2015-07-15 - BIZCN GATE ACTOR NUCLEAR EK ON 104.207.131[.]131

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-15-BizCN-gate-actor-Nuclear-EK-traffic-2-pcaps.zip
• 2015-07-15-BizCn-gate-actor-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63[.]163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188[.]92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187[.]29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220[.]196
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167[.]124
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131[.]131 (this blog post)

 

TRAFFIC - EXAMPLE 1 OF 2

ASSOCIATED DOMAINS:

• www.visajourney[.]com - Compromised website
• 136.243.25[.]242 port 80 - margaritailles[.]com - BizCN-registered gate
• 104.207.131[.]131 port 80 - foundhere[.]xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-15 14:48:30 UTC - www.visajourney[.]com - GET /
• 2015-07-15 14:48:30 UTC - margaritailles[.]com - GET /itmOJ-LhvN-r_yw/PzvO.js?R=ff44foraY1YaLe&Au-=5V7edf1Q30P3j&mojpwB-U=a-6d69QfbkcI_d

NUCLEAR EK:

• 14:48:33 UTC - foundhere[.]xyz - GET /VgIDDFYDTgAeUgoQXFUKURcAHEkbTg.html
• 14:48:34 UTC - foundhere[.]xyz - GET /V0kSSAFWUwlRUhlUTgMeUgoQXFUKURcAHEkbThlTBB9TDFJLBQJMBVZdTgBWB1NcBQBVBVYZVF1R
• 14:48:35 UTC - foundhere[.]xyz - GET /VFgOURkBAVBaBwMZA01QSAMKR18GXAAXVx8aTR8ZBAdMBV1SHAZRGlRWCk1TAFZTCwZTA1RWTgQeRTc2VFANSFQ
• 14:48:38 UTC - foundhere[.]xyz - GET /VFgOURkBAVBaBwMZA01QSAMKR18GXAAXVx8aTR8ZBAdMBV1SHAZRGlRWCk1TAFZTCwZTA1RWTgYeRTc2VFANSFQ

 

TRAFFIC - EXAMPLE 2 OF 2

ASSOCIATED DOMAINS:

• www.taurusarmed[.]net - Compromised website
• 148.251.187[.]233 port 80 - risalerr[.]org - BizCN-registered gate
• 104.207.131[.]131 port 80 - namesoizze[.]xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-15 15:43:02 UTC - www.taurusarmed[.]net - GET /forums/firing-line/62280-snub-nose-revolvers.html
• 2015-07-15 15:43:03 UTC - risalerr[.]org - GET /gNz_ps--TZ-J_UHMkjLG/-hW--MoNKQZigYStvO_/HgsYoW-G_.php?O5VJBXz0=be-m0dT45mcdMfn164Y18cad0196M-f-2-d

NUCLEAR EK:

• 2015-07-15 15:43:11 UTC - namesoizze[.]xyz - GET /UARERFBIVgBbXRJbURtMXU9MQRs.html
• 2015-07-15 15:43:12 UTC - namesoizze[.]xyz - GET /XRlGRAlRSh0HRFNIVgBbXRJbURtMXU9MQRtKC1AaC08HDVQaClAFRFAAC1cPD1UNAVBKXg0H

• NOTE: No malware payload was passed for this run (instead, the web browser crashed).

 

Click here to return to the main page.