2015-07-22 - NUCLEAR EK CHANGES URL PATTERNS

PCAPS AND MALWARE:

• ZIP of the PCAP:  2015-07-22-Nuclear-EK-traffic.zip
• ZIP of the malware:  2015-07-22-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• Kafeine tweeted about this yesterday on 2015-07-21 ( link ), where Nuclear EK's URL patterns look a lot more like Anger EK now.
• Kafeine's post provides a quick Pastebin link with examples of the URL patterns at:  http://pastebin.com/raw.php?i=79UfNMWQ
• Today, I'm posting 3 examples of Nuclear EK with these new URL patterns:  one by the Windigo group, one by the BizCN gate actor, and another example.

 

FIRST EXAMPLE:  WINDIGO GROUP NUCLEAR EK

ASSOCIATED DOMAINS:

• filestore72.info - Compromised web site
• 184.75.208.115 port 80 - 2aq3yszjpdplaaoiyxvf99g.itsafact.info - Redirection domain
• 184.75.208.115 port 80 - 7187n9dq2m48y2i4i1wpmpj.itsafact.info - Nuclear EK
• 198.27.78.145 port 39632 - no domain - Post-infection Glupteba callback
• 198.27.76.97 port 51975 - no domain - Post-infection Glupteba callback

 

COMPROMISED WEBSITE AND CUSHION REDIRECT:

• 2015-07-22 16:30:29 UTC - filestore72.info - GET /download.php?id=4d29b9a5

• 2015-07-22 16:30:30 UTC - 2aq3yszjpdplaaoiyxvf99g.itsafact.info - GET /index.php?k=enlqd3VpeT1hdmRsem16aW4mdGltZT0xNTA3MjIxNjI3NTgyMzI3NzU5JnNyYz0
  3NiZzdXJsPWZpbGVzdG9yZTcyLmluZm8mc3BvcnQ9ODAma2V5PTZCOTZBQTc1JnN1cmk9L2Rvd25sb2FkLnBocCUzZmlkPTRkMjliOWE1

• 2015-07-22 16:30:31 UTC - 2aq3yszjpdplaaoiyxvf99g.itsafact.info - GET /watch.php?iyyho=MTA3NjU5ZDY2MDdlNTY5ZGQ1YmVlZDZjYjk5NTZhZTE2

 

NUCLEAR EK:

• 2015-07-22 16:30:32 UTC - 7187n9dq2m48y2i4i1wpmpj.itsafact.info - GET /search?q=aClpUXEtJAQRVSU8AHwMBAQRbWlBBC14BW00&mMoJ=cESlJTAldE&
  4asydl=6b4d93cc6&Eg94=bCUAdcUkNAVENfTV1&8DInuO=dF1pbBVs&Y3aSWl=029da294d3

• 2015-07-22 16:30:33 UTC - 7187n9dq2m48y2i4i1wpmpj.itsafact.info - GET /search?q=cEEVxoCCQB&SiiCQD=bQRbWlBBC14BW00CUAdcUkNAVENfTV1ES
  lJTAldEF1pbBVtMAAIbUQcIFw&QqbOLjL=33f99e2&fqgOS=538ce1e&hKnal=dJUgADDgYNUQ&JbXRg=aBkxARVEFBkRMDE8BHwMBA&rXt=eIDC09TDwc

• 2015-07-22 16:30:35 UTC - 7187n9dq2m48y2i4i1wpmpj.itsafact.info - GET /search?q=d0HUgAeCwMG&XFxd=fFtmAFx6U1tJUg&lgm=9c1018a&MQR=
  29a4ca6a6c&NLxdgG=eHwUECgQAWwYGCgFJVEhgV&bRG=aBV1cXE9XU1FARQZJV0gHCAsCDQ1USAFYVwxJC1oBCgVHS&ylXWX=cTTR1cDV
  JfRQoETQYDAR&Ain=bV5FCRpZTUBUBVV

 

SOME OF THE POST-INFECTION TRAFFIC CAUSED BY THE GLUPTEBA MALWARE PAYLOAD:

• 2015-07-22 16:30:43 UTC - 198.27.78.145 port 39632 - GET /stat?uid=100&downlink=1111&uplink=1111&id=001FB866&statpass=bpass&version=21150720&
  features=30&guid=e918e400-b6cc-4cb8-8138-b830facb363e&comment=21150720&p=0&s=

• 2015-07-22 16:31:12 UTC - www.google.com - GET /robots.txt

• 2015-07-22 16:31:37 UTC - 198.27.76.97 port 51975 - GET /stat?uid=100&downlink=1111&uplink=1111&id=002089F7&statpass=bpass&version=21150720&
  features=30&guid=e918e400-b6cc-4cb8-8138-b830facb363e&comment=21150720&p=1&s=108.163.245.234:49053,184.154.142.226:13208,198.27.76.97:51975

 

SECOND EXAMPLE:  BIZCN GATE ACTOR NUCLEAR EK

ASSOCIATED DOMAINS:

• forum.freeadvice.com - Compromised web site
• 136.243.25.242 port 80 - skalelinasa.com - BizCN registered gate
• 178.62.179.76 port 80 - omapsget.link - Nuclear EK
• 54.169.9.2 port 80 - th.kidlander.com - Post-infection callback from CryptoWall 3.0
• 195.210.46.104 port 80 - arabella.kz - Post-infection callback from CryptoWall 3.0
• 184.168.47.225 port 80 - guypjones.com - Post-infection callback from CryptoWall 3.0
• 85.204.50.99 port 80 - bibubracelets.ro - Post-infection callback from CryptoWall 3.0
• 107.6.184.22 port 80 - fotosoimagenes.com - Post-infection callback from CryptoWall 3.0
• 184.168.47.225 port 80 - africanadvances.com - Post-infection callback from CryptoWall 3.0
• 66.147.242.164 port 80 - 3dfactorymexico.com - Post-infection callback from CryptoWall 3.0
• 89.40.32.180 port 80 - leooptic.ro - Post-infection callback from CryptoWall 3.0
• 213.238.166.230 port 80 - beybladeoyunlari.org - Post-infection callback from CryptoWall 3.0
• 103.28.39.102 port 80 - gachcbv.com - Post-infection callback from CryptoWall 3.0
• 212.90.148.53 port 80 - antikerie.de - Post-infection callback from CryptoWall 3.0
• 5.153.10.229 port 80 - businesscod.com - Post-infection callback from CryptoWall 3.0
• 84.2.35.134 port 80 - rolandapartman.hu - Post-infection callback from CryptoWall 3.0
• 209.251.58.142 port 80 - husseinbahadi.com - Post-infection callback from CryptoWall 3.0

 

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-22 16:55:10 UTC - forum.freeadvice.com - GET /
• 2015-07-22 16:55:11 UTC - skalelinasa.com - GET /xPtZLKkY-zXm_SMsIq-/oY.php?s-L0lR=6ue769&Z=de9-b_-0&weQhz9=_8PaQKc-e2&PeK=a3

 

NUCLEAR EK:

• 2015-07-22 16:55:14 UTC - omapsget.link - GET /search?q=aD1ZXXU9MAlcCU0JMV0RcV&ESzTK6Y=65ff4a&vuT=08b9ef35e&A8jV=bVZAFV9&cxujlGu=cWTBlcD1ZY

• 2015-07-22 16:55:14 UTC - omapsget.link - GET /search?q=bRAZMU0RcVVZAFV9WTBlc&gCU=fQACGgkHCwAFXgwCCQNMAFQA&LszQ=aA0BDRFNfV1NG&
  pDEJ=eQEdC&GIL=dAAYeU&HbSwF=cD1ZYRAYAURYC&AVIoQ=93f74cf7&LbOU=1a5cf3

• 2015-07-22 16:55:16 UTC - omapsget.link - GET /search?q=cg9PU05iDWF4bksB&ZagF=aAFFfXUtUCQlYTUsBGg1PV1pRFktUXUMeClFdU0sBVg8dCQ8BSA8KF&
  PCJ=9c120399c0<w=7feb8d&XQKTjPM=bgYHVEQCDAQHUwAHCQYEG

 

POST-INFECTION TRAFFIC CAUSED BY THE CRYPTOWALL 3.0 PAYLOAD:

• 2015-07-22 16:55:26 UTC - ip-addr.es - GET /
• 2015-07-22 16:55:27 UTC - th.kidlander.com - POST /wp-content/plugins/wp-db-backup-made/b.php?t=vhe4cw66iab2
• 2015-07-22 16:55:28 UTC - arabella.kz - POST /wp-content/plugins/wp-db-backup-made/a.php?x=vhe4cw66iab2
• 2015-07-22 16:55:30 UTC - guypjones.com - POST /wp-content/themes/twentyeleven/a.php?x=vhe4cw66iab2
• 2015-07-22 16:55:31 UTC - bibubracelets.ro - POST /wp-content/themes/twentytwelve/e.php?x=vhe4cw66iab2
• 2015-07-22 16:55:31 UTC - noracaron.com - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/a.php?f=vhe4cw66iab2
• 2015-07-22 16:55:33 UTC - www.noracaron.com - GET /contact/
• 2015-07-22 16:55:34 UTC - fotosoimagenes.com - POST /wp-content/plugins/wp-mobile-edition/admin/includes/mobile_themes/mTheme-Unus/images/
  blue/a.php?p=vhe4cw66iab2
• 2015-07-22 16:55:35 UTC - www.fotosoimagenes.com - GET /
• 2015-07-22 16:55:40 UTC - hotfrance.ru - POST /wp-content/themes/dreamynight-10/a.php?k=vhe4cw66iab2
• 2015-07-22 16:55:41 UTC - africanadvances.com - POST /wp-content/plugins/updraftplus/oc/guzzle/Guzzle/Service/Command/LocationVisitor/Request/
  a.php?s=vhe4cw66iab2
• 2015-07-22 16:55:45 UTC - 3dfactorymexico.com - POST /foro/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/
  c.php?d=vhe4cw66iab2
• 2015-07-22 16:55:47 UTC - leooptic.ro - POST /wp-content/themes/twentytwelve/c.php?h=vhe4cw66iab2
• 2015-07-22 16:55:48 UTC - beybladeoyunlari.org - POST /wp-content/themes/twentytwelve/b.php?z=vhe4cw66iab2
• 2015-07-22 16:56:19 UTC - gachcbv.com - POST /plugins/system/plg_system_rewrite/a.php?y=vhe4cw66iab2
• 2015-07-22 16:56:20 UTC - antikerie.de - POST /wp-content/plugins/revslider/css/jui/new/images/d.php?x=vhe4cw66iab2
• 2015-07-22 16:56:51 UTC - businesscod.com - POST /tmp/e.php?f=vhe4cw66iab2
• 2015-07-22 16:56:52 UTC - ibjja.com - POST /blog/wp-content/plugins/scribe/lib/history/views/meta-box/c.php?z=vhe4cw66iab2
• 2015-07-22 16:56:53 UTC - rolandapartman.hu - POST /de/wp-content/plugins/wp-db-backup-made/e.php?j=vhe4cw66iab2
• 2015-07-22 16:56:57 UTC - husseinbahadi.com - POST /wp-content/uploads/b.php?b=vhe4cw66iab2

 

THIRD EXAMPLE:  OTHER NUCLEAR EK

ASSOCIATED DOMAINS:

• 46.101.63.163 port 80 - abgyhutytrecxnme.ga - Nuclear EK

 

NUCLEAR EK:

• 2015-07-22 17:39:26 UTC - abgyhutytrecxnme.ga - GET /search?q=dd&sD1=bERKT&23ETmb=aUF9WAEhPSQNXAVlQRQQHGVFRXkhaE&fRtY=fQcAlE&qGXso=
  eVF&jxpyAoq=cUNXBkh&yMnaZk=35d68f2&CCmF=4ba67d6d

• 2015-07-22 17:39:27 UTC - abgyhutytrecxnme.ga - GET /search?q=aXElCGUABXFVbBkwGD&RoU=51868a&xVQaFDS=6d86e1&jSiwSW=dcHFwMGXUwCDQIFU
  AgFDgcEGVZfCg&rhWKD=cQV9fAB5UWE0DXQQdCAcGSw&iGwYzt=bE0DXQVPWFNVHFhGTUhGF1VQ

• 2015-07-22 17:39:31 UTC - abgyhutytrecxnme.ga - GET /search?q=3234e5&JhDKPu=aX1heAExDC1RWDFNPDAROVAgGRVBQAklbTEVLEUJWWklcCF&iIZA=
  34926281&KwpptY=dUBUgULDwYEU0wERWd8KXhYRQA&rIQQxrN=cEDR8AUQhPCA&OyoqI=bUdXlBOVAgHFwAEUR4

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-07-22-Nuclear-EK-traffic.zip
• ZIP of the malware:  2015-07-22-Nuclear-EK-malware-and-artifacts.zip

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.