2015-08-19 - BIZCN GATE ACTOR NUCLEAR EK FROM 31.214.157.20 - BLIZFONE.CF

PCAP AND MALWARE:

• ZIP of the PCAP:  2015-08-19-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-08-19-BizCN-gate-actor-Nuclear-EK-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• Did not get the malware payload.  Only saw the EK send a Flash exploit.  Was running Flash 18.0.0.209, which is apparently not out-of-date enough for Nuclear EK right now.

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK on 107.191.63.163 - various domains
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188.92 - newsolar.ga
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187.29 - alefreed.ml
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220.196 - joston2.xyz
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167.124 - andrian2.xyz
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131.131 - foundhere.xyz & namesoizze.xyz
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114.126 - imhed.xyz
• 2015-07-17 - BizCN gate actor Nuclear EK on 188.166.120.33 - andsoresto.link
• 2015-07-30 - BizCN gate actor Nuclear EK on 46.101.18.39 - mukasore.xyz & florenses.xyz
• 2015-08-14 - BizCN gate actor Nuclear EK on 89.238.181.74 - free3dprint.cf
• 2015-08-19 - BizCN gate actor Nuclear EK on 31.214.157.20 - blizfone.cf  (this blog post)

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.woogerworks.com - Compromised website
• 136.243.25.245 port 80 - stranieistor.com - BizCN-registered gate
• 31.214.157.20 port 80 - blizfone.cf - Nuclear EK

 

COMPROMISED WEBSITE AND REDIRECT:

• 2015-08-19 00:43:27 UTC - www.woogerworks.com - GET /
• 2015-08-19 00:43:28 UTC - stranieistor.com - GET /zuxsWIimQnKZ/zqR-n-WuOPrU_N_Vw/Nvy--_mM-R_VkPZS.js?FLmQr=4Wfx&Dh=c-4&cbumC-V=09&pXT=fc&
  XUP=fds&B_g_-_Tv=awfo&7-TEJy4Q6=_cs7&A=53&AZzHg_Ky=a

 

NUCLEAR EK:

• 2015-08-19 00:43:30 UTC - blizfone.cf - GET /search?q=dAFtYURcHAA&BRo=7e1626&Ovcz=bEYH1UETF&j3XHK2l=cMYV0hUWFAe&DeyMr=86984e7c&1s7=aD1pSUU
• 2015-08-19 00:43:30 UTC - blizfone.cf - GET /search?q=dAFtYURcHAA&BRo=7e1626&Ovcz=bEYH1UETF&j3XHK2l=cMYV0hUWFAe&DeyMr=86984e7c&1s7=aD1pSUU
• 2015-08-19 00:43:30 UTC - blizfone.cf - GET /test?MqPs=85777ed1&Xbl1mz=dQBQUw&MPz=9c2729809&jcbhbi=aA0xGSEAFVExc&WMNlXq=bSAgYX0hUWFAeAFtYU
  RcHAEgHAwpKVwMCGghdVho&IKR=cHDAkYVwAFD&xcclz=eQHBEUCCgc

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the PCAP:  2015-08-19-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
• ZIP file of the malware:   2015-08-19-BizCN-gate-actor-Nuclear-EK-artifacts.zip

NOTE:  All ZIP archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

Click here to return to the main page.