2015-07-14 - BIZCN GATE ACTOR NUCLEAR EK ON 108.61.167.124
PCAP AND MALWARE:
- Zip archive of the pcap(s): 2015-07-14-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
- Zip archive of the malware: 2015-07-14-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip
NOTES:
- More follow-up traffic & malware for an article I wrote at: https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
- My previous blog posts tracking BizCN gate actor Nuclear EK:
- 2015-07-05 - BizCN gate actor using Nuclear EK (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
- 2015-07-07 - BizCN gate actor Nuclear EK (EK on 107.191.63.163)
- 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92
- 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29
- 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196
- 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167.124 (this blog post)
TRAFFIC
ASSOCIATED DOMAINS:
- www.nano-reef.com - Compromised website
- 136.243.224.10 port 80 - omaidett.com - BizCN-registered gate
- 108.61.167.124 port 80 - andrian2.xyz - Nuclear EK
COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:
- 2015-07-14 11:37:04 UTC - www.nano-reef.com - GET /
- 2015-07-14 11:37:05 UTC - omaidett.com - GET /zgGn/hU-QzrJV-mI-__TlntuK/KPyjZN_UisWH-vulp.js?sw=1Yf8&FCPcq-R-O=-cd5&qGtZ=m6lem1&5-FCtoN2-=bTcXfj&hB=daK7
NUCLEAR EK:
- 2015-07-14 11:37:08 UTC - andrian2.xyz - GET /DhQMVBZfGlQaAA9XFAwHD1MdHhwc.html
- 2015-07-14 11:37:09 UTC - andrian2.xyz - GET /Ax0WHQlCDFARDR0CGlcaAA9XFAwHD1MdHhwcHVcFSFReVk8FXktUUlhPV1FVV1kEVV1UWR1VClY
- 2015-07-14 11:37:09 UTC - andrian2.xyz - GET /AAwKBB1bFw9TFg1PVxlUHQBdAhcPAA8BSB0fGx0FUEtXWVYdUF1IU1IKGlRSUlcLUVZeU1lPUxkCDStXFxlX
- 2015-07-14 11:37:28 UTC - andrian2.xyz - GET /AAwKBB1bFw9TFg1PVxlUHQBdAhcPAA8BSB0fGx0FUEtXWVYdUF1IU1IKGlRSUlcLUVZeU1lPURkCDStXFxlX
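The chain above (compromised site, then the BizCN-registered gate's obfuscated .js request, then the Nuclear EK landing page and follow-on requests with encoded paths) can be pulled out of proxy or HTTP logs automatically instead of by eye. The script below is an added example, not part of the original post or of the pcap. Its sample log lines are constructed from the requests listed above in the page's own "timestamp - host - GET path" format, plus one benign follow-on request; the gate and EK URL heuristics are assumptions tuned to these specific URLs, not published signatures.

```python
"""Reconstruct a compromised-site -> gate -> exploit-kit chain from HTTP request logs."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed sample (assumption): the requests from the listing above, one per
# line, plus a benign follow-on request that should not join the chain.
SAMPLE_LOG = """\
2015-07-14 11:37:04 UTC - www.nano-reef.com - GET /
2015-07-14 11:37:05 UTC - omaidett.com - GET /zgGn/hU-QzrJV-mI-__TlntuK/KPyjZN_UisWH-vulp.js?sw=1Yf8&FCPcq-R-O=-cd5&qGtZ=m6lem1&5-FCtoN2-=bTcXfj&hB=daK7
2015-07-14 11:37:08 UTC - andrian2.xyz - GET /DhQMVBZfGlQaAA9XFAwHD1MdHhwc.html
2015-07-14 11:37:09 UTC - andrian2.xyz - GET /Ax0WHQlCDFARDR0CGlcaAA9XFAwHD1MdHhwcHVcFSFReVk8FXktUUlhPV1FVV1kEVV1UWR1VClY
2015-07-14 11:37:09 UTC - andrian2.xyz - GET /AAwKBB1bFw9TFg1PVxlUHQBdAhcPAA8BSB0fGx0FUEtXWVYdUF1IU1IKGlRSUlcLUVZeU1lPUxkCDStXFxlX
2015-07-14 11:38:30 UTC - www.nano-reef.com - GET /favicon.ico
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - (\S+) - GET (\S+)$")
# Heuristic (assumption) for the Nuclear EK URLs seen above: a single path segment
# that is a long run of [A-Za-z0-9], optionally ending in .html, with no query string.
EK_PATH_RE = re.compile(r"^/[A-Za-z0-9]{24,}(?:\.html)?$")
# Heuristic (assumption) for gate query strings: short mixed-case/digit/dash tokens.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{2,12}$")


def parse_log(text):
    """Return one dict (ts, host, path) per matching line; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        "host": m.group(2), "path": m.group(3)})
    return out


def looks_like_gate(path):
    """Gate heuristic: a .js request carrying at least four random-looking query
    parameters, as on omaidett.com above."""
    parts = urlsplit(path)
    if not parts.path.endswith(".js"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    return len(params) >= 4 and all(TOKEN_RE.match(k) and TOKEN_RE.match(v) for k, v in params)


def looks_like_ek(path):
    """EK heuristic: encoded single-segment path as on andrian2.xyz above."""
    return bool(EK_PATH_RE.match(path))


def reconstruct_chains(requests, window=timedelta(seconds=30)):
    """For each gate hit, name the different-host request just before it (the likely
    compromised site) and count EK-looking requests to other hosts within `window`."""
    reqs = sorted(requests, key=lambda r: r["ts"])
    chains = []
    for i, r in enumerate(reqs):
        if not looks_like_gate(r["path"]):
            continue
        referring = next((p["host"] for p in reversed(reqs[:i])
                          if p["host"] != r["host"] and r["ts"] - p["ts"] <= window), None)
        ek_hits = [n for n in reqs[i + 1:]
                   if n["host"] != r["host"] and n["ts"] - r["ts"] <= window
                   and looks_like_ek(n["path"])]
        chains.append({"compromised_site": referring, "gate": r["host"],
                       "ek_hosts": sorted({n["host"] for n in ek_hits}),
                       "ek_requests": len(ek_hits)})
    return chains


if __name__ == "__main__":
    for chain in reconstruct_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

On the sample it reports one chain: www.nano-reef.com as the referring site, omaidett.com as the gate, and three EK-style requests to andrian2.xyz. Two caveats: the "compromised site" is inferred from timing because this log format has no Referer column, so confirm it against the Referer headers in the pcap; and both URL heuristics fit this actor's patterns on this date only, so re-check them against newer traffic before treating a miss as clean.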
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap(s): 2015-07-14-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
- Zip archive of the malware: 2015-07-14-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.