2015-01-01 - NUCLEAR EK (OPERATION WINDIGO) FROM 67.215.2.195 - JKARBQS789VHNMQZN919NHM.EKAY61.COM
ASSOCIATED FILES:
- ZIP - PCAP from the infection traffic: 2015-01-01-Windigo-group-Nuclear-EK-traffic.pcap.zip
- ZIP - PCAP from malwr.com analysis of Glupteba payload: 2015-01-01-Glupteba-analysis-from-malwr.com.pcap.zip
- ZIP - PCAP from running Glupteba payload in a VM: 2015-01-01-Glupteba-run-on-a-VM.pcap.zip
- ZIP - associated malware and artifacts: 2015-01-01-Nuclear-EK-malware.zip
NOTES:
- Today's malware payload was Glupteba, which is the usual payload for Operation Windigo.
- For more information about Operation Windigo, ESET published a report available here.
CHAIN OF EVENTS
ASSOCIATED DOMAINS:
- 91.109.247.12 - www.celebrityvalley.com - Compromised website
- 67.215.2.195 - pn24tmg6bxdzvpxgypgvxwt.ekay61.com - Cushion redirect (first domain)
- 67.215.2.195 - pn24tmg6bxdzvpxgypgvxwt1275597798de83cb36ba750ef5e7e09f9.ekay61.com - Cushion redirect (second domain)
- 67.215.2.195 - jkarbqs789vhnmqzn919nhm.ekay61.com - Nuclear EK
- 62.212.154.163 - 62.212.154.163 - Glupteba callback traffic over TCP ports 20909 and 44512
COMPROMISED WEBSITE AND URL THAT RETURNED THE REDIRECT:
- 2015-01-01 01:42:01 UTC - www.celebrityvalley.com - GET /
- 2015-01-01 01:42:06 UTC - www.celebrityvalley.com - GET /wp-content/themes/swagger/js/plugins.js
CUSHION REDIRECT:
- 2015-01-01 01:42:07 UTC - pn24tmg6bxdzvpxgypgvxwt.ekay61.com - GET /index.php?b=anM9MSZ1eGJtY3BrZT15amkmdGltZT0xNTAxMDEwMTM3MjMzMjAzNDk1MCZzcmM9Mjc1JnN1cmw9d3d3LmNlbGVicml0eXZhbGxleS5jb20mc3BvcnQ9ODAma2V5PTI3NjVDQ0Q1JnN1cmk9L3dwLWNvbnRlbnQvdGhlbWVzL3N3YWdnZXIvanMvcGx1Z2lucy5qcw==
- 2015-01-01 01:42:09 UTC - pn24tmg6bxdzvpxgypgvxwt1275597798de83cb36ba750ef5e7e09f9.ekay61.com - GET /get_gift.php
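The base64 in the cushion redirect's b= parameter decodes to a plain query string that names the compromised site and the script it was injected into, which is how the same referrer can be pulled out of proxy logs. This is an added example, not code from the original post; the http:// scheme prefix is assumed, since the page logs only host and path.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# The first ekay61.com request as logged on this page; the whole "b=" value
# is one base64 token, reproduced here in pieces only to keep lines short.
CUSHION_URL = (
    "http://pn24tmg6bxdzvpxgypgvxwt.ekay61.com/index.php?b="
    "anM9MSZ1eGJtY3BrZT15amkmdGltZT0xNTAxMDEwMTM3MjMzMjAzNDk1M"
    "CZzcmM9Mjc1JnN1cmw9d3d3LmNlbGVicml0eXZhbGxleS5jb20mc3BvcnQ9ODAm"
    "a2V5PTI3NjVDQ0Q1JnN1cmk9L3dwLWNvbnRlbnQvdGhlbWVzL3N3YWdnZXIvanMvc"
    "Gx1Z2lucy5qcw=="
)


def decode_cushion_b(url: str) -> dict:
    """Return the key/value pairs hidden in the redirect's base64 'b=' parameter."""
    outer = parse_qs(urlsplit(url).query, keep_blank_values=True)
    token = outer["b"][0]
    # Restore padding a log pipeline may have stripped; accept the URL-safe alphabet too.
    token += "=" * (-len(token) % 4)
    inner = base64.b64decode(token, altchars=b"-_").decode("ascii", errors="replace")
    return {k: v[0] for k, v in parse_qs(inner, keep_blank_values=True).items()}


def referring_site(url: str) -> str:
    """Compromised host plus the injected script path carried in surl/suri."""
    fields = decode_cushion_b(url)
    return f"{fields.get('surl', '?')}{fields.get('suri', '')}"


if __name__ == "__main__":
    for k, v in decode_cushion_b(CUSHION_URL).items():
        print(f"{k} = {v}")
    print("referrer:", referring_site(CUSHION_URL))
```

The surl and suri fields match the compromised site and the plugins.js request logged just above, so decoding this parameter is a quick way to confirm which page seeded the redirect.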
NUCLEAR EK:
- 2015-01-01 01:42:10 UTC - jkarbqs789vhnmqzn919nhm.ekay61.com - GET /V0ZWUUgDT0Y.html
- 2015-01-01 01:42:11 UTC - jkarbqs789vhnmqzn919nhm.ekay61.com - GET /AwoVGwUGAEEOVxlXDlRTBgIDQERTV1YOVFcDHAJBRUhdVlxXVA1OVRtA
- 2015-01-01 01:42:12 UTC - jkarbqs789vhnmqzn919nhm.ekay61.com - GET /ABsJAkgDB0REGlQaQxlWAAADR0VQUFRCGVYEBR1GRFFLXkJLVQcLT0IOFA0PIgY1QQ
- 2015-01-01 01:42:14 UTC - jkarbqs789vhnmqzn919nhm.ekay61.com - GET /ABsJAkgDB0REGlQaQxlWAAADR0VQUFRCGVYEBR1GRFFLXkJLVQcLT0IOEREoBC8bBg
- 2015-01-01 01:42:14 UTC - jkarbqs789vhnmqzn919nhm.ekay61.com - GET /AwoVGwUGAEEOVxlXDlRTBgIDQERTV1YOVFcDHAJBRUhdVlxXVA1OQB4eEAAU
- 2015-01-01 01:42:16 UTC - jkarbqs789vhnmqzn919nhm.ekay61.com - GET /ABsJAkgDB0REGlQaQxlWAAADR0VQUFRCGVYEBR1GRFFLXkJLVQcLT08OFA0PIgY1QQ
- 2015-01-01 01:42:18 UTC - jkarbqs789vhnmqzn919nhm.ekay61.com - GET /ABsJAkgDB0REGlQaQxlWAAADR0VQUFRCGVYEBR1GRFFLXkJLVQcLT08OEREoBC8bBg
POST-EK TRAFFIC TO ADULTFRIENDFINDER:
- 2015-01-01 01:42:29 UTC - 01naxtw68121x3lwjuw6z7p.escortbayanlar.pro - GET /get_ads.php?yy=1&aid=2&atr=exts&src=275
- 2015-01-01 01:42:34 UTC - adultfriendfinder.com - GET /go/p1011105.subexts
- 2015-01-01 01:42:35 UTC - adultfriendfinder.com - GET /go/page/landing_page_68?nid=14&layout=qna&pid=p1011105.subexts&ip=auto&no_click=1&alpo_redirect=1
POST-INFECTION TRAFFIC IN A VM:
- 2015-01-01 15:10:36 UTC - 62.212.154.163:20909 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0009368A&statpass=bpass&version=15141228&features=30&guid=2f4e5a3f-7486-4fc5-9e87-1bef6302cd44&comment=15141228&p=0&s= HTTP/1.0
- 2015-01-01 15:10:40 UTC - 62.212.154.163:44512 - Glupteba TCP traffic
- 2015-01-01 15:15:50 UTC - www.google.com - GET /robots.txt
- 2015-01-01 15:15:51 UTC - attempted TCP connection to 3 different IP addresses over port 25 (RST by server)
SNORT EVENTS - INITIAL INFECTION
Emerging Threats and ETPRO rulesets from Sguil on Security Onion monitoring the infection traffic using Suricata (not including ET INFO or ET POLICY rules):
- 2015-01-01 01:42:07 UTC - 192.168.138.158:49210 - 67.215.2.195:80 - ET CURRENT_EVENTS Cushion Redirection (sid:2017552)
- 2015-01-01 01:42:08 UTC - 192.168.138.158:52285 - 8.8.8.8:53 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (sid:2018275)
- 2015-01-01 01:42:11 UTC - 67.215.2.195:80 - 192.168.138.158:49222 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Dec 29 2014 (sid:2020082)
- 2015-01-01 01:42:11 UTC - 67.215.2.195:80 - 192.168.138.158:49222 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (sid:2019845)
- 2015-01-01 01:42:12 UTC - 67.215.2.195:80 - 192.168.138.158:49223 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (sid:2019873)
Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7 using tcpreplay:
- 2015-01-01 01:42:08 UTC - 192.168.138.158:52285 - 8.8.8.8:53 - [1:30272:1] MALWARE-OTHER Unix.Trojan.Onimiki redirected client DNS request
- 2015-01-01 01:42:11 UTC - 67.215.2.195:80 - 192.168.138.158:49222 - [1:32359:1] FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt
- 2015-01-01 01:42:12 UTC - 67.215.2.195:80 - 192.168.138.158:49223 - [1:32879:1] EXPLOIT-KIT Nuclear exploit kit payload delivery
SNORT EVENTS - RUNNING GLUPTEBA IN A VM
Emerging Threats and ETPRO rulesets from Sguil on Security Onion monitoring the infection traffic using Suricata (not including ET INFO or ET POLICY rules):
- 2015-01-01 15:10:36 UTC - 192.168.204.137:49158 - 62.212.154.163:20909 - ET TROJAN Win32/Glupteba CnC Checkin (sid:2014293)
Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7 using tcpreplay:
- 2015-01-01 15:10:36 UTC - 192.168.204.137:49158 - 62.212.154.163:20909 - [1:30977:1] MALWARE-CNC Win.Trojan.Jaik variant outbound connection
- 2015-01-01 15:10:41 UTC - 62.212.154.163:44512 - 192.168.204.137:various - [1:31603:2] MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client
- 2015-01-01 15:10:41 UTC - 192.168.204.137:49159 - 62.212.154.163:44512 - [1:31607:1] MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server
- 2015-01-01 15:10:42 UTC - 62.212.154.163:44512 - 192.168.204.137:49159 - [1:31604:1] MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client
- 2015-01-01 15:15:12 UTC - 62.212.154.163:44512 - 192.168.204.137:various - [1:31605:2] MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client
PRELIMINARY MALWARE ANALYSIS
FLASH EXPLOIT
File name: 2015-01-01-Nuclear-EK-flash-exploit.swf
File size: 23.0 KB ( 23574 bytes )
MD5 hash: b2caafaffe671c5d01ba8e4639c8b694
Detection ratio: 1 / 54
First submission: 2014-12-29 11:21:03 UTC
VirusTotal link: https://www.virustotal.com/en/file/a4ffa77ead9a12f8c92baf56811c8fecea00318237c14873a4d1365e59383dc0/analysis/
SILVERLIGHT EXPLOIT
File name: 2015-01-01-Nuclear-EK-silverlight-exploit.xap
File size: 18.6 KB ( 19011 bytes )
MD5 hash: 1758856cf438d3e4f6bf9bbba7fa57e7
Detection ratio: 0 / 55
First submission: 2015-01-01 03:17:00 UTC
VirusTotal link: https://www.virustotal.com/en/file/1a9d7563bc019b7563344213f1d70d36c49092a20581581b3829cd6be3deedd1/analysis/
MALWARE PAYLOAD (GLUPTEBA)
File name: 2015-01-01-Nuclear-EK-malware-payload.exe
File size: 113.3 KB ( 116010 bytes )
MD5 hash: 09708c49ffb1556c9b80b3a2dc1f57fe
Detection ratio: 16 / 56
First submission: 2015-01-01 03:17:14 UTC
VirusTotal link: https://www.virustotal.com/en/file/3131530e33f806f9a65879a3948c41cae29acb240687b0bede928d28fd4151bf/analysis/
Malwr link: https://malwr.com/analysis/OGU3MzNmOWY1MTk3NGQzNmJkMGU1YTUzNGVkM2U3ZTc/
SCREENSHOTS FROM THE TRAFFIC
HTTP GET request that returns a 302 Found for the Cushion redirect:
First HTTP GET request for the Cushion redirect:
Second HTTP GET request for the Cushion redirect:
Nuclear EK sends Flash exploit:
Nuclear EK sends Silverlight exploit:
EXE payload sent after successful exploit. The malware payload is XOR-ed with the ASCII string: rhiPcRu
Post-infection traffic from the infected VM:
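The XOR-ed payload noted above can be unwrapped offline from the HTTP body carved out of the pcap, with a header check so a wrong key is noticed. This is an added example, not code from the original post; KEY is the string the page names, and the PE stub it is demonstrated on is a constructed stand-in, not the Glupteba sample.

```python
from typing import Optional

KEY = b"rhiPcRu"  # XOR key named on this page for the Nuclear EK payload


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes, key: bytes = KEY) -> Optional[bytes]:
    """Decode a captured payload body; return it only if it passes the PE check."""
    decoded = xor_with_key(blob, key)
    return decoded if looks_like_pe(decoded) else None


def make_constructed_pe_stub() -> bytes:
    """Constructed stand-in for a real EXE (MZ header, e_lfanew=0x80, PE signature)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x4E:0x4E + 38] = b"This program cannot be run in DOS mode"
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386


if __name__ == "__main__":
    original = make_constructed_pe_stub()
    on_the_wire = xor_with_key(original, KEY)  # what the HTTP body would carry
    print("encoded body passes PE check:", looks_like_pe(on_the_wire))
    print("decoded body matches original:", recover_payload(on_the_wire) == original)
```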
FINAL NOTES
Once again, here are the associated files:
- ZIP - PCAP from the infection traffic: 2015-01-01-Windigo-group-Nuclear-EK-traffic.pcap.zip
- ZIP - PCAP from malwr.com analysis of Glupteba payload: 2015-01-01-Glupteba-analysis-from-malwr.com.pcap.zip
- ZIP - PCAP from running Glupteba payload in a VM: 2015-01-01-Glupteba-run-on-a-VM.pcap.zip
- ZIP - associated malware and artifacts: 2015-01-01-Nuclear-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.