2015-07-13 - BIZCN GATE ACTOR NUCLEAR EK ON 185.92.220[.]196

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-13-BizCN-gate-actor-Nuclear-EK-traffic-2-pcaps.zip
• 2015-07-13-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
• Today, the BizCN gate actor's Nuclear EK traffic was at 185.92.220[.]196.

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63[.]163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188[.]92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187[.]29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220[.]196

 

TRAFFIC - EXAMPLE 1 OF 2

ASSOCIATED DOMAINS - EXAMPLE 1 OF 2:

• www.longrangehunting[.]com - Compromised website
• 136.243.25[.]241 port 80 - frekassaandme[.]com - BizCN-registered gate
• 185.92.220[.]196 port 80 - joston2[.]xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE - EXAMPLE 1 OF 2:

• 2015-07-13 17:03:42 UTC - www.longrangehunting[.]com - GET /
• 2015-07-13 17:03:43 UTC - frekassaandme[.]com - GET /wVJqGvjH/nuo_xJkNs-P/XjR.js?a_YA=3MaIf&_=0Z7W1&B__jQ5=a1q6&oZw-AH9=H7-3Kf&3=bdfP&
  Z_Eec2--w=dU11&-3yK=L56tG9&C_=18-9&9zv1=dPYf

NUCLEAR EK - EXAMPLE 1 OF 2:

• 2015-07-13 17:04:04 UTC - joston2[.]xyz - GET /ARBXD1oeUx8OWEoWDQ1WGUEbGA.html
• 2015-07-13 17:04:05 UTC - joston2[.]xyz - GET /BxsUS1oRUVsHSwgeUR8OWEoWDQ1WGUEbGB9dAhdTV1dKBQpSTFFQD0VTVlBSDwlVUldQS18OUQ
• 2015-07-13 17:04:05 UTC - joston2[.]xyz - GET /BAoIUkUBEVBcVEVTHlAYXVYRFgwKBRcaGxkYDgxMU1ZQGQtRUk1WAwEeU1dXAQFSVVNQA0VXHgIOYVgoMzssSwg

 

TRAFFIC - EXAMPLE 2 OF 2

ASSOCIATED DOMAINS:

• www.visajourney[.]com - Compromised website
• 136.243.25[.]242 port 80 - margaritailles[.]com - BizCN-registered gate
• 185.92.220[.]196 port 80 - joston2[.]xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-13 17:29:37 UTC - www.visajourney[.]com - GET /
• 2015-07-13 17:29:38 UTC - margaritailles[.]com - GET /-IkqzsZMW-wXrG_hLNY/PQjvw/J.php?QkVB-u6K-=l0q5h-86-889J8eU&QAco=be9-c926f5&wd_0uc63D=cj

NUCLEAR EK:

• 2015-07-13 17:29:48 UTC - joston2[.]xyz - GET /DxQATl8VHlIYXVYRFgwKBRcaGxk.html
• 2015-07-13 17:29:48 UTC - joston2[.]xyz - GET /BxsUS1QVBhoCQEVTHlAYXVYRFgwKBRcaGxkYDwlMUFdXGQhVVE1VBAgeU1dXAQFSWlZcD0UEDlA
• 2015-07-13 17:29:49 UTC - joston2[.]xyz - GET /BAoIUkUPFQcdUU4eUx9XS1MNERcLWQtMGhoeSwFSTFFQBBdTVVVKBgpTHlJQBA9aUltRDwEeVx8Gb2kMIzIQSwg
• 2015-07-13 17:29:54 UTC - joston2[.]xyz - GET /BAoIUkUPFQcdUU4eUx9XS1MNERcLWQtMGhoeSwFSTFFQBBdTVVVKBgpTHlJQBA9aUltRDwEeVR8Gb2kMIzIQSwg

 

Click here to return to the main page.