2015-07-15 - BIZCN GATE ACTOR NUCLEAR EK ON 104.207.131.131

PCAP AND MALWARE:

• ZIP of the PCAP(s):  2015-07-15-BizCN-gate-actor-Nuclear-EK-pcaps.zip
• ZIP file of the malware:   2015-07-15-BizCn-gate-actor-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63.163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167.124
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131.131 (this blog post)

 

TRAFFIC - EXAMPLE 1 OF 2

ASSOCIATED DOMAINS:

• www.visajourney.com - Compromised website
• 136.243.25.242 port 80 - margaritailles.com - BizCN-registered gate
• 104.207.131.131 port 80 - foundhere.xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-15 14:48:30 UTC - www.visajourney.com - GET /
• 2015-07-15 14:48:30 UTC - margaritailles.com - GET /itmOJ-LhvN-r_yw/PzvO.js?R=ff44foraY1YaLe&Au-=5V7edf1Q30P3j&mojpwB-U=a-6d69QfbkcI_d

NUCLEAR EK:

• 14:48:33 UTC - foundhere.xyz - GET /VgIDDFYDTgAeUgoQXFUKURcAHEkbTg.html
• 14:48:34 UTC - foundhere.xyz - GET /V0kSSAFWUwlRUhlUTgMeUgoQXFUKURcAHEkbThlTBB9TDFJLBQJMBVZdTgBWB1NcBQBVBVYZVF1R
• 14:48:35 UTC - foundhere.xyz - GET /VFgOURkBAVBaBwMZA01QSAMKR18GXAAXVx8aTR8ZBAdMBV1SHAZRGlRWCk1TAFZTCwZTA1RWTgQeRTc2VFANSFQ
• 14:48:38 UTC - foundhere.xyz - GET /VFgOURkBAVBaBwMZA01QSAMKR18GXAAXVx8aTR8ZBAdMBV1SHAZRGlRWCk1TAFZTCwZTA1RWTgYeRTc2VFANSFQ

 

TRAFFIC - EXAMPLE 2 OF 2

ASSOCIATED DOMAINS:

• www.taurusarmed.net - Compromised website
• 148.251.187.233 port 80 - risalerr.org - BizCN-registered gate
• 104.207.131.131 port 80 - namesoizze.xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-15 15:43:02 UTC - www.taurusarmed.net - GET /forums/firing-line/62280-snub-nose-revolvers.html
• 2015-07-15 15:43:03 UTC - risalerr.org - GET /gNz_ps--TZ-J_UHMkjLG/-hW--MoNKQZigYStvO_/HgsYoW-G_.php?O5VJBXz0=be-m0dT45mcdMfn164Y18cad0196M-f-2-d

NUCLEAR EK:

• 2015-07-15 15:43:11 UTC - namesoizze.xyz - GET /UARERFBIVgBbXRJbURtMXU9MQRs.html
• 2015-07-15 15:43:12 UTC - namesoizze.xyz - GET /XRlGRAlRSh0HRFNIVgBbXRJbURtMXU9MQRtKC1AaC08HDVQaClAFRFAAC1cPD1UNAVBKXg0H

• NOTE: No malware payload was passed for this run (instead, the web browser crashed).

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP(s):  2015-07-15-BizCN-gate-actor-Nuclear-EK-pcaps.zip
• ZIP file of the malware:   2015-07-15-BizCn-gate-actor-Nuclear-EK-malware-and-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.