2015-07-13 - BIZCN GATE ACTOR NUCLEAR EK ON 185.92.220.196

PCAP AND MALWARE:

• ZIP archive of the pcaps:  2015-07-13-BizCN-gate-actor-Nuclear-EK-paps.zip
• ZIP archive of the malware:   2015-07-13-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
• Today, the BizCN gate actor's Nuclear EK traffic was at 185.92.220.196.

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63.163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196

 

TRAFFIC - EXAMPLE 1 OF 2

ASSOCIATED DOMAINS - EXAMPLE 1 OF 2:

• www.longrangehunting.com - Compromised website
• 136.243.25.241 port 80 - frekassaandme.com - BizCN-registered gate
• 185.92.220.196 port 80 - joston2.xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - EXAMPLE 1 OF 2:

• 2015-07-13 17:03:42 UTC - www.longrangehunting.com - GET /
• 2015-07-13 17:03:43 UTC - frekassaandme.com - GET /wVJqGvjH/nuo_xJkNs-P/XjR.js?a_YA=3MaIf&_=0Z7W1&B__jQ5=a1q6&oZw-AH9=H7-3Kf&3=bdfP&
  Z_Eec2--w=dU11&-3yK=L56tG9&C_=18-9&9zv1=dPYf

NUCLEAR EK - EXAMPLE 1 OF 2:

• 2015-07-13 17:04:04 UTC - joston2.xyz - GET /ARBXD1oeUx8OWEoWDQ1WGUEbGA.html
• 2015-07-13 17:04:05 UTC - joston2.xyz - GET /BxsUS1oRUVsHSwgeUR8OWEoWDQ1WGUEbGB9dAhdTV1dKBQpSTFFQD0VTVlBSDwlVUldQS18OUQ
• 2015-07-13 17:04:05 UTC - joston2.xyz - GET /BAoIUkUBEVBcVEVTHlAYXVYRFgwKBRcaGxkYDgxMU1ZQGQtRUk1WAwEeU1dXAQFSVVNQA0VXHgIOYVgoMzssSwg

 

TRAFFIC - EXAMPLE 2 OF 2

ASSOCIATED DOMAINS:

• www.visajourney.com - Compromised website
• 136.243.25.242 port 80 - margaritailles.com - BizCN-registered gate
• 185.92.220.196 port 80 - joston2.xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-13 17:29:37 UTC - www.visajourney.com - GET /
• 2015-07-13 17:29:38 UTC - margaritailles.com - GET /-IkqzsZMW-wXrG_hLNY/PQjvw/J.php?QkVB-u6K-=l0q5h-86-889J8eU&QAco=be9-c926f5&wd_0uc63D=cj

NUCLEAR EK:

• 2015-07-13 17:29:48 UTC - joston2.xyz - GET /DxQATl8VHlIYXVYRFgwKBRcaGxk.html
• 2015-07-13 17:29:48 UTC - joston2.xyz - GET /BxsUS1QVBhoCQEVTHlAYXVYRFgwKBRcaGxkYDwlMUFdXGQhVVE1VBAgeU1dXAQFSWlZcD0UEDlA
• 2015-07-13 17:29:49 UTC - joston2.xyz - GET /BAoIUkUPFQcdUU4eUx9XS1MNERcLWQtMGhoeSwFSTFFQBBdTVVVKBgpTHlJQBA9aUltRDwEeVx8Gb2kMIzIQSwg
• 2015-07-13 17:29:54 UTC - joston2.xyz - GET /BAoIUkUPFQcdUU4eUx9XS1MNERcLWQtMGhoeSwFSTFFQBBdTVVVKBgpTHlJQBA9aUltRDwEeVR8Gb2kMIzIQSwg

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2015-07-13-BizCN-gate-actor-Nuclear-EK-paps.zip
• ZIP archive of the malware:   2015-07-13-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.