2015-07-16 - BIZCN GATE ACTOR NUCLEAR EK ON 216.170.114[.]126

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-16-BizCN-gate-actor-Nuclear-EK-traffic-2-pcaps.zip
• 2015-07-16-BizCN-gate-actor-Nuclear-EK-malware-and-artifacts.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63[.]163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188[.]92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187[.]29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220[.]196
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167[.]124
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131[.]131
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114[.]126 (this blog post)

 

TRAFFIC - EXAMPLE 1 OF 2

ASSOCIATED DOMAINS:

• www.texashighways[.]com - Compromised website
• 136.243.25[.]242 port 80 - salsaandlili[.]com - BizCN-registered gate
• 216.170.114[.]126 port 80 - imhed[.]xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-16 14:26:19 UTC - www.texashighways[.]com - GET /events
• 2015-07-16 14:26:19 UTC - salsaandlili[.]com - GET /KoH_iYqh/-/-PS-_jInXu/vzp-TJlH-qNY/kzjgu---T-HnrZoKVUXGqPOJ.js?i_MFc=G3-0Nbp8&
  P6Zyn0qD=e6k82&jWzM=fdby3&He_YaQ=_c9q89_&Ov-bAK=7ed5M&2Ov_eA=5x1Z0-c&-k8s=6

NUCLEAR EK:

• 2015-07-16 14:26:26 UTC - imhed[.]xyz - GET /RAhRGgkYWgkLA1xKSx0Z.html
• 2015-07-16 14:26:27 UTC - imhed[.]xyz - GET /VhwTGk8IARhSGgoYWgkLA1xKSx0ZGg5WHVZQVRZRAUpSUQ4YAlBQUQhRBVNbUEQCX1c
• 2015-07-16 14:26:29 UTC - imhed[.]xyz - GET /VQ0PA0QTX1YfV0RWTw0ODl0AHRwaHERSAUpRVQtKBlZNVw9ST1VXVQ9UBlJUXg4YBBgvAnoTRiYfVw

 

TRAFFIC - EXAMPLE 2 OF 2

ASSOCIATED DOMAINS:

• pistolsmith[.]com - Compromised website
• 136.243.224[.]10 port 80 - burdiacs[.]org - BizCN-registered gate
• 216.170.114[.]126 port 80 - imhed[.]xyz - Nuclear EK

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-16 14:40:35 UTC - pistolsmith[.]com - GET /
• 2015-07-16 14:40:36 UTC - burdiacs[.]org - GET /gqN---ZRi/nkQ-ST-oWixwtR.php?dDu-87--=e42aRe_dmb2pdW8d2-0a_08623ade-ayekfla9n203

NUCLEAR EK:

• 2015-07-16 14:40:48 UTC - imhed[.]xyz - GET /QAYKDkBTT1UfD1UMVgBNHkEe.html
• 2015-07-16 14:40:50 UTC - imhed[.]xyz - GET /VhwTGksGWgwbUURVT1YfD1UMVgBNHkEeT1VaXhZVA1FNVwlcHVVSUkRVB1dUVg1TBVBbGl4IAA

• NOTE: Got Nuclear EK, but no malware payload in this traffic.

 

Click here to return to the main page.