2015-07-14 - BIZCN GATE ACTOR NUCLEAR EK ON 108.61.167[.]124
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2015-07-14-BizCN-gate-actor-Nuclear-EK-traffic.pcap.zip
- 2015-07-14-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip
NOTES:
- More follow-up traffic & malware for an article I wrote at: https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875
- My previous blog posts tracking BizCN gate actor Nuclear EK:
- 2015-07-05 - BizCN gate actor using Nuclear EK (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
- 2015-07-07 - BizCN gate actor Nuclear EK (EK on 107.191.63[.]163)
- 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188[.]92
- 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187[.]29
- 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220[.]196
- 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167[.]124 (this blog post)
TRAFFIC
ASSOCIATED DOMAINS:
- www.nano-reef[.]com - Compromised website
- 136.243.224[.]10 port 80 - omaidett[.]com - BizCN-registered gate
- 108.61.167[.]124 port 80 - andrian2[.]xyz - Nuclear EK
COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

- 2015-07-14 11:37:04 UTC - www.nano-reef[.]com - GET /
- 2015-07-14 11:37:05 UTC - omaidett[.]com - GET /zgGn/hU-QzrJV-mI-__TlntuK/KPyjZN_UisWH-vulp.js?sw=1Yf8&FCPcq-R-O=-cd5&qGtZ=m6lem1&5-FCtoN2-=bTcXfj&hB=daK7
NUCLEAR EK:
- 2015-07-14 11:37:08 UTC - andrian2[.]xyz - GET /DhQMVBZfGlQaAA9XFAwHD1MdHhwc.html
- 2015-07-14 11:37:09 UTC - andrian2[.]xyz - GET /Ax0WHQlCDFARDR0CGlcaAA9XFAwHD1MdHhwcHVcFSFReVk8FXktUUlhPV1FVV1kEVV1UWR1VClY
- 2015-07-14 11:37:09 UTC - andrian2[.]xyz - GET /AAwKBB1bFw9TFg1PVxlUHQBdAhcPAA8BSB0fGx0FUEtXWVYdUF1IU1IKGlRSUlcLUVZeU1lPUxkCDStXFxlX
- 2015-07-14 11:37:28 UTC - andrian2[.]xyz - GET /AAwKBB1bFw9TFg1PVxlUHQBdAhcPAA8BSB0fGx0FUEtXWVYdUF1IU1IKGlRSUlcLUVZeU1lPURkCDStXFxlX
