2015-07-09 - BIZCN GATE ACTOR NUCLEAR EK ON 104.238.187.29

PCAP AND MALWARE:

• ZIP archive of the traffic (all 4 pcaps):  2015-07-09-BizCN-gate-actor-Nuclear-EK-pcaps.zip
• ZIP file of the malware (all examples):  2015-07-09-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
• Today, the BizCN gate actor Nuclear EK traffic moved from 108.61.188.92 (yesterday) to 104.238.187.29 (still a Choopa/Vultr IP address).
• This makes the third Choopa/Vultr IP address I've seen used by this actor.

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63.163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29

 

TRAFFIC

ASSOCIATED DOMAINS - EXAMPLE 1 OF 4:

• www.coffeeforums.com - Compromised website
• 148.251.187.233 port 80 - nealychy.org - BizCN gate for www.coffeeforums.com
• 104.238.187.29 port 80 - mediafe.in - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - EXAMPLE 1 OF 4:

• 2015-07-09 15:00:44 UTC - www.coffeeforums.com - GET /
• 2015-07-09 15:00:46 UTC - nealychy.org - GET /wQ/tJs-qTr-hX-nxUlzLiVu/oO_w-HzmtY-XQx.php?
  5kWuonHgX=5L8Ge9&H7pefY_gO=48-ca&P_-ZgG6-=e2n9r5&2fZs=s0-dfd&neUIoh=0P6f5&DG=4u025&WYvm-=1R252z

NUCLEAR EK - EXAMPLE 1 OF 4:

• 2015-07-09 15:00:58 UTC - mediafe.in - GET /G0RbUUUJHltQUVBZBFMbXFc.html
• 2015-07-09 15:00:59 UTC - mediafe.in - GET /B05FSUBKDFJJBEULHltQUVBZBFMbXFdEWgYbBw0LTAcCAhcPVUoEAQoOVgMBBQwAHlBZBg
• 2015-07-09 15:00:59 UTC - mediafe.in - GET /BF9ZUEVBEFhRSQhEUUpYUF1RA1BQG1BWHg4FGwsMURgEAg4WVQFJBA0LVAIAAQkNWkoASUBrM3pzfl12AUoE

 

ASSOCIATED DOMAINS - EXAMPLE 2 OF 4:

• www.iwsti.com - Compromised website
• 136.243.224.10 port 80 - nealychy.com - BizCN gate for www.iwsti.com
• 104.238.187.29 port 80 - mediafe.in - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - EXAMPLE 2 OF 4:

• 2015-07-09 15:21:23 UTC - www.iwsti.com - GET /
• 2015-07-09 15:21:24 UTC - nealychy.com - GET /nq/YV-IrStQ-UnX_MjmKuq-hivg.js?
  UePL12Zm=6799&67_B0Ql=3O9dJ1&_8i9-_-V=36OS5jU2V&-JGy=bq2db&hwzrlD0n=85Rb8&v=du0Y3ne&_yY8=4r3

NUCLEAR EK - EXAMPLE 2 OF 4:

• 2015-07-09 15:21:35 UTC - mediafe.in - GET /EEFYVF1EU0pYUF1RA1BQG1BW.html
• 2015-07-09 15:21:36 UTC - mediafe.in - GET /B05FSUtPD1dRSQhEUUpYUF1RA1BQG1BWHgMbAwsWVhgHBgBEUwIGAw0NVwQMAEVeDgU
• 2015-07-09 15:21:36 UTC - mediafe.in - GET /BF9ZUEVKFVtUUUUJHgVJWFxcC1dTUBdRDEoAGw8KTAIbBwoBHgcBBg8MVwMHDAxEV0plYnNwNXxNSQg
• 2015-07-09 15:21:49 UTC - mediafe.in - GET /BF9ZUEVKFVtUUUUJHgVJWFxcC1dTUBdRDEoAGw8KTAIbBwoBHgcBBg8MVwMHDAxEVUplYnNwNXxNSQg

 

ASSOCIATED DOMAINS - EXAMPLE 3 OF 4:

• boards.sportslogos.net - Compromised website
• 148.251.187.233 port 80 - blouneth.com - BizCN gate for boards.sportslogos.net
• 104.238.187.29 port 80 - mediafe.in - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - EXAMPLE 3 OF 4:

• 2015-07-09 15:30:41 UTC - boards.sportslogos.net - GET /
• 2015-07-09 15:30:42 UTC - blouneth.com - GET /ZnL-_I-RoSimHrx/Y_txiVH--j_GWUouZRXP_/wZ-st-KizOWPJnlTSVUh-.js?
  Pg=1c-cte3Z1bn79ye4xcVfRcqaeo2R5l33

NUCLEAR EK - EXAMPLE 3 OF 4:

• 2015-07-09 15:30:55 UTC - mediafe.in - GET /E11CVEUJHltQUVBZBFMbXFc.html
• 2015-07-09 15:30:57 UTC - mediafe.in - GET /B05FSUhTFVdJBEULHltQUVBZBFMbXFdEVxgDBxcKVxgEAAtEUwIGAw0NVw4AA0VeDgU
• 2015-07-09 15:30:58 UTC - mediafe.in - GET /BF9ZUEVJCUFUSQhEUUpYUF1RA1BQG1BWHgMbAwsWUAMbBAwKHgcBBg8MVwMNAA9EV0pgcU9sKUBJBA

 

ASSOCIATED DOMAINS - EXAMPLE 4 OF 4:

• www.tractorbynet.com - Compromised website
• 148.251.187.233 port 80 - trevisshows.com - BizCN gate for www.tractorbynet.com
• 104.238.187.29 port 80 - mediafe.in - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - EXAMPLE 4 OF 4:

• 2015-07-09 15:45:41 UTC - www.tractorbynet.com - GET /forums/rural-living/169575-winter-vs-spring-felling-trees.html
• 2015-07-09 15:45:43 UTC - trevisshows.com - GET /GXk/v_JX_/v_Nox/_IwS/YXuRUTyGI-Oh--MoiKrP.php?
  YwfAIe_o=550T4_b74&24B=5Z3pa8V27J2&z0REi6M=230j0N1I59&G_yW=43

NUCLEAR EK - EXAMPLE 4 OF 4:

• 2015-07-09 15:45:51 UTC - mediafe.in - GET /CwFXTFoBHgdJWFxcC1dTUBdRDA.html
• 2015-07-09 15:45:51 UTC - mediafe.in - GET /B05FSVAPAE9WDEUJHgVJWFxcC1dTUBdRDEoAGw8KTAQAGwgMUkoEAQoOVgMDAgwJHlBZBg
• 2015-07-09 15:45:52 UTC - mediafe.in - GET /BF9ZUEVRVVRMVgBEU0oGSVRdBl9UU1wWC1hJABcOUBgHABcJVgZJBA0LVAIAAw4NU0oASVt0DmJtSQg
• 2015-07-09 15:45:58 UTC - mediafe.in - GET /BF9ZUEVRVVRMVgBEU0oGSVRdBl9UU1wWC1hJABcOUBgHABcJVgZJBA0LVAIAAw4NU0oCSVt0DmJtSQg

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the traffic (all 4 pcaps):  2015-07-09-BizCN-gate-actor-Nuclear-EK-pcaps.zip
• ZIP file of the malware (all examples):  2015-07-09-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.