2015-09-11 - BIZCN GATE ACTOR NEUTRINO EK FROM 46.108.156[.]189 PORT 32393 - SENDS CRYPTOWALL 3.0 RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSSOCIATED FILES:
- 2015-09-11-BizCN-gate-actor-Neutrino-EK-traffic-sends-CryptoWall-3.0-ransomware-traffic.pcap.zip 412.5 kB (412,459 bytes)
- 2015-09-11-BizCN-gate-actor-Neutrino-EK-and-CryptoWall-3.0-ransomware-files.zip 268.1 kB (268,118 bytes)
NOTES:
- The BizCN gate actor I've been tracking switched from Nuclear EK to Neutrino EK since I last posted about this group.
- Today, the BizCN gate actor sent CryptoWall 3.0 ransomware
- Bitcoin payment address for this CryptoWall 3.0 ransomware sample is: 1GL5LyWc3ZfxSEC2HZjoJoGR2CJhbWPTxp
- My previous blog posts tracking the BizCN gate actor, back when it was doing Nuclear EK:
- 2015-07-05 - BizCN gate actor using Nuclear EK (documenting BizCN gate actor's switch from Fiesta EK to Nuclear EK in June 2015)
- 2015-07-07 - BizCN gate actor Nuclear EK on 107.191.63[.]163 - various domains
- 2015-07-08 - BizCN gate actor Nuclear EK on 108.61.188[.]92 - newsolar[.]ga
- 2015-07-09 - BizCN gate actor Nuclear EK on 104.238.187[.]29 - alefreed[.]ml
- 2015-07-13 - BizCN gate actor Nuclear EK on 185.92.220[.]196 - joston2[.]xyz
- 2015-07-14 - BizCN gate actor Nuclear EK on 108.61.167[.]124 - andrian2[.]xyz
- 2015-07-15 - BizCN gate actor Nuclear EK on 104.207.131[.]131 - foundhere[.]xyz & namesoizze[.]xyz
- 2015-07-16 - BizCN gate actor Nuclear EK on 216.170.114[.]126 - imhed[.]xyz
- 2015-07-17 - BizCN gate actor Nuclear EK on 188.166.120[.]33 - andsoresto[.]link
- 2015-07-30 - BizCN gate actor Nuclear EK on 46.101.18[.]39 - mukasore[.]xyz & florenses[.]xyz
- 2015-08-14 - BizCN gate actor Nuclear EK on 89.238.181[.]74 - free3dprint[.]cf
- 2015-08-19 - BizCN gate actor Nuclear EK on 31.214.157[.]20 - blizfone[.]cf
- 2015-08-28 - BizCN gate actor examples (Nuclear EK on 5.175.196[.]167 - bidgerhol[.]ml)
Shown above: Alerts from Sguil on Security Onion after using tcpreplay on a pcap of today's infection traffic.
TRAFFIC
ASSOCIATED DOMAINS:
- forums.macnn[.]com - Compromised website
- 136.243.224[.]10 port 80 - kroentro[.]com - BizCN-registered gate
- 46.108.156[.]189 port 32393 - wotpga.zukonline[.]xyz - Neutrino EK
- ip-addr[.]es - IP address check by CryptoWall 3.0 ransomware
- 188.121.47[.]1 port 80 - g6securitysystems[.]com - CryptoWall 3.0 ransomware callback
- 74.124.204[.]146 port 80 - essayspro[.]com - CryptoWall 3.0 ransomware callback
- 192.232.249[.]212 port 80 - europe-academy[.]net - CryptoWall 3.0 ransomware callback
- 50.63.95[.]1 port 80 - greenevap[.]com - CryptoWall 3.0 ransomware callback
- 95.128.181[.]13 port 80 - ayh2m57ruxjtwyd5.speralreaopio[.]com - User checking a page for the decrypt instructions
- 95.128.181[.]13 port 80 - ayh2m57ruxjtwyd5.vremlreafpa[.]com - User checking a page for the decrypt instructions
- ayh2m57ruxjtwyd5.wolfwallsreaetpay[.]com - Domain for one of the decrypt instructions pages (didn't resolve in DNS)
- ayh2m57ruxjtwyd5.askhoreasption[.]com - Domain for one of the decrypt instructions pages (didn't resolve in DNS)
COMPROMISED WEBSITE AND REDIRECT:
- 2015-09-11 14:39:38 UTC - forums.macnn[.]com - GET /
- 2015-09-11 14:39:40 UTC - kroentro[.]com - GET /_z_XR--Jom_MQjLSTpKrNvw-/pT-_oZIXxK--GjPhMLw.php?FE7cf=at7&DCP-X0=3d&AzeV=f7_&tL=d0&
iIS=1fJ&-6XV2=ne7&nh9uo=85&pBw-cr=51-&M2aS=dP-4&_T9M=79
NEUTRINO EK:
- 2015-09-11 14:39:41 UTC - wotpga.zukonline[.]xyz:32393 - GET /till/1668395/amuse-stiff-standard-poor-jump-merry-hopeful-describe-dignity-knight
- 2015-09-11 14:39:41 UTC - wotpga.zukonline[.]xyz:32393 - GET /your/Zmt0Ymc
- 2015-09-11 14:39:43 UTC - wotpga.zukonline[.]xyz:32393 - GET /disturb/1060788/manner-weep-yield-march-rusty-since
- 2015-09-11 14:39:43 UTC - wotpga.zukonline[.]xyz:32393 - GET /amidst/1099567/gown-thomas-noble-type-being-loud
- 2015-09-11 14:39:44 UTC - wotpga.zukonline[.]xyz:32393 - GET /pant/ZnNpb3N6Yms
POST-INFECTION TRAFFIC CAUSED BY THE CRYPTOWALL 3.0 RANSOMWARE PAYLOAD:
- 2015-09-11 14:40:10 UTC - ip-addr[.]es - GET /
- 2015-09-11 14:40:11 UTC - g6securitysystems[.]com - POST /js/ap4.php?u=1rn6826qnv6955
- 2015-09-11 14:40:13 UTC - g6securitysystems[.]com - POST /js/ap4.php?h=8w1ij5m720mwm
- 2015-09-11 14:40:17 UTC - g6securitysystems[.]com - POST /js/ap4.php?k=ssws25wpv4f
- 2015-09-11 14:40:27 UTC - g6securitysystems[.]com - POST /js/ap4.php?j=m3f5emniccq9
- 2015-09-11 14:40:28 UTC - essayspro[.]com - POST /css/fonts/ap4.php?k=m3f5emniccq9
- 2015-09-11 14:40:33 UTC - europe-academy[.]net - POST /wp-admin/user/ap2.php?c=m3f5emniccq9
- 2015-09-11 14:40:36 UTC - greenevap[.]com - POST /mtqzpa/templates/ap5.php?i=m3f5emniccq9
THE USER TRYING TO VIEW EACH OF THE WEB PAGES FOR THE CRYPTOWALL 3.0 RANSOMWARE DECRYPT INSTRUCTIONS (ALL 4 OF THEM):
- 2015-09-11 14:40:42 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /[information removed]
- 2015-09-11 14:40:44 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/style.css
- 2015-09-11 14:40:44 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/flags/us.png
- 2015-09-11 14:40:45 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/flags/es.png
- 2015-09-11 14:40:45 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/flags/de.png
- 2015-09-11 14:40:45 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/flags/it.png
- 2015-09-11 14:40:45 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/flags/fr.png
- 2015-09-11 14:40:45 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /picture.php?k=[information removed]&cbcbdb758f54dd280349a331fc51b3a4
- 2015-09-11 14:40:47 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/lb.png
- 2015-09-11 14:40:47 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/rb.png
- 2015-09-11 14:40:47 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/rt.png
- 2015-09-11 14:40:47 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/lt.png
- 2015-09-11 14:40:49 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /favicon.ico
- 2015-09-11 14:40:53 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - POST /[information removed]
- 2015-09-11 14:40:54 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/bitcoin.png
- 2015-09-11 14:40:56 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/button_pay.png
- 2015-09-11 14:41:04 UTC - ayh2m57ruxjtwyd5.speralreaopio[.]com - GET /img/button_pay_sel.png
- 2015-09-11 14:41:24 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /[information removed]
- 2015-09-11 14:41:26 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/style.css
- 2015-09-11 14:41:26 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/flags/us.png
- 2015-09-11 14:41:27 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/flags/fr.png
- 2015-09-11 14:41:27 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/flags/it.png
- 2015-09-11 14:41:27 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/flags/es.png
- 2015-09-11 14:41:27 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/flags/de.png
- 2015-09-11 14:41:27 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /picture.php?k=[information removed]&5633a89c802878b092604ca1d8c5727a
- 2015-09-11 14:41:28 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/lt.png
- 2015-09-11 14:41:29 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/rt.png
- 2015-09-11 14:41:29 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/lb.png
- 2015-09-11 14:41:29 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/rb.png
- 2015-09-11 14:41:31 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /favicon.ico
- 2015-09-11 14:41:34 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - POST /[information removed]
- 2015-09-11 14:41:36 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/bitcoin.png
- 2015-09-11 14:41:36 UTC - ayh2m57ruxjtwyd5.vremlreafpa[.]com - GET /img/button_pay.png
- 2015-09-11 14:41:48 UTC - DNS query for: ayh2m57ruxjtwyd5.wolfwallsreaetpay[.]com (DNS reply: No such name)
- 2015-09-11 14:41:52 UTC - DNS query for: ayh2m57ruxjtwyd5.askhoreasption[.]com (DNS reply: Server failure)
Click here to return to the main page.