2015-07-22 - NUCLEAR EK CHANGES URL PATTERNS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-22-Nuclear-EK-traffic-3-pcaps.zip

 

NOTES:

• Kafeine tweeted about this yesterday on 2015-07-21 ( link ), where Nuclear EK's URL patterns look a lot more like Anger EK now.
• Kafeine's post provides a quick Pastebin link with examples of the URL patterns at:  https://pastebin.com/79UfNMWQ
• Today, I'm posting 3 examples of Nuclear EK with these new URL patterns:  one by the Windigo group, one by the BizCN gate actor, and another example.

 

FIRST EXAMPLE:  WINDIGO GROUP NUCLEAR EK

ASSOCIATED DOMAINS:

• filestore72[.]info - Compromised web site
• 184.75.208[.]115 port 80 - 2aq3yszjpdplaaoiyxvf99g.itsafact[.]info - Redirection domain
• 184.75.208[.]115 port 80 - 7187n9dq2m48y2i4i1wpmpj.itsafact[.]info - Nuclear EK
• 198.27.78[.]145 port 39632 - no domain - Post-infection Glupteba callback
• 198.27.76[.]97 port 51975 - no domain - Post-infection Glupteba callback

 

COMPROMISED WEBSITE AND CUSHION REDIRECT:

• 2015-07-22 16:30:29 UTC - filestore72[.]info - GET /download.php?id=4d29b9a5

• 2015-07-22 16:30:30 UTC - 2aq3yszjpdplaaoiyxvf99g.itsafact[.]info - GET /index.php?k=enlqd3VpeT1hdmRsem16aW4mdGltZT0xNTA3MjIxNjI3NTgyMzI3NzU5JnNyYz0
  3NiZzdXJsPWZpbGVzdG9yZTcyLmluZm8mc3BvcnQ9ODAma2V5PTZCOTZBQTc1JnN1cmk9L2Rvd25sb2FkLnBocCUzZmlkPTRkMjliOWE1

• 2015-07-22 16:30:31 UTC - 2aq3yszjpdplaaoiyxvf99g.itsafact[.]info - GET /watch.php?iyyho=MTA3NjU5ZDY2MDdlNTY5ZGQ1YmVlZDZjYjk5NTZhZTE2

 

NUCLEAR EK:

• 2015-07-22 16:30:32 UTC - 7187n9dq2m48y2i4i1wpmpj.itsafact[.]info - GET /search?q=aClpUXEtJAQRVSU8AHwMBAQRbWlBBC14BW00&mMoJ=cESlJTAldE&
  4asydl=6b4d93cc6&Eg94=bCUAdcUkNAVENfTV1&8DInuO=dF1pbBVs&Y3aSWl=029da294d3

• 2015-07-22 16:30:33 UTC - 7187n9dq2m48y2i4i1wpmpj.itsafact[.]info - GET /search?q=cEEVxoCCQB&SiiCQD=bQRbWlBBC14BW00CUAdcUkNAVENfTV1ES
  lJTAldEF1pbBVtMAAIbUQcIFw&QqbOLjL=33f99e2&fqgOS=538ce1e&hKnal=dJUgADDgYNUQ&JbXRg=aBkxARVEFBkRMDE8BHwMBA&rXt=eIDC09TDwc

• 2015-07-22 16:30:35 UTC - 7187n9dq2m48y2i4i1wpmpj.itsafact[.]info - GET /search?q=d0HUgAeCwMG&XFxd=fFtmAFx6U1tJUg&lgm=9c1018a&MQR=
  29a4ca6a6c&NLxdgG=eHwUECgQAWwYGCgFJVEhgV&bRG=aBV1cXE9XU1FARQZJV0gHCAsCDQ1USAFYVwxJC1oBCgVHS&ylXWX=cTTR1cDV
  JfRQoETQYDAR&Ain=bV5FCRpZTUBUBVV

 

SOME OF THE POST-INFECTION TRAFFIC CAUSED BY THE GLUPTEBA MALWARE PAYLOAD:

• 2015-07-22 16:30:43 UTC - 198.27.78[.]145 port 39632 - GET /stat?uid=100&downlink=1111&uplink=1111&id=001FB866&statpass=bpass&version=21150720&
  features=30&guid=e918e400-b6cc-4cb8-8138-b830facb363e&comment=21150720&p=0&s=

• 2015-07-22 16:31:12 UTC - www.google[.]com - GET /robots.txt

• 2015-07-22 16:31:37 UTC - 198.27.76[.]97 port 51975 - GET /stat?uid=100&downlink=1111&uplink=1111&id=002089F7&statpass=bpass&version=21150720&
  features=30&guid=e918e400-b6cc-4cb8-8138-b830facb363e&comment=21150720&p=1&s=108.163.245[.]234:49053,184.154.142[.]226:13208,198.27.76[.]97:51975

 

SECOND EXAMPLE:  BIZCN GATE ACTOR NUCLEAR EK

ASSOCIATED DOMAINS:

• forum.freeadvice[.]com - Compromised web site
• 136.243.25[.]242 port 80 - skalelinasa[.]com - BizCN registered gate
• 178.62.179[.]76 port 80 - omapsget[.]link - Nuclear EK
• 54.169.9[.]2 port 80 - th.kidlander[.]com - Post-infection callback from CryptoWall 3.0 ransomware
• 195.210.46[.]104 port 80 - arabella[.]kz - Post-infection callback from CryptoWall 3.0 ransomware
• 184.168.47[.]225 port 80 - guypjones[.]com - Post-infection callback from CryptoWall 3.0 ransomware
• 85.204.50[.]99 port 80 - bibubracelets[.]ro - Post-infection callback from CryptoWall 3.0 ransomware
• 107.6.184[.]22 port 80 - fotosoimagenes[.]com - Post-infection callback from CryptoWall 3.0 ransomware
• 184.168.47[.]225 port 80 - africanadvances[.]com - Post-infection callback from CryptoWall 3.0 ransomware
• 66.147.242[.]164 port 80 - 3dfactorymexico[.]com - Post-infection callback from CryptoWall 3.0 ransomware
• 89.40.32[.]180 port 80 - leooptic[.]ro - Post-infection callback from CryptoWall 3.0 ransomware
• 213.238.166[.]230 port 80 - beybladeoyunlari[.]org - Post-infection callback from CryptoWall 3.0 ransomware
• 103.28.39[.]102 port 80 - gachcbv[.]com - Post-infection callback from CryptoWall 3.0 ransomware
• 212.90.148[.]53 port 80 - antikerie[.]de - Post-infection callback from CryptoWall 3.0 ransomware
• 5.153.10[.]229 port 80 - businesscod[.]com - Post-infection callback from CryptoWall 3.0 ransomware
• 84.2.35[.]134 port 80 - rolandapartman[.]hu - Post-infection callback from CryptoWall 3.0 ransomware
• 209.251.58[.]142 port 80 - husseinbahadi[.]com - Post-infection callback from CryptoWall 3.0 ransomware

 

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-22 16:55:10 UTC - forum.freeadvice[.]com - GET /
• 2015-07-22 16:55:11 UTC - skalelinasa[.]com - GET /xPtZLKkY-zXm_SMsIq-/oY.php?s-L0lR=6ue769&Z=de9-b_-0&weQhz9=_8PaQKc-e2&PeK=a3

 

NUCLEAR EK:

• 2015-07-22 16:55:14 UTC - omapsget[.]link - GET /search?q=aD1ZXXU9MAlcCU0JMV0RcV&ESzTK6Y=65ff4a&vuT=08b9ef35e&A8jV=bVZAFV9&cxujlGu=cWTBlcD1ZY

• 2015-07-22 16:55:14 UTC - omapsget[.]link - GET /search?q=bRAZMU0RcVVZAFV9WTBlc&gCU=fQACGgkHCwAFXgwCCQNMAFQA&LszQ=aA0BDRFNfV1NG&
  pDEJ=eQEdC&GIL=dAAYeU&HbSwF=cD1ZYRAYAURYC&AVIoQ=93f74cf7&LbOU=1a5cf3

• 2015-07-22 16:55:16 UTC - omapsget[.]link - GET /search?q=cg9PU05iDWF4bksB&ZagF=aAFFfXUtUCQlYTUsBGg1PV1pRFktUXUMeClFdU0sBVg8dCQ8BSA8KF&
  PCJ=9c120399c0<w=7feb8d&XQKTjPM=bgYHVEQCDAQHUwAHCQYEG

 

POST-INFECTION TRAFFIC CAUSED BY THE CRYPTOWALL 3.0 RANSOMWARE:

• 2015-07-22 16:55:26 UTC - ip-addr[.]es - GET /
• 2015-07-22 16:55:27 UTC - th.kidlander[.]com - POST /wp-content/plugins/wp-db-backup-made/b.php?t=vhe4cw66iab2
• 2015-07-22 16:55:28 UTC - arabella[.]kz - POST /wp-content/plugins/wp-db-backup-made/a.php?x=vhe4cw66iab2
• 2015-07-22 16:55:30 UTC - guypjones[.]com - POST /wp-content/themes/twentyeleven/a.php?x=vhe4cw66iab2
• 2015-07-22 16:55:31 UTC - bibubracelets[.]ro - POST /wp-content/themes/twentytwelve/e.php?x=vhe4cw66iab2
• 2015-07-22 16:55:31 UTC - noracaron[.]com - POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/a.php?f=vhe4cw66iab2
• 2015-07-22 16:55:33 UTC - www.noracaron[.]com - GET /contact/
• 2015-07-22 16:55:34 UTC - fotosoimagenes[.]com - POST /wp-content/plugins/wp-mobile-edition/admin/includes/mobile_themes/mTheme-Unus/images/
  blue/a.php?p=vhe4cw66iab2
• 2015-07-22 16:55:35 UTC - www.fotosoimagenes[.]com - GET /
• 2015-07-22 16:55:40 UTC - hotfrance[.]ru - POST /wp-content/themes/dreamynight-10/a.php?k=vhe4cw66iab2
• 2015-07-22 16:55:41 UTC - africanadvances[.]com - POST /wp-content/plugins/updraftplus/oc/guzzle/Guzzle/Service/Command/LocationVisitor/Request/
  a.php?s=vhe4cw66iab2
• 2015-07-22 16:55:45 UTC - 3dfactorymexico[.]com - POST /foro/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Session/Storage/Handler/
  c.php?d=vhe4cw66iab2
• 2015-07-22 16:55:47 UTC - leooptic[.]ro - POST /wp-content/themes/twentytwelve/c.php?h=vhe4cw66iab2
• 2015-07-22 16:55:48 UTC - beybladeoyunlari[.]org - POST /wp-content/themes/twentytwelve/b.php?z=vhe4cw66iab2
• 2015-07-22 16:56:19 UTC - gachcbv[.]com - POST /plugins/system/plg_system_rewrite/a.php?y=vhe4cw66iab2
• 2015-07-22 16:56:20 UTC - antikerie[.]de - POST /wp-content/plugins/revslider/css/jui/new/images/d.php?x=vhe4cw66iab2
• 2015-07-22 16:56:51 UTC - businesscod[.]com - POST /tmp/e.php?f=vhe4cw66iab2
• 2015-07-22 16:56:52 UTC - ibjja[.]com - POST /blog/wp-content/plugins/scribe/lib/history/views/meta-box/c.php?z=vhe4cw66iab2
• 2015-07-22 16:56:53 UTC - rolandapartman[.]hu - POST /de/wp-content/plugins/wp-db-backup-made/e.php?j=vhe4cw66iab2
• 2015-07-22 16:56:57 UTC - husseinbahadi[.]com - POST /wp-content/uploads/b.php?b=vhe4cw66iab2

 

THIRD EXAMPLE:  OTHER NUCLEAR EK

ASSOCIATED DOMAINS:

• 46.101.63[.]163 port 80 - abgyhutytrecxnme[.]ga - Nuclear EK

 

NUCLEAR EK:

• 2015-07-22 17:39:26 UTC - abgyhutytrecxnme[.]ga - GET /search?q=dd&sD1=bERKT&23ETmb=aUF9WAEhPSQNXAVlQRQQHGVFRXkhaE&fRtY=fQcAlE&qGXso=
  eVF&jxpyAoq=cUNXBkh&yMnaZk=35d68f2&CCmF=4ba67d6d

• 2015-07-22 17:39:27 UTC - abgyhutytrecxnme[.]ga - GET /search?q=aXElCGUABXFVbBkwGD&RoU=51868a&xVQaFDS=6d86e1&jSiwSW=dcHFwMGXUwCDQIFU
  AgFDgcEGVZfCg&rhWKD=cQV9fAB5UWE0DXQQdCAcGSw&iGwYzt=bE0DXQVPWFNVHFhGTUhGF1VQ

• 2015-07-22 17:39:31 UTC - abgyhutytrecxnme[.]ga - GET /search?q=3234e5&JhDKPu=aX1heAExDC1RWDFNPDAROVAgGRVBQAklbTEVLEUJWWklcCF&iIZA=
  34926281&KwpptY=dUBUgULDwYEU0wERWd8KXhYRQA&rIQQxrN=cEDR8AUQhPCA&OyoqI=bUdXlBOVAgHFwAEUR4

 

Click here to return to the main page.