2015-07-17 - BIZCN GATE ACTOR NUCLEAR EK ON 188.166.120.33 SENDS CRYPTOWALL 3.0

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-07-17-BizCN-gate-actor-Nuclear-EK-and-CryptoWall-3.0-malware.zip
• ZIP file of the malware:  2015-07-17-BizCN-gate-actor-Nuclear-EK-and-CryptoWall-3.0-malware.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• This traffic has the latest Flash exploit (CVE-2015-0522) effective against Flash Player version 18.0.0.203.
• Today, Nuclear EK used by the BizCN gate actor sent CryptoWall 3.0 as the payload.
• Bitcoin address for this CryptoWall 3.0 sample's ransom payment was: 14ebF4oEvoqPtCFDASf8ASHv3jGtr41DGP.

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63.163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167.124
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131.131
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114.126
• 2015-07-17 - BizCN gate actor Nuclear EK on 188.166.120.33  (this blog post)

 

TRAFFIC

ASSOCIATED DOMAINS:

• orlandoinformer.com - Compromised website
• 136.243.25.241 port 80 - stepanovichon.com - BizCN-registered gate
• 188.166.120.33 port 80 - andsoresto.link - Nuclear EK
• ip-addr.es - IP address check by CryptoWall 3.0
• 85.204.50.99 port 80 - bibubracelets.ro - CryptoWall 3.0 check-in
• 195.210.46.104 port 80 - arabella.kz - CryptoWall 3.0 check-in

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-17 19:57:13 UTC - orlandoinformer.com - GET /
• 2015-07-17 19:57:17 UTC - stepanovichon.com - GET /mT_n-J/gJ/LsuUHz/TYt/yt.js?V-Qg=740-5T257vbade1Y5_0__b779q2Z1-5bx48G6r6a

NUCLEAR EK:

• 19:57:21 UTC - andsoresto.link - GET /QEBQAkoIS1AIUkVWRVQVQlkXW1gIXQ.html
• 19:57:21 UTC - andsoresto.link - GET /UkkWSkFIAQUaB0oKS1AIUkVWRVQVQlkXW1gIXUoPAR9XDgEXAQdIBwEOSwBSBQEIAQJWAgdFUV1V
• 19:57:25 UTC - andsoresto.link - GET /UVgKU0pORgdSSgdFBE0HWFJKWEMDRUJWGV0PWF1FAQdIBw4OGQdQGAcOAE1XAgUOBgdVBgIISwYaXVl4WUYRQkoI

POST-INFECTION TRAFFIC (CRYPTOWALL 3.0):

• 2015-07-17 19:57:30 UTC - ip-addr.es - GET /
• 2015-07-17 19:57:31 UTC - bibubracelets.ro - POST /wp-content/themes/twentytwelve/e.php?o=ayua0s9j24f
• 2015-07-17 19:57:31 UTC - arabella.kz - POST /wp-content/plugins/wp-db-backup-made/a.php?n=ayua0s9j24f
• 2015-07-17 19:57:44 UTC - bibubracelets.ro - POST /wp-content/themes/twentytwelve/e.php?j=075b3yxxzhg8
• 2015-07-17 19:57:44 UTC - arabella.kz - POST /wp-content/plugins/wp-db-backup-made/a.php?d=075b3yxxzhg8
• 2015-07-17 19:57:54 UTC - bibubracelets.ro - POST /wp-content/themes/twentytwelve/e.php?l=856g0fy7a8nz2
• 2015-07-17 19:57:55 UTC - arabella.kz - POST /wp-content/plugins/wp-db-backup-made/a.php?d=856g0fy7a8nz2
• 2015-07-17 19:58:10 UTC - bibubracelets.ro - POST /wp-content/themes/twentytwelve/e.php?o=bvortsts8z
• 2015-07-17 19:58:11 UTC - arabella.kz - POST /wp-content/plugins/wp-db-backup-made/a.php?e=bvortsts8z

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-07-17-BizCN-gate-actor-Nuclear-EK-and-CryptoWall-3.0-malware.zip
• ZIP file of the malware:  2015-07-17-BizCN-gate-actor-Nuclear-EK-and-CryptoWall-3.0-malware.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.