVhpVUFUBHgYYDh4CUgFWVwVQBFYGHgZIAlRQHlMCVBhQBxoEGBpgEF8mYRhdIk9W
• 2015-01-29 17:22:23 UTC - culturemerge.ga - GET /AU4STwAHU1NMUUlcSlMHVAFRVwJTB1RKVx1XA1ZMAVUFSgRWTxVaCBRVEA
• 2015-01-29 17:22:25 UTC - culturemerge.ga - GET /Al8OVhpVUFUBHgYYDh4CUgFWVwVQBFYGHgZIAlRQHlMCVBhQBxoLGDpaIEUi
• 2015-01-29 17:22:28 UTC - culturemerge.ga - GET /Al8OVhpVUFUBHgYYDh4CUgFWVwVQBFYGHgZIAlRQHlMCVBhQBxoLGBpgEF8mYRhdIk9W

 

POST-INFECTION TRAFFIC:

• 2015-01-29 17:22:21 UTC - cpcloc.net - POST /collection/0000004E/00/2C380B4C
• 2015-01-29 17:32:22 UTC - cpcloc.net - POST /collection/0000004E/00/2C380B4C

 

SNORT EVENTS

Significant signature hits from the Emerging Threats and ETPRO rulesets using Suricata on Security Onion:

• 178.62.149.46 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Jan 27 2015 M2 (sid:2020319)
• 178.62.149.46 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2019845)
• 178.62.149.46 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2 (sid:2020311)
• 178.62.149.46 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SilverLight M2 (sid:2020317)
• 178.62.149.46 port 80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (sid:2019873)
• 46.63.127.64 port 80 - ETPRO TROJAN Vawtrak/NeverQuest Posting Data (sid:2809464)

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

• 185.45.192.179 port 80 - [1:32481:1] POLICY-OTHER Remote non-JavaScript file found in script tag src attribute
• 178.62.149.46 port 80 - [1:32359:1] FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2015-01-29-Nuclear-EK-flash-exploit.swf
File size:  26.7 KB ( 27346 bytes )
MD5 hash:  fc65c7cf2eeea109946c9b30281b01f8
Detection ratio:  1 / 57
First submission:  2015-01-29 18:05:58 UTC
VirusTotal link:  https://www.virustotal.com/en/file/571dc2a375cdd0d00dc94b37a8e146bc22f29d7b26045dffdbd4c6fd6ce56cf7/analysis/

 

SILVERLIGHT EXPLOIT:

File name:  2015-01-29-Nuclear-EK-silverlight-exploit.xap
File size:  16.0 KB ( 16406 bytes )
MD5 hash:  4ae69b684daa63b5091295244cf41fad
Detection ratio:  0 / 36
First submission:  2015-01-29 18:06:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b386acd0f63f0ea9c2ac1d283d94fcd098cd94cb3fba6a7ccb7bb769398741d2/analysis/

 

MALWARE PAYLOAD:

File name:  2015-01-29-Nuclear-EK-malware-payload.exe
File size:  392.0 KB ( 401408 bytes )
MD5 hash:  55b7da1da8ac0f4bc6ec42e9a8b00163
Detection ratio:  7 / 57
First submission:  2015-01-29 18:06:24 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ea0e75faa7c30806ad13300fa9bfe2839323fc47203f9b2dba49ba3580dd40a0/analysis/
Malwr link:  https://malwr.com/analysis/ZTUxNzAwODI2MWY5NDY5OGEwYzc5ZjA2MTY1ZjdmZjI/

 

DROPPED MALWARE (DLL FILE):

File name:  C:\ProgramData\ZedfOzbeb\TugeBucb.fec
File size:  292.0 KB ( 299008 bytes )
MD5 hash:  a31d9d3f6a0eae52c882d5dda534187d
Detection ratio:  3 / 57
First submission:  2015-01-29 18:06:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/993c82a0649786cdf3c4e7e32a27c9dcfd70091564bbd18928d1387e6854faac/analysis/
Malwr link:  https://malwr.com/analysis/MmNkODc5NmMxZDY1NDQ1YWI5MDM0NzhkMGQwYjJjMWI/

 

SCREENSHOTS FROM THE TRAFFIC

Infection path pointing to the exploit kit (EK) landing page:

 

Nuclear EK landing page:

 

Nuclear EK sends Flash exploit:

 

Nuclear EK sent the same malware payload 3 different times.  In each case, it was XOR-ed with the ASCII string XjBpF

 

Nuclear EK sends the Silverlight exploit after the first malware payload:

 

Here's the callback traffic that triggered the ETPRO Vawtrak/NeverQuest signature:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcap:  2015-01-29-Nuclear-EK-traffic.pcap.zip
• ZIP of the malware:  2015-01-29-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.