2015-05-22 - FIESTA EK FROM BIZCN ACTOR

PCAPS AND MALWARE:

• ZIP of the pcaps:  2015-05-22-Fiesta-EK-pcaps.zip
• ZIP of the malware:  2015-05-22-Fiesta-EK-artifacts-malware.zip

 

NOTES:

This is a follow-up on two Internet Storm Center (ISC) diaries I wrote during the past month:

• 2015-04-28 - https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631
• 2015-05-04 - https://isc.sans.edu/diary/Traffic+pattern+change+noted+in+Fiesta+exploit+kit/19655

Fiesta EK changed traffic patterns as early as 2015-05-11, about a week after the 2015-05-04 ISC diary.  The BizCN actor discussed in the 2015-04-28 ISC diary is still active.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 136.243.224.10 port 80 - fogelicy.org - BizCN gate currently tied to forum.thegradcafe.com
• 136.243.224.10 port 80 - varadank.org - BizCN gate currently tied to www.visajourney.com
• 136.243.227.9 port 80 - muskiert.org - BizCN gate currently tied to hacknmod.com
• 136.243.227.9 port 80 - woodicani.pw - BizCN gate currently tied to forums.pinstack.com
• 205.234.186.115 - newblueold.eu - Fiesta EK on 2015-05-21
• 205.234.186.115 - liveblueold.eu - Fiesta EK on 2015-05-22

 

FIESTA EK AFTER VISAJOURNEY.COM:

• 2015-05-21 21:15:29 UTC - 207.58.140.165 - www.visajourney.com - GET /
• 2015-05-21 21:15:31 UTC - 136.243.224.10 - varadank.org - GET /i/yl-kmiz-P_W-/_zSGmNK-HVZw.php?Q1v_CHWRa=Geh78v5tIf--7Y6dazUaP52zH3Rbeie5-1i4e
• 2015-05-21 21:15:50 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/_jViI3fCriMpwMsCWIWK
• 2015-05-21 21:15:52 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/16IClGk-khX1ec-VDiIF_sYX6cs7aw5TvVr0A0wzR.112202.228
• 2015-05-21 21:15:53 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/FvaNCAHKCgzLBMevSrG-cZHIGqKRsWcy8xwRdyc98XKyc-
• 2015-05-21 21:15:53 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/cwM5R8xyd32VzroVhbPHUF7lYAzVSQOw5YJcb8TskUt.910
• 2015-05-21 21:15:53 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/bvVyqeXzmPx2S5V-3OiYiY-RFwVtt7G5W0VXcW3NG5.4060310
• 2015-05-21 21:15:54 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/bofJooAheSMu9qcNV7HRitKYyzGsPDG5dfceAJId9M
• 2015-05-21 21:15:55 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/FJBfGibzM4Vltvr69rV-fBDI08KR0zcSCnzUKyc8v-Kp8Q
• 2015-05-21 21:15:58 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/bofJooAheSMu9qcNV7HRitKYyzGsPDG5dfceAJId9M.1
• 2015-05-21 21:15:59 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/FJBfGibzM4Vltvr69rV-fBDI08KR0zcSCnzUKyc8v-Kp8Q.1
• 2015-05-21 21:16:00 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/DTu0g3U4Io7h47C5GIsBHYVjKYGLGCHQuN6fV3AdKSgE
• 2015-05-21 21:16:05 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/DTu0g3U4Io7h47C5GIsBHYVjKYGLGCHQuN6fV3AdKSgE.1
• 2015-05-21 21:16:10 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/4d_bQRlITpzzSC3SGUFQH-g5K-JLFJQOWYwUV9AXlXtV
• 2015-05-21 21:16:14 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/4d_bQRlITpzzSC3SGUFQH-g5K-JLFJQOWYwUV9AXlXtV.1
• 2015-05-21 21:16:15 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/5JmorHe2cFIPxHu0eVhvZiRbqK-XzcX81WhdUVesKsbqF
• 2015-05-21 21:16:16 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/DPIqkyUuGwNlrhDecRPHiYV_lhX6zyP7uNLhVegssYyt.1
• 2015-05-21 21:16:20 UTC - 205.234.186.115 - newblueold.eu - GET /bhxgu6tw/DPIqkyUuGwNlrhDecRPHiYV_lhX6zyP7uNLhVegssYyt.1.1

 

FIESTA EK AFTER FORUMS.PINSTACK.COM:

• 2015-05-22 15:08:34 UTC - 216.18.216.78 - forums.pinstack.com - GET /
• 2015-05-22 15:08:35 UTC - 136.243.227.9 - woodicani.pw - GET /uHxivpUgIh--XQ_OrszK-tN/XzQrnktU_H_TLVw-_-WKpNP/uK-ir-gJSjyW_-R_m/qzY-QNToXJ__ux_S
  -gj.php?K=7&sm-=4&P=c&Une8aWi=0k&LK3S1=a&jmUBe_c=fL&Mku=0&_HUkAB=4&GzYQ0nUOC=7&VYOe8_UN=b&hw1ogfX=w1
• 2015-05-22 15:08:49 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/Arp3L5pvxSXeGrH1uN9m
• 2015-05-22 15:08:51 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/apU6ngiT9lSSSc5VMR-07yBTz1DGOuIYhV9vFbbQL.112202.228
• 2015-05-22 15:08:52 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/3r3jzgVk30KWH9qG-FPj-bSyBkgPM2mW-Ehcr8J-DYV
• 2015-05-22 15:08:52 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/aHGLyuw9UDO0eFNf4rYbqJ6uW1GstW-dfVq0z3Zp7.4060310
• 2015-05-22 15:08:52 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/ATQphcCTVVDMrcNGQjRMjy4ww7H2MG5kdc8McXd2p.910
• 2015-05-22 15:08:53 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/bWlSEnUxsvb7VoGU2MRRV8f6Eu7DGDu5-bc3ybKd1m
• 2015-05-22 15:08:55 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/cPqEPubGh7HNH1ecUGajR3tf6WV7HAMWIhbVeFXlZhC
• 2015-05-22 15:08:57 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/bWlSEnUxsvb7VoGU2MRRV8f6Eu7DGDu5-bc3ybKd1m.1
• 2015-05-22 15:08:59 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/cPqEPubGh7HNH1ecUGajR3tf6WV7HAMWIhbVeFXlZhC.1
• 2015-05-22 15:08:59 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/eUzPd0UNDEHHLwgMoFI0PRUF93WE21VJOwNI0c3FdKkWN
• 2015-05-22 15:09:06 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/eUzPd0UNDEHHLwgMoFI0PRUF93WE21VJOwNI0c3FdKkWN.1
• 2015-05-22 15:09:10 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/171qWEO0UM-3oFY2ZrRHeJBELPDb9GYKEc3bfKBKr
• 2015-05-22 15:09:14 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/171qWEO0UM-3oFY2ZrRHeJBELPDb9GYKEc3bfKBKr.1
• 2015-05-22 15:09:15 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/clC4Xciw6FLux9rw-JNRRfed6wsPvtDu-Kvc8eyIbQL
• 2015-05-22 15:09:17 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/fxUOJXzv0ThjD_B9ypG-VnrYAYyBhLMDftuNuhV0bv0ybf.1
• 2015-05-22 15:09:22 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/fxUOJXzv0ThjD_B9ypG-VnrYAYyBhLMDftuNuhV0bv0ybf.1.1

 

FIESTA EK AFTER HACKNMOD.COM:

• 2015-05-22 15:32:02 UTC - 108.168.205.77 - hacknmod.com - GET /
• 2015-05-22 15:32:03 UTC - 136.243.227.9 - muskiert.org - GET /XuIhmGMLWPqNwrk--Z-ji_YSv/RIiT-/QhLNj-w_HlgW-SxYJuX-IUO.php?uN-=Y6mNe7kfj8-3qpe35hc4Ofcbl1
• 2015-05-22 15:32:10 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/UVY2ym6EIJFRVIiPz-ur
• 2015-05-22 15:32:12 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/1r5hoLXG94FMSGUT1RhF1P9Nk8_Q1WNNKV8fhKC8c.140000.125
• 2015-05-22 15:32:14 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/AY_HmItSxk695GhhZoIcR19OcqEqDzRuIV3fU-Maw
• 2015-05-22 15:32:18 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/AY_HmItSxk695GhhZoIcR19OcqEqDzRuIV3fU-Maw.1
• 2015-05-22 15:32:25 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/bdzIrvbbcprWC5ch6YRhiY13xWroJ1GNuXVbQTbhr1

 

FIESTA EK AFTER FORUM.THEGRADCAFE.COM:

• 2015-05-22 15:44:51 UTC - 212.13.201.11 - forum.thegradcafe.com - GET /
• 2015-05-22 15:44:51 UTC - 136.243.224.10 - fogelicy.org - GET /RiuWSGlVZKOJ_-zqTvQUrw/NIG/jK-PxQZ-mUgtiqV/P_T_XIsUjSx-n.php?qYXv=88zzd&g=bdRPas&
  SbC=aaTd&KIX2u-_=ueW81&_N=7c1&JbzO=eJ1i1&FTe5V-=s89T7&VpBNH_=cM19&dniV_yj4=2a1
• 2015-05-22 15:44:55 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/jFlVEMh7HdiRGnCYGN-H
• 2015-05-22 15:44:57 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/3FMb3xkkMsqsQ1qGIynRU38PR8uGpqqwIKfcesbIYX8.140000.125
• 2015-05-22 15:45:00 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/6AU72x95NWzSXKEDDrFRMio5GRMhtuzEPpwYWKc9GvKmRi
• 2015-05-22 15:45:04 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/6AU72x95NWzSXKEDDrFRMio5GRMhtuzEPpwYWKc9GvKmRi.1
• 2015-05-22 15:45:09 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/CnWLmCAESUFJO0oGhvtNIFj7R7ucdACwNkbc3QTbkOx
• 2015-05-22 15:45:10 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/cNX4RhvWotj6I9eFIf9RYGe1ReLGqfoWY-JVr1VI8HW
• 2015-05-22 15:45:10 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/cNX4RhvWotj6I9eFIf9RYGe1ReLGqfoWY-JVr1VI8HW
• 2015-05-22 15:45:11 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/13e1FGKouefVecYctoI2CMhS6cKvSw5UKVegvlWKr.1
• 2015-05-22 15:45:16 UTC - 205.234.186.115 - liveblueold.eu - GET /bhxgu6tw/13e1FGKouefVecYctoI2CMhS6cKvSw5UKVegvlWKr.1.1

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcaps:  2015-05-22-Fiesta-EK-pcaps.zip
• ZIP of the malware:  2015-05-22-Fiesta-EK-artifacts-malware.zip

Click here to return to the main page.