2015-07-17 - BIZCN GATE ACTOR NUCLEAR EK ON 188.166.120[.]33 SENDS CRYPTOWALL 3.0 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-07-17-BizCN-gate-actor-Nuclear-EK-sends-CryptoWall-3.0-ransomware.pcap.zip
• 2015-07-17-BizCN-gate-actor-Nuclear-EK-and-CryptoWall-3.0-ransomware-files.zip

 

NOTES:

• More follow-up traffic & malware for an article I wrote at:  https://isc.sans.edu/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875

• This traffic has the latest Flash exploit (CVE-2015-0522) effective against Flash Player version 18.0.0.203.
• Today, Nuclear EK used by the BizCN gate actor sent CryptoWall 3.0 ransomware as the payload.
• Bitcoin address for this CryptoWall 3.0 ransomware sample's payment was: 14ebF4oEvoqPtCFDASf8ASHv3jGtr41DGP.

• My previous blog posts tracking BizCN gate actor Nuclear EK:

• 2015-07-05 - BizCN gate actor using Nuclear EK  (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
• 2015-07-07 - BizCN gate actor Nuclear EK   (EK on 107.191.63[.]163)
• 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188[.]92
• 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187[.]29
• 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220[.]196
• 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167[.]124
• 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131[.]131
• 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114[.]126
• 2015-07-17 - BizCN gate actor Nuclear EK on 188.166.120[.]33 sends CryptoWall 3.0 ransomware  (this blog post)

 

TRAFFIC

ASSOCIATED DOMAINS:

• orlandoinformer[.]com - Compromised website
• 136.243.25[.]241 port 80 - stepanovichon[.]com - BizCN-registered gate
• 188.166.120[.]33 port 80 - andsoresto[.]link - Nuclear EK
• ip-addr[.]es - IP address check by CryptoWall 3.0 ransomware
• 85.204.50[.]99 port 80 - bibubracelets[.]ro - CryptoWall 3.0 ransomware check-in
• 195.210.46[.]104 port 80 - arabella[.]kz - CryptoWall 3.0 ransomware check-in

COMPROMISED WEBSITE AND BIZCN-REGISTERED GATE:

• 2015-07-17 19:57:13 UTC - orlandoinformer[.]com - GET /
• 2015-07-17 19:57:17 UTC - stepanovichon[.]com - GET /mT_n-J/gJ/LsuUHz/TYt/yt.js?V-Qg=740-5T257vbade1Y5_0__b779q2Z1-5bx48G6r6a

NUCLEAR EK:

• 19:57:21 UTC - andsoresto[.]link - GET /QEBQAkoIS1AIUkVWRVQVQlkXW1gIXQ.html
• 19:57:21 UTC - andsoresto[.]link - GET /UkkWSkFIAQUaB0oKS1AIUkVWRVQVQlkXW1gIXUoPAR9XDgEXAQdIBwEOSwBSBQEIAQJWAgdFUV1V
• 19:57:25 UTC - andsoresto[.]link - GET /UVgKU0pORgdSSgdFBE0HWFJKWEMDRUJWGV0PWF1FAQdIBw4OGQdQGAcOAE1XAgUOBgdVBgIISwYaXVl4WUYRQkoI

POST-INFECTION TRAFFIC (CRYPTOWALL 3.0):

• 2015-07-17 19:57:30 UTC - ip-addr[.]es - GET /
• 2015-07-17 19:57:31 UTC - bibubracelets[.]ro - POST /wp-content/themes/twentytwelve/e.php?o=ayua0s9j24f
• 2015-07-17 19:57:31 UTC - arabella[.]kz - POST /wp-content/plugins/wp-db-backup-made/a.php?n=ayua0s9j24f
• 2015-07-17 19:57:44 UTC - bibubracelets[.]ro - POST /wp-content/themes/twentytwelve/e.php?j=075b3yxxzhg8
• 2015-07-17 19:57:44 UTC - arabella[.]kz - POST /wp-content/plugins/wp-db-backup-made/a.php?d=075b3yxxzhg8
• 2015-07-17 19:57:54 UTC - bibubracelets[.]ro - POST /wp-content/themes/twentytwelve/e.php?l=856g0fy7a8nz2
• 2015-07-17 19:57:55 UTC - arabella[.]kz - POST /wp-content/plugins/wp-db-backup-made/a.php?d=856g0fy7a8nz2
• 2015-07-17 19:58:10 UTC - bibubracelets[.]ro - POST /wp-content/themes/twentytwelve/e.php?o=bvortsts8z
• 2015-07-17 19:58:11 UTC - arabella[.]kz - POST /wp-content/plugins/wp-db-backup-made/a.php?e=bvortsts8z

 

Click here to return to the main page.