2015-07-30 - BIZCN GATE ACTOR NUCLEAR EK ON 46.101.18.39

PCAP AND MALWARE:

• ZIP with all the PCAP files:  2015-07-30-BizCN-gate-actor-Nuclear-EK-traffic.zip (2.5 MB)
• ZIP file of the malware:  2015-07-30-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip (586 KB)

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• This traffic has the Flash exploit (CVE-2015-0522) effective against Flash Player version 18.0.0.203.
• Nuclear EK used by the BizCN gate actor sent CryptoWall 3.0 as the payload on 2015-07-30 (don't know what it was from the 2015-07-29 infection).
• Bitcoin address for this CryptoWall 3.0 sample's ransom payment was: 14ebF4oEvoqPtCFDASf8ASHv3jGtr41DGP (same as last time on 2015-07-17).

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63.163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167.124
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131.131
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114.126
• 2015-07-17 - BizCN gate actor Nuclear EK on 188.166.120.33
• 2015-07-30 - BizCN gate actor Nuclear EK on 46.101.18.39  (this blog post)

Been seeing a lot of this from the gate domains lately:

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.bluproducts.com - Compromised website seen on 2015-07-29
• orlandoinformer.com - Compromised website seen on 2015-07-30
• www.hidenanalytical.com - Compromised website seen on 2015-07-30
• forums.macnn.com - Compromised website seen on 2015-07-30
• www.playdota.com - Compromised website seen on 2015-07-30
• avic411.com - Compromised website seen on 2015-07-30

• 136.243.25.245 port 80 - stravitili.com - BizCN-registered gate for www.bluproducts.com
• 136.243.25.241 port 80 - stepanovichon.com - BizCN-registered gate for orlandoinformer.com
• 136.243.25.245 port 80 - blackkinas.com - BizCN-registered gate for www.hidenanalytical.com
• 136.243.224.10 port 80 - kroentro.com - BizCN-registered gate for forums.macnn.com
• 136.243.25.241 port 80 - markizalios.com - BizCN-registered gate for www.playdota.com
• 136.243.25.245 port 80 - atopront.org - BizCN-registered gate for avic411.com

• 46.101.18.39 port 80 - mukasore.xyz - BizCN gate actor Nuclear EK seen on 2015-07-29
• 46.101.18.39 port 80 - florenses.xyz - BizCN gate actor Nuclear EK seen on 2015-07-30

 

From the zip archive: 2015-07-29-BizCN-gate-actor-Nuclear-EK-traffic.pcap

• 2015-07-29 20:39:37 UTC - www.bluproducts.com - GET /

• 2015-07-29 20:39:38 UTC - stravitili.com - GET /-hTztvyKr-Pp-Ujgu_XJOlikq/q_IRQVw/-_VzHuO-G/_vu.php?f0XBLF3K=71&scCgz=_d2&O-hS8=m7P2&RwU0ri_=
  dN6&7-M=kb6Z&Cxf=3i4&cwi=89&oF7X_UVt=fqc&-yELI=ft9&JkB4Lr1=1vSb&m8BOd=3q

• 2015-07-29 20:39:42 UTC - mukasore.xyz - GET /search?q=bTV1GXVkVXkJW&x7LJP=dfSw&0d27=85bff50e&Iqtrz=cGEA&mqx=035c17c57&vDmQojv=
  aWF5XU0AaRlUAX0RX

• 2015-07-29 20:39:43 UTC - mukasore.xyz - GET /search?q=f4K&McEDT=9e45a6&rogNDw=cFBERXBQMLBAhUAg&EwHKHHe=eSl&Dfw=0e1f73e3&VbtVon=
  aVEhDSk8DAllPB0RQTV1GXVkVXkJWGEAfS0wCA&GWdF=gAg&YFJK=bA9IAAYDGAFeHwE&BWyFj=dgA

• 2015-07-29 20:39:46 UTC - mukasore.xyz - GET /search?q=27872afb3c&ayq=dRRTXZ&MAliGdA=epUXEIUkdgdWwaAA&rcz=6f599cd1a9&yRvqPM=
  cWAwMLBU&RNTQIGE=aV1lfU0QRVANaSgkaB0xeQ1MHQl9BUxYeSEpPBw5RHwEFBhZfCR&CNemMbk=b4CAAoaAAQADgp

 

From the zip archive: 2015-07-30-BizCN-gate-actor-Nuclear-EK-traffic-example-1-of-5.pcap

• 2015-07-30 12:19:58 UTC - orlandoinformer.com - GET /

• 2015-07-30 12:20:02 UTC - stepanovichon.com - GET /Ii-toGJ/-LkjPOsqMUHi/N/ZJU-pk-s_P_uhx/P_-.js?uR=pb7er&xeF=r5H5gb&Z-M2A-xG=7Kf7&U7-H_=
  1a6H&VXSpz9x=P9_4e&Vr=ob14T&k5bp=e

• 2015-07-30 12:20:10 UTC - florenses.xyz - GET /search?q=cQZ&HHKzxB=6cd142e2&p5Gx6Uy=dWRl&k7V=aXFYHVhtEVwlR&lvDJ=e0QHRtBTw&kmy=
  7d24d4b24&KjKY=bT1JEU1QMQ

• 2015-07-30 12:20:11 UTC - florenses.xyz - GET /search?q=4dbd7289ad&rcsSmcl=cQtbAVYADQlTTwVUBg&HirHs=b0JBA1NAVIMGwpTAx8JA&LUw=
  3c429de6&lJKsO=aUEATTwEJB0RST1VEU1QMQQZWRl0QHRtBT0RUB0

• 2015-07-30 12:20:13 UTC - florenses.xyz - GET /search?q=aU1EPVh9aBAofAh8OSV4PXBFdW0sGQE1ATEIfBFcWBAlWHVEJ&dIW=594e8f045&AidVHML=
  cC1ENDQBSAx8PSW0pYSR_YnMfAg&yjU=4c8985ae2&lQcbof=bARZRA1NEBAxQ

 

From the zip archive: 2015-07-30-BizCN-gate-actor-Nuclear-EK-traffic-example-2-of-5.pcap

• 2015-07-30 16:12:31 UTC - www.hidenanalytical.com - GET /en/

• 2015-07-30 16:12:33 UTC - blackkinas.com - GET /-iv-X-VgHMOI/u_-sx/mhWw_toxyZQqUr_/H_gVplx-OmLzXjiuoRW/Xlv-jOZJULSorx_gHqz_n.php?q9_U=
  88u&-DqTY_5yR=83&3=8-w5&--YiQyv=8z4-&zsw7Yq=3-bi&W_VF=2h5

• 2015-07-30 16:12:36 UTC - florenses.xyz - GET /search?q=2ed48ab0&kkUOS=399134f&gN6OFgU=bVQ9XR10&NxOY0=cNQAZLG0AaSQ&nAmqhq=
  aXFYHVhtEXltVQRIMSQkf

• 2015-07-30 16:12:36 UTC - florenses.xyz - GET /search?q=bQAZLG0AaSR8OARZSC1QWBwtSHV&zCGoko=cIKBURSB1AAB&ZazcZAF=eFYOSV4PAA&
  pbEANoB=dw9RB&ZnXWy=54b464&MWugKKm=7ac949&WRawFZ=aUEATTwhbA0oSBx8JSQ4fVQ9XR10N

• 2015-07-30 16:12:39 UTC - florenses.xyz - GET /search?q=0dfa134&mCZnwZL=dcQnYHf&yxNLsfu=cUTxp&euaDkAU=blsPGwpQAk0JBwgfAlcLDQpUAVQNA0R&
  IiFORID=2887a0&yfA=eCtV&mha=aU1EPVh9TVg4RQldEBERVTwVUWkoGXRBdRhYbShlEAwxNA&yeAxR=fR&qLcq=gkS

 

From the zip archive: 2015-07-30-BizCN-gate-actor-Nuclear-EK-traffic-example-3-of-5.pcap

• 2015-07-30 16:53:10 UTC - forums.macnn.com - GET /

• 2015-07-30 16:53:15 UTC - kroentro.com - GET /_T-WIRK-nuO/IXTj--/-.js?-YJL-lr__=fa1&58Kv=2s2a&JT9wd-_Y=9a0o&G=35mf&-Fbc-=ao6a&x-lzcp_=
  d2-bO&iK7A=1ca&GiDP-C_k=y9K64-

• 2015-07-30 16:53:20 UTC - florenses.xyz - GET /search?q=dR10NQ&f4hovq=eAZLG&2S9h=f0AaSQ&gbF=55d808c9c2&GW3D=7300f1e52&NJDdP1=
  claSQkfVQ9X&kPd=bEIXSg&PRBD=aXFYHVhtET

• 2015-07-30 16:53:21 UTC - florenses.xyz - GET /search?q=gX1A&EqGu=dpUB&kXPb=aUEATTxpCQUEJU&xYfyww=cVcNGwpTAE0JDQ4fAlcLDQ&EBExne=
  3b5929827&iPBfViK=428c7b&iArkZ=el&jqUmN=fEIBUQF&HOy=bR8JSQ4fVQ9XR10NQAZLG0AaSR8JAgpNA

 

From the zip archive: 2015-07-30-BizCN-gate-actor-Nuclear-EK-traffic-example-4-of-5.pcap

• 2015-07-30 17:26:31 UTC - www.playdota.com - GET /forums/

• 2015-07-30 17:26:32 UTC - markizalios.com - GET /T-XHmLt---sjvwlWPUixg/Ro_/gzwT-/oyNV_j.js?9gTLJvByi=sd9u09qeZeaS&OW-_j3-yh=v9ppcYfO77k8la&
  Gl8Nq-=c

• 2015-07-30 17:26:38 UTC - florenses.xyz - GET /search?q=095cc3&q5Iw=79fc09&hQq=bVEBEQ&bsq3t=aXFYHVhtETEwNRA&SdsWrC=cFXwxKUFYQVhAWTUEZ

• 2015-07-30 17:26:39 UTC - florenses.xyz - GET /search?q=024807&XUOD=aUEATTxpMW08FT1JEA0QFXwxKUFYQVhAWTUEZT1IBBxZSC1UWB&NXKjT=cSC&
  sdERv=bAxSHVUOSQlXAFsKAg9&pFwH=19ceaf7b99&OSJh=dltEU1RQ

• 2015-07-30 17:26:41 UTC - florenses.xyz - GET /search?q=bSQ4fVQ9XR10NQ&KCkcY=4cc62a&PaPsc=f0RSB1AABw9UAloASQ8fRBRBQnMfAg&cMfTI=
  dJDApNAlsO&zcq=cAZLG0AaSR8&lRmiD=65b3a67&kohmfG=aU1EPVh9BQVYUVR8J&zPYn=eGwlXAk0OA

 

From the zip archive: 2015-07-30-BizCN-gate-actor-Nuclear-EK-traffic-example-5-of-5.pcap

• 2015-07-30 17:53:07 UTC - avic411.com - GET /

• 2015-07-30 17:53:08 UTC - atopront.org - GET /sj__NlSxZY/-IivX.js?FrunpVYo=570O22&rAF=U7J72b2&Kfei8kF=y8

• 2015-07-30 17:53:08 UTC - atopront.org - GET /RguzvKGn-mZNSyY/ZVqg/M-IUL.php?D=X0e5&Ht7cn6-q=f_6a&ysh3YFDr9=Kd_08&LWSQ=30-co&MkZSmy=e

• 2015-07-30 17:53:09 UTC - florenses.xyz - GET /search?q=fE&KrdzF=aXFYHVhtEQ0wEAwxE&fOE95V=cFYQVh&m8Do=eU&bRa0QhA=dAWT&c1v4f8=
  bBEQFXwxKU&Q7lBy=39d8d1&zaeO=9f10a9d3f2&ZSY=gZ

• 2015-07-30 17:53:10 UTC - florenses.xyz - GET /search?q=aUEATTxVMUggMT1JEA0QFXwxKUFYQVhAWTUEZT1EIABZRA1&UcEAT=fWQs&cmnMRp=
  bcWDQpNBVpE&omqHtEt=288ace97b2&HSzmE=cBAxQC1EPD&byfq=dQ9bC&IIYD=3241dc&IBHIVcv=eh9e

• 2015-07-30 17:53:11 UTC - florenses.xyz - GET /search?q=4cb89f0502&OAPrk=b1NAVMMGwBRHVUBSQlXAFsKAgBUC1pE&UTIMvh=
  aU1EPVh9OQV9TXB8JSQ4fVQ9XR10NQAZLG0AaSR8KBQ&XEmbWD=d-UFErYidvSQk&ZOfly=cAkQ6cRB&IOQe=4bbb06d8

 

CRYPTOWALL 3.0 TRAFFIC SEEN ON 2015-07-30:

• 172.246.241.236 port 80 - grizzlysts.com - one of the CryptoWall 3.0 callback domains
• 50.63.202.47 port 80 - biz-brokerage.com - one of the CryptoWall 3.0 callback domains
• 95.163.121.212 port 80 - 6i3cb6owitcouepv.speralpayopio.com - Viewing the decrypt instructions
• 95.163.121.212 port 80 - 6i3cb6owitcouepv.vremlotofpa.com - Viewing the decrypt instructions
• 6i3cb6owitcouepv.wolfwallstreetpay.com - One of the domains for the decrypt instructions that didn't resolve
• i3cb6owitcouepv.askhoweroption.com - One of the domains for the decrypt instructions that didn't resolve
• Bitcoin address for ransom payment: 14ebF4oEvoqPtCFDASf8ASHv3jGtr41DGP

 

From the zip archive: 2015-07-30-BizCN-gate-actor-Nuclear-EK-traffic-example-2-of-5.pcap

• 2015-07-30 12:20:33 UTC - ip-addr.es - GET /
• 2015-07-30 12:20:34 UTC - biz-brokerage.com - POST /wp-content/plugins/wp-antibot-standart/rrr.php?s=wxcqfavj7vyq
• 2015-07-30 12:20:35 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?c=wxcqfavj7vyq
• 2015-07-30 12:20:37 UTC - biz-brokerage.com - POST /wp-content/plugins/wp-antibot-standart/rrr.php?a=dwz8unwqei
• 2015-07-30 12:20:38 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?c=dwz8unwqei
• 2015-07-30 12:20:42 UTC - biz-brokerage.com - POST /wp-content/plugins/wp-antibot-standart/rrr.php?o=ubggqavqb4h
• 2015-07-30 12:20:43 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?k=ubggqavqb4h
• 2015-07-30 12:20:51 UTC - biz-brokerage.com - POST /wp-content/plugins/wp-antibot-standart/rrr.php?f=73il9hi8pwy
• 2015-07-30 12:20:52 UTC - grizzlysts.com - POST /wp-content/uploads/rrr.php?h=73il9hi8pwy
• 2015-07-30 12:21:45 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /[info removed]
• 2015-07-30 12:21:47 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/style.css
• 2015-07-30 12:21:47 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/flags/us.png
• 2015-07-30 12:21:47 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/flags/it.png
• 2015-07-30 12:21:47 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/flags/fr.png
• 2015-07-30 12:21:47 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/flags/es.png
• 2015-07-30 12:21:47 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/flags/de.png
• 2015-07-30 12:21:48 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /picture.php?k=[info removed]&f7e360850339954a64553c3643c55f96
• 2015-07-30 12:21:49 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/lt.png
• 2015-07-30 12:21:49 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/rt.png
• 2015-07-30 12:21:49 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/lb.png
• 2015-07-30 12:21:49 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/rb.png
• 2015-07-30 12:21:51 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /favicon.ico
• 2015-07-30 12:21:55 UTC - 6i3cb6owitcouepv.speralpayopio.com - POST /[info removed]
• 2015-07-30 12:21:57 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/bitcoin.png
• 2015-07-30 12:21:57 UTC - 6i3cb6owitcouepv.speralpayopio.com - GET /img/button_pay.png
• 2015-07-30 12:22:24 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /[info removed]
• 2015-07-30 12:22:25 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/style.css
• 2015-07-30 12:22:25 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/flags/us.png
• 2015-07-30 12:22:26 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/flags/fr.png
• 2015-07-30 12:22:26 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/flags/it.png
• 2015-07-30 12:22:26 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/flags/es.png
• 2015-07-30 12:22:26 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/flags/de.png
• 2015-07-30 12:22:26 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /picture.php?k=[info removed]&af54335c0c7ba9948671f37019d0fb09
• 2015-07-30 12:22:27 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/lt.png
• 2015-07-30 12:22:27 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/rt.png
• 2015-07-30 12:22:27 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/lb.png
• 2015-07-30 12:22:27 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/rb.png
• 2015-07-30 12:22:29 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /favicon.ico
• 2015-07-30 12:22:34 UTC - 6i3cb6owitcouepv.vremlotofpa.com - POST /[info removed]
• 2015-07-30 12:22:36 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/bitcoin.png
• 2015-07-30 12:22:36 UTC - 6i3cb6owitcouepv.vremlotofpa.com - GET /img/button_pay.png

 

FINAL NOTES

Once again, here are the associated files:

• ZIP with all the PCAP files:  2015-07-30-BizCN-gate-actor-Nuclear-EK-traffic.zip (2.5 MB)
• ZIP file of the malware:  2015-07-30-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip (586 KB)

All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.