2015-07-07 - BIZCN GATE ACTOR NUCLEAR EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-07-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
• 2015-07-07-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 206.127.24[.]11 port 80 - rugerforum[.]net - Compromised website
• 136.243.25[.]241 port 80 - sansaiaarias[.]com - BizCN-registered gate
• 107.191.63[.]163 port 80 - newsolar[.]ga - Nuclear EK

 

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE

• 2015-07-07 19:51:07 UTC - rugerforum[.]net - GET /
• 2015-07-07 19:51:08 UTC - sansaiaarias[.]com - GET /gslY-ikyXwnztJ/kgxXpGIuJMv.js?
  _WgYt=e74&-kbnp_0SO=db-3>Hl8VCp-=5u5-c&XmZq=0-f4&IWT2qSO=y2c-6&_8Gqrs=695_&r509e=96x1&9B=1Z_bfH&wE1=wcG

 

NUCLEAR EK

• 2015-07-07 19:51:19 UTC - newsolar[.]ga - GET /WkhXUEVKSggeX1FPRVYOUEYWUVg.html
• 2015-07-07 19:51:20 UTC - newsolar[.]ga - GET /U0ESTVhJA1gTQ0gJSgoeX1FPRVYOUEYWUVgeBwIWBwFVHwIMGAtRA0gJAgpUAw0AAA5bTVJUBw
• 2015-07-07 19:51:20 UTC - newsolar[.]ga - GET /UFAOVEhURwwDQEZEB0VRTVpdQUoNXVVKGF4DTQIOGAhaBhoOAhdQAgZEBw1RBwYBDg9VCEgNSnQjdFFqeHweAA

 

Click here to return to the main page.