2015-02-11 - WINDIGO GROUP NUCLEAR EK

ASSOCIATED FILES:

• ZIP of the pcaps:  2015-02-11-Windigo-Group-Nuclear-EK-all-3-pcaps.zip
• ZIP of the malware:  2015-02-11-Windigo-Group-Nuclear-EK-malware.zip

 

NOTES:

For more information about Operation Windigo, ESET published a report available here.

 

A key indicator for Operation Windigo is traffic that triggers the EmergingThreats alert ET CURRENT_EVENTS Cushion Redirection (sid:2017552)

 

Here are IP addresses and domains I've noticed for cushion redirection so far this year (ones not previously posted on this blog):

• 2015-01-13 19:41 UTC - 147.52.82.14 - kb99620dyrwcw362xeuxgxl.avantajsepeti.com
• 2015-01-19 18:33 UTC - 41.77.113.241 - fbno0lxhdl0b9o8jlmkapji.pasa-konaklari.com
• 2015-02-01 17:40 UTC - 192.210.50.30 - 8h6gwzm98f6jd4wz23alii.multitekservisi.com
• 2015-02-02 20:26 UTC - 188.40.162.97 - yiyij1wr6ln5ok7kd0pqptl.serinova.av.tr
• 2015-02-03 19:09 UTC - 95.154.166.120 - q1emcieunrhvrln3d9gejnf.balmina.com
• 2015-02-09 01:00 UTC - 5.39.98.0 - ldci5g6gdvc22g3wobdkzhg.sembolferforje.com
• 2015-02-09 21:48 UTC - 108.178.39.50 - jfxh1jnieikf6hrefbhcdxi.seyahatdefteri.com
• 2015-02-09 23:28 UTC - 108.178.39.50 - hv1nhh4j1vta2bo1v2tg2ij.syaivo.org

 

In today's Nuclear EK traffic, the Flash exploit was the same all three times:

• 2015-02-11-Windigo-Group-Nuclear-EK-flash-exploit.swf   -   MD5 hash: 6f7b6c70739822e804d1d25b3329ba22

 

But the landing pages and malware payloads were different each time:

• 2015-02-11-Windigo-Group-Nuclear-EK-landing-page-example-01.txt - MD5 hash: cb13f231d210972c8556617549bd281a
• 2015-02-11-Windigo-Group-Nuclear-EK-landing-page-example-02.txt - MD5 hash: d502692f6e958e53dc7fa0b4af07d1fc
• 2015-02-11-Windigo-Group-Nuclear-EK-landing-page-example-03.txt - MD5 hash: ecb1c1131cac64b254f1bf8b2d5af785
• 2015-02-11-Windigo-Group-Nuclear-EK-malware-payload-example-01.exe - MD5 hash: 465d0219b4834a79145c6eac6498cf6c
• 2015-02-11-Windigo-Group-Nuclear-EK-malware-payload-example-02.exe - MD5 hash: 3b1231f9109efafd8d7d5b95115dd252
• 2015-02-11-Windigo-Group-Nuclear-EK-malware-payload-example-03.exe - MD5 hash: 9c66b528aff41e103a479e3fe717d2d4

 

The malware payload appears to be the same basic file, just changed enough for a different file hash.

 

filestore72.info has been compromised by the Windigo Group and is generating the Cushion redirect.  This domain is normally used to push fake Java updates and similar files:

 

TODAY'S TRAFFIC

ASSOCIATED DOMAINS:

• 67.222.18.12 port 80 - www.primehealthchannel.com - Compromised website leading to Cushion redirect
• 67.192.7.1 port 80 - forums.mightycarmods.com - Compromised website leading to filestore72.info
• 66.199.231.59 port 80 - filestore72.info - Compromised website leading to Cushion redirect
• 50.116.3.10 port 80 - [23 characters].filmizlemefullhd.org - Cushion redirect
• 50.116.3.10 port 80 - [23 characters].filmtane.com - Nuclear EK

 

COMPROMISED WEBSITE AND CUSHION REDIRECT CHAIN - EXAMPLE 1:

• 2015-02-11 16:39:21 UTC - www.primehealthchannel.com - GET /
• 2015-02-11 16:39:22 UTC - on2wyqlx7ny7x9plbfu6vg7.filmizlemefullhd.org - GET /index.php?p=enhwZmJhPWFpeWhvcGsmdGltZT0xNTAyMTExNjM4MzYyNzYyODQ1NC
  ZzcmM9MTc3JnN1cmw9d3d3LnByaW1laGVhbHRoY2hhbm5lbC5jb20mc3BvcnQ9ODAma2V5PTU5QUU1QzE3JnN1cmk9Lw==
• 2015-02-11 16:39:23 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane.com - GET /watch.php?kcppp=MTE3NzU5ODg2Nzk3NjRlY2M0MmJiNDk3M2NmZGVkM2Fl

NUCLEAR EK - EXAMPLE 1:

• 2015-02-11 16:39:23 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane.com - GET /BQdXBkRUTQg.html
• 2015-02-11 16:39:24 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane.com - GET /Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs
• 2015-02-11 16:39:26 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane.com - GET /BV4NBkQDAQ9SHwMfBh1SDFcCDwBRBVcHHVUOSwABAE0FUBlQUg0ZBkVaLVcSWzAXWj0
• 2015-02-11 16:39:28 UTC - zvqumcs1tsfct4sjvzot3p9.filmtane.com - GET /BV4NBkQDAQ9SHwMfBh1SDFcCDwBRBVcHHVUOSwABAE0FUBlQUg0ZBkVnFHwARhgzRFc

 

COMPROMISED WEBSITE AND CUSHION REDIRECT CHAIN - EXAMPLE 2:

• 2015-02-11 16:53:13 UTC - filestore72.info - GET /download.php?id=1f07dba3
• 2015-02-11 16:53:13 UTC - on2wyqlx7ny7x9plbfu6vg7.filmizlemefullhd.org - GET /index.php?r=eGVobHlpPWRxd3F3dSZ0aW1lPTE1MDIxMTE2Mzg0MzkwNjU1MTMmc3
  JjPTc2JnN1cmw9ZmlsZXN0b3JlNzIuaW5mbyZzcG9ydD04MCZrZXk9Mzc3MTBDQTYmc3VyaT0vZG93bmxvYWQucGhwJTNmaWQ9MWYwN2RiYTM=
• 2015-02-11 16:53:13 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane.com - GET /watch.php?gfzb=MTA3NjU5ODg2N2E1OTc3Mjg0MmJiNGE0MmE1NWViODUz

NUCLEAR EK - EXAMPLE 2:

• 2015-02-11 16:53:14 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane.com - GET /Vl4LBxpUHQI.html
• 2015-02-11 16:53:15 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane.com - GET /UR5CHgRdWFYeBU0FGgNWVFZXBFEBCQQaBFRIVFkETAMFGlAEHgAJUw
• 2015-02-11 16:53:17 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane.com - GET /Ug9eBxoHWQoHSABIV05TUldSBVUHBAxWTlRQS1ALVRoGAEgEVBpSHWAKfGBDAFAJ
• 2015-02-11 16:53:19 UTC - 7ujh7hma5mvyh27p5sj9b9x.filmtane.com - GET /Ug9eBxoHWQoHSABIV05TUldSBVUHBAxWTlRQS1ALVRoGAEgEVBpSHXktemd6NmIeVA

 

COMPROMISED WEBSITE AND CUSHION REDIRECT CHAIN - EXAMPLE 3:

• 2015-02-11 17:34:27 UTC - filestore72.info - GET /download.php?id=1f07dba3
• 2015-02-11 17:34:27 UTC - uja1215vdybnvy9zqh5p1ng.filmizlemefullhd.org - GET /index.php?y=cHJnZXlwcT1zZXNucWRpJnRpbWU9MTUwMjExMTcyMzMxMzk4ODY3M
  jYmc3JjPTc2JnN1cmw9ZmlsZXN0b3JlNzIuaW5mbyZzcG9ydD04MCZrZXk9MzExRDdDQkQmc3VyaT0vZG93bmxvYWQucGhwJTNmaWQ9MWYwN2RiYTM=
• 2015-02-11 17:34:30 UTC - bwltnfa1gfzpwv767eiapf9.filmtane.com - GET /watch.php?irejci=MTA3NjU5ODg2N2Y2NjRjMTM0MmJiNDI4YmU3Mzk1MTU3

NUCLEAR EK - EXAMPLE 3:

• 2015-02-11 17:34:30 UTC - 6pltzo1mje3i27lt6v3espp.filmtane.com - GET /VFUFXRkEGQQ.html
• 2015-02-11 17:34:31 UTC - 6pltzo1mje3i27lt6v3espp.filmtane.com - GET /BkhGRFJQVlBFBkhSTAcMVwZTAg8HAFNMAA5LBF0CFwECTQEFARlTCQc
• 2015-02-11 17:34:33 UTC - 6pltzo1mje3i27lt6v3espp.filmtane.com - GET /BVlaXRkCAAZcSwUfAUoJUQdWAw4BBFcASg5TG1QNDhkCVR4HC1xJUklgRUMTVVN-H3w2
• 2015-02-11 17:34:34 UTC - 6pltzo1mje3i27lt6v3espp.filmtane.com - GET /BVlaXRkCAAZcSwUfAUoJUQdWAw4BBFcASg5TG1QNDhkCVR4HC1xJUklaRnkLYVJSJEcZBw

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of the pcaps:  2015-02-11-Windigo-Group-Nuclear-EK-all-3-pcaps.zip
• ZIP of the malware:  2015-02-11-Windigo-Group-Nuclear-EK-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.