2015-07-08 - BIZCN GATE ACTOR NUCLEAR EK ON 108.61.188[.]92

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-08-BizCN-gate-actor-Nuclear-EK-traffic-2-pcaps.zip
• 2015-07-08-BizCN-gate-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• Follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
• This BizCN gate actor Nuclear EK traffic moved from 107.191.63[.]163 (as seen in previous blog posts) to 108.61.188[.]92 (still a Choopa/Vultr IP address).

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63[.]163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188[.]92   (EK changes IP)

 

TRAFFIC

ASSOCIATED DOMAINS - FIRST EXAMPLE

• www.shootersforum[.]com - Compromised website
• 136.243.224[.]10 port 80 - spoeract[.]com - BizCN registered gate
• 108.61.188[.]92 port 80 - alefreed[.]ml Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - FIRST EXAMPLE

• 2015-07-08 18:43:05 UTC - www.shootersforum[.]com - GET /
• 2015-07-08 18:43:06 UTC - spoeract[.]com - GET /oqGrg/mIZhGrtN-jUKqpWMXRS/OL-_vjw_oYqJUs/N.js?
  Wz-=0s1-&V-5rF-=b_c&YUBiugOj-=H29j&b7Fk--=f-3Y&vjMFdQ--=6m6y&WawhJ=b6S&jlk_hsqOa=2

NUCLEAR EK - FIRST EXAMPLE

• 2015-07-08 18:43:19 UTC - alefreed[.]ml - GET /Q08LCldMCEtTVV1WS1JXXRZdVQ.html
• 2015-07-08 18:43:19 UTC - alefreed[.]ml - GET /XE9CRUJIAARdRQlMCktTVV1WS1JXXRZdVUsFARYBCw4cCA8DFwYBCEQBDQQECgAAAA4LRV5cCg
• 2015-07-08 18:43:20 UTC - alefreed[.]ml - GET /X15eXERKQQ4BVkQBRQROWFRVX0VXXFweVFtODgAeCAULFwkHChkDCglMCAMBDwsICQ4LAEQFRVlYWlVBUl1OCA

 

ASSOCIATED DOMAINS - SECOND EXAMPLE

• offbeathome[.]com - Compromised website
• 136.243.224[.]10 port 80 - tittiogg[.]com - BizCN registered gate
• 108.61.188[.]92 port 80 - alefreed[.]ml Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - SECOND EXAMPLE

• 2015-07-08 19:00:31 UTC - offbeathome[.]com - GET /2012/09/inexpensive-alternative-housing
• 2015-07-08 19:00:33 UTC - tittiogg[.]com - GET /S-LgqXhIJZ_M-iY_W/njw-VW-Pi/SGwl_sJjvy.js?
  KU6hmi=McmN8w7V76-&EW=57855&ZY4=x005Zxbc-&v4xV0Fue=g3eaRd9

NUCLEAR EK - SECOND EXAMPLE

• 2015-07-08 19:00:42 UTC - alefreed[.]ml - GET /VVFdVkpMCEtTVV1WS1JXXRZdVQ.html
• 2015-07-08 19:00:43 UTC - alefreed[.]ml - GET /XE9CRVRWVlhARQlMCktTVV1WS1JXXRZdVUsACAoeCg8cCA4HFwYLAEQBDQQECgACCQMBRV5cCg
• 2015-07-08 19:00:43 UTC - alefreed[.]ml - GET /X15eXERcX1hdS0QBRQROWFRVX0VXXFweVFtOCwkCFwQKFwkGDhkDAAFMCAMBDwsICwcGCkQFRURTdHZDU0sD
• 2015-07-08 19:00:46 UTC - alefreed[.]ml - GET /X15eXERcX1hdS0QBRQROWFRVX0VXXFweVFtOCwkCFwQKFwkGDhkDAAFMCAMBDwsICwcGCkQHRURTdHZDU0sD

 

Click here to return to the main page.