2014-09-08 - NUCLEAR EK FROM 151.236.216[.]177 - BUBLEROSKA.SMART-SIMCHAH[.]COM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-09-08-Nuclear-EK-traffic.pcap.zip
• 2014-09-08-Nuclear-EK-malware.zip

 

NOTES:

• The redirect pointing to this Nuclear EK ends with 16.html instead of 15.html or some variation as we've seen in the previous few weeks.
• The malware payload pushes out pharmacy spam.  It triggers ET rules for Win32/Tofsee, and some of the anti-virus vendors call this malware "Dorifel".
• I saw a redirect (gate) URL for Nuclear EK ending with 13.html in early June 2014.  I'm guessing this is the same actor.

 

PREVIOUS BLOG ENTRIES ON NUCLEAR EK FROM THIS ACTOR:

• 2014-09-08 - Nuclear EK from 151.236.216[.]177 - bubleroska.smart-simchah[.]com -- gate: 178.62.147[.]65 - digirosmut.okephone[.]com/eghrhtrhfdgrehh16.html
• 2014-09-04 - Nuclear EK from 80.85.84[.]188 - afridun.autoth[.]com -- gate: 178.62.147[.]62 - puperlikis.taylormadecookies[.]com/ablousdec15.html?%a
• 2014-09-03 - Nuclear EK from 80.85.84[.]142 - giodulder.laurentiucozma[.]ro -- gate: 178.62.147[.]62:80 - ibirtused.nor-365[.]com/ravuekafo15.html
• 2014-08-28 - Nuclear EK from 80.85.84[.]142 - giodulder.laurentiucozma[.]ro -- gate: 178.62.156[.]134:80 - nikajumet.solutionoptic[.]com[.]ar/troisegahol15.html?
• 2014-08-17 - Nuclear EK from 176.58.126[.]215 - gegosima.rubiaguru[.]com[.]ar -- gate: 178.62.174[.]18:80 - exitalis.hulme[.]ca/bubahetar.cgi?15
• 2014-08-01 - Nuclear EK from 85.159.213[.]246 - paraletas.patmos-star[.]com -- gate: 95.85.17[.]107:80 - cucnaterafos.amtranexperts[.]com/roriskajetas15.html
• 2014-07-10 - Nuclear EK from 93.189.40[.]229 - gumeno.yahooaple[.]com -- gate: 188.226.208[.]231 - gosinaj.cynthiamartinez[.]com[.]ar/link15.hotbox
• 2014-06-02 - Nuclear EK from 80.240.139[.]203 - brozdec.uneekstudio[.]com -- gate: 80.240.139[.]203 - brozdec.uneekstudio[.]com/jtrsuyowertdhsrtj13.html

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 66.147.244[.]97 - www.sandalwoodmedical[.]ca - Compromised website
• 178.62.147[.]65 - digirosmut.okephone[.]com - Redirect
• 151.236.216[.]177 - bubleroska.smart-simchah[.]com - Nuclear EK
• various IP addresses - Post-infection traffic and pharmacy spam (see below)

 

COMPROMISED WEBSITE AND REDIRECT:

• 20:47:48 UTC - 66.147.244[.]97:80 - www.sandalwoodmedical[.]ca - GET /contact-us/
• 20:47:48 UTC - 66.147.244[.]97:80 - www.sandalwoodmedical[.]ca - GET /wp-includes/js/comment-reply.min.js?ver=3.9.2
• 20:47:49 UTC - 178.62.147[.]65:80 - digirosmut.okephone[.]com - GET /eghrhtrhfdgrehh16.html

 

NUCLEAR EK:

• 20:47:49 UTC - 151.236.216[.]177:80 - bubleroska.smart-simchah[.]com - GET /88729d83lfafyn/1/9ffbf35e4190fbba62f70c8477fa3964.html
• 20:47:54 UTC - 151.236.216[.]177:80 - bubleroska.smart-simchah[.]com - GET /894761368/2/1410209280.swf
• 20:47:55 UTC - 151.236.216[.]177:80 - bubleroska.smart-simchah[.]com - GET /f/2/1410209280/894761368/7
• 20:47:59 UTC - 151.236.216[.]177:80 - bubleroska.smart-simchah[.]com - HEAD /894761368/2/1410209280.htm
• 20:47:59 UTC - 151.236.216[.]177:80 - bubleroska.smart-simchah[.]com - GET /894761368/2/1410209280.htm
• 20:48:35 UTC - 151.236.216[.]177:80 - bubleroska.smart-simchah[.]com - GET /894761368/2/1410209280.jar
• 20:48:35 UTC - 151.236.216[.]177:80 - bubleroska.smart-simchah[.]com - GET /f/2/1410209280/894761368/2
• 20:48:36 UTC - 151.236.216[.]177:80 - bubleroska.smart-simchah[.]com - GET /f/2/1410209280/894761368/2/2

 

POST-INFECTION TRAFFIC:

• 20:48:23 UTC - 111.121.193[.]238:443 - encrypted TCP stream
• 20:48:54 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:49:00 UTC - 173.194.115[.]114:80 - www.google[.]com - GET /
• 20:49:00 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 20:49:30 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:50:02 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:50:35 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:51:07 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:51:39 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:52:11 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:52:43 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:53:16 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:56:28 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 20:56:45 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 20:56:50 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 20:57:43 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 20:58:18 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:58:50 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:59:22 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 20:59:26 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 20:59:54 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 21:00:02 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 21:00:14 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 21:00:27 UTC - 5.104.106[.]42:36569 - encrypted TCP stream
• 21:00:39 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 21:00:49 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 21:01:06 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 21:01:24 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 21:02:05 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• 21:02:19 UTC - 77.120.103[.]26:4569 - encrypted TCP stream
• The infected host also generated a large amount of SMTP traffic for pharmacy spam (not included in the pcap).  See the image below for an example.

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-09-08-Nuclear-EK-flash-exploit.swf
File size:  5,662 bytes
MD5 hash:  278fe2398a349ee6f22a02dcdeab66aa
Detection ratio:  2 / 55
First submission:  2014-09-05 07:17:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/38708505ab3b8267f5744e82c86d153654d290b99c4fd18ad96dd78ea5f4197b/analysis/

 

JAVA EXPLOIT:

File name:  2014-09-08-Nuclear-EK-java-exploit.jar
File size:  14,138 bytes
MD5 hash:  84a68bd1ae3f71b91fafc0b6d1b7ad29
Detection ratio:  2 / 55
First submission:  2014-09-08 22:25:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7302ebe585d117f7428fabceaf0e2c8b20e590d16fa82e7237a44417c3ec9ef5/analysis/

 

MALWARE PAYLOAD:

File name:  2014-09-08-Nuclear-EK-malware-payload.exe
File size:  151,552 bytes
MD5 hash:  50c5952c549bbfee7d5f34f60b6b000a
Detection ratio:  7 / 55
First submission:  2014-09-08 14:48:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/102bc44f010ad2917e728da4ca0e825512450ed67da22dd2f9ab0b9e6d0bebde/analysis/

 

ALERTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-09-08 20:47:54 UTC - 151.236.216[.]177:80 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2018362)
• 2014-09-08 20:47:55 UTC - 151.236.216[.]177:80 - ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 (sid:2017667)
• 2014-09-08 20:47:55 UTC - 151.236.216[.]177:80 - ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (sid:2013962)
• 2014-09-08 20:47:56 UTC - 151.236.216[.]177:80 - ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile (sid:2009080)
• 2014-09-08 20:47:59 UTC - 151.236.216[.]177:80 - ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013 (sid:2017774)
• 2014-09-08 20:48:23 UTC - 111.121.193[.]238:443 - ETPRO TROJAN Win32/Tofsee Loader Config Download (sid:2808577)
• 2014-09-08 20:48:35 UTC - 151.236.216[.]177:80 - ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 (sid:2017666)
• 2014-09-08 20:48:35 UTC - 151.236.216[.]177:80 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass (sid:2800029)
• 2014-09-08 20:48:36 UTC - 151.236.216[.]177:80 - ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby (sid:2013036)
• 2014-09-08 20:49:00 UTC - 173.194.115[.]114:80 - ET POLICY Internet Explorer 6 in use - Significant Security Risk (sid:2010706)
• 2014-09-08 20:49:00 UTC - 173.194.115[.]114:80 - ETPRO TROJAN Win32/Tofsee.AX google[.]com connectivity check (sid:2808012)
• 2014-09-08 20:49:00 UTC - 173.194.115[.]114:80 - ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan (sid:2003394)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

• 2014-09-08 20:47:50 UTC - 151.236.216[.]177 - [139:1:1] (spp_sdf) SDF Combination Alert (x2)
• 2014-09-08 20:47:50 UTC - 151.236.216[.]177:80 - [1:31734:1] EXPLOIT-KIT Nuclear exploit kit landing page detection
• 2014-09-08 20:47:55 UTC - 151.236.216[.]177:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-09-08 20:47:55 UTC - 151.236.216[.]177:80 - [1:28423:1] EXPLOIT-KIT Multiple exploit kit single digit exe detection (x3)
• 2014-09-08 20:47:55 UTC - 151.236.216[.]177:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected (x2)
• 2014-09-08 20:47:59 UTC - 151.236.216[.]177:80 - [1:29186:2] EXPLOIT-KIT Nuclear exploit kit outbound connection
• 2014-09-08 20:48:35 UTC - 151.236.216[.]177:80 - [1:30219:3] EXPLOIT-KIT Nuclear exploit kit outbound jar request
• 2014-09-08 20:48:35 UTC - 151.236.216[.]177:80 - [1:27816:5] EXPLOIT-KIT Multiple exploit kit jar file download attempt
• 2014-09-08 20:48:36 UTC - 151.236.216[.]177:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-09-08 20:48:36 UTC - 151.236.216[.]177:80 - [1:25042:3] EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit
• 2014-09-08 20:48:36 UTC - 151.236.216[.]177:80 - [1:30220:3] EXPLOIT-KIT Nuclear exploit kit outbound payload request
• 2014-09-08 20:51:41 UTC - 5.104.106[.]42:36569 - [129:12:1] Consecutive TCP small segments exceeding threshold (x2)
• 2014-09-08 20:58:43 UTC - 77.120.103[.]26:4569 - [129:12:1] Consecutive TCP small segments exceeding threshold (x3)

 

Click here to return to the main page.