2015-07-16 - BIZCN GATE ACTOR NUCLEAR EK ON 216.170.114.126

PCAPS AND MALWARE:

• ZIP of the PCAPs:  2015-07-16-BizCN-gate-actor-Nuclear-EK-pcaps.zip
• ZIP file of the malware:   2015-07-16-BizCN-gate-actor-Nuclear-EK-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63.163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167.124
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131.131
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114.126 (this blog post)

 

TRAFFIC - EXAMPLE 1 OF 2

ASSOCIATED DOMAINS:

• www.texashighways.com - Compromised website
• 136.243.25.242 port 80 - salsaandlili.com - BizCN-registered gate
• 216.170.114.126 port 80 - imhed.xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-16 14:26:19 UTC - www.texashighways.com - GET /events
• 2015-07-16 14:26:19 136.243.25.242 salsaandlili.com - GET /KoH_iYqh/-/-PS-_jInXu/vzp-TJlH-qNY/kzjgu---T-HnrZoKVUXGqPOJ.js?i_MFc=G3-0Nbp8&
  P6Zyn0qD=e6k82&jWzM=fdby3&He_YaQ=_c9q89_&Ov-bAK=7ed5M&2Ov_eA=5x1Z0-c&-k8s=6

NUCLEAR EK:

• 2015-07-16 14:26:26 UTC - imhed.xyz - GET /RAhRGgkYWgkLA1xKSx0Z.html
• 2015-07-16 14:26:27 UTC - imhed.xyz - GET /VhwTGk8IARhSGgoYWgkLA1xKSx0ZGg5WHVZQVRZRAUpSUQ4YAlBQUQhRBVNbUEQCX1c
• 2015-07-16 14:26:29 UTC - imhed.xyz - GET /VQ0PA0QTX1YfV0RWTw0ODl0AHRwaHERSAUpRVQtKBlZNVw9ST1VXVQ9UBlJUXg4YBBgvAnoTRiYfVw

 

TRAFFIC - EXAMPLE 2 OF 2

ASSOCIATED DOMAINS:

• pistolsmith.com - Compromised website
• 136.243.224.10 port 80 - burdiacs.org - BizCN-registered gate
• 216.170.114.126 port 80 - imhed.xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-16 14:40:35 UTC - pistolsmith.com - GET /
• 2015-07-16 14:40:36 UTC - burdiacs.org - GET /gqN---ZRi/nkQ-ST-oWixwtR.php?dDu-87--=e42aRe_dmb2pdW8d2-0a_08623ade-ayekfla9n203

NUCLEAR EK:

• 2015-07-16 14:40:48 UTC - imhed.xyz - GET /QAYKDkBTT1UfD1UMVgBNHkEe.html
• 2015-07-16 14:40:50 UTC - imhed.xyz - GET /VhwTGksGWgwbUURVT1YfD1UMVgBNHkEeT1VaXhZVA1FNVwlcHVVSUkRVB1dUVg1TBVBbGl4IAA

• NOTE: Got Nuclear EK, but no malware payload in this traffic.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP(s):  2015-07-16-BizCN-gate-actor-Nuclear-EK-pcaps.zip
• ZIP file of the malware:   2015-07-16-BizCN-gate-actor-Nuclear-EK-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.