Introduction
Since mid-September 2015, Ive generated a great deal of Nuclear exploit kit (EK) traffic after checking compromised websites. This summer, I usually foundAngler EK. Now Im seeing more Nuclear.
Nuclear EK has alsobeen sending dual payloads. Idocumented dual payloads at least three times last year [1, 2, 3], but I hadnt noticed it again from Nuclear EKuntil recently. This time,one of the payloadsappears to beransomware. I sawFilecoder on 2015-09-18[4] and TeslaCrypt 2.0 on 2015-09-29[5]. In both cases,ransomware was a componentof the dual payloads from Nuclear EK.
To be clear, Nuclear EK isnt always sendingtwo payloads,but Ive noticed a dual payload trendwith this recent increase in Nuclear EK traffic.
Furthermore, on Wednesday 2015-09-30, the URL patternfor Nuclear EKs landing page changed. With that in mind, lets take a look at whats happening with Nuclear.
URL patterns
The images below show some examples of URL patterns for Nuclear EK">Shown above: Some URLsfrom Nuclear EK on 2015-09-15. Pcap" />
Shown above: Some URLs from Nuclear EK on 2015-09-16. ">Shown above: Some URLsfrom Nuclear EK on 2015-09-18. Pcap">Shown above: Some URLs from Nuclear EK on 2015-09-22. Pcap">Shown above: Some URLs from Nuclear EK on 2015-09-29.Pcapavailable here.
In the above images, the initial HTTP GET request always starts with /search?q= for the landing page URL. ">Shown above: Some URLs fromNuclear EK on 2015-09-30.
The initial HTTP GET request now starts with /url?sa= instead of">for the landing page URL. I saw the same thing from three different examples of Nuclear EK on 2015-09-30. Windows hosts from these examplesall had the exact">Nuclear EK examples from 2015-09-30
I had some trouble infectinga Windows 7 host running IE 11. ">The browser always crashed before the EK">payload was sent. SoI tried three different configurations to generate traffic for this diary. The first run hadaWindows 7 host running IE 10. The second run had a Windows 7 host runniningIE 8. The third run had a Windows 7 host running IE 11. All hosts were running">I found a compromised website withan injected iframe leading to Nuclear EK. The screenshot below shows an example of themalicious script at the bottom of the page. Itsright before the closing body and HTML tags. Youll" />
Shown above: ">The first run used IE 10 with Flash player 14.0.0.125. " />
Shown above: Desktop background from the infected host.
Decrypt instructions were left as a text file on the desktop. The authors behind this ransomwareused decode010@gmail.com and decode1110@gmail.com as email addresses for further decryption" />
Shown above: Decryption instructions from the ransomware.
Playing around with the pcap in Wireshark, I got a decent representation of the traffic. Below, youll see the compromised website, Nuclear EK on 188.226.215.37, and some of the post infection traffic. TLS activityon ports 443 and 9001 with random characters for the server names is Tor traffic. Several other attempted TCP connections can be found in the pcap, but none of those were successful, and theyre not shown below. " />
Shown above: Some of the infection traffic from the pcap in Wireshark (from a Windows host usingIE 10 and Flash player 14.0.0.125).
Below are alerts on the infection traffic when Iused tcpreplay onSecurity Onion with the EmergingThreats(ET)and ET Pro">Shownabove: Alerts from the traffic using Sguil in Security Onion.
For the second run, Iinfecteda different Windows host running IE 8 and Flash player 11.2.202.228. This generatedNuclear EK from from the same IP address and a slightly different domain name. however, I didt see the same traffic that triggered" />
Shown above: Nuclear EK traffic using IE 8 and Flash player 11.2.202.228.
For the third run, I used a Windows host with IE 11 and Flash player 18.0.0.203. As mentioned earlier, the browser would crash before the EK sent the payload, so this host didnt get infected with malware. I tried it once with Flash player and once without Flash player, both times running an unpatched version of IE 11. Each time, the browser crashed. Nuclear EK was still using the same IP address, butdifferent domain names were different. Within a 4 minute timespan on the pcap,youll find" />
Shown above: Nuclear EK traffic using">1 and Flash">18.0.0.203... Tried twice but">below">Shown" />
Shown" />
Shown above: Nuclear EK sends the secondmalware payload.
Other than the landing page URL patternand dual payload,Nuclear EK looks remarkably similar to the last time we reviewed itin August 2015 [6].
Preliminary malware analysis
The first and second runs generated a full infection chain and post-infection traffic. The malware payload was the same during the first and second run. The first run had additional malware on the infected host. The third run using IE 11 didnt generate any malware payload.
Nuclear EK malware payload 1 of 2:
- File size: 875.7 KB ( 896,670 bytes )
- MD5 hash: ">c39cc580cadffb35e486a5bea669e592
- SHA1 hash:">a7d3166a96894a5d6f250a6ff66a8f66b8b23985
- SHA256 hash: ">9ccbec3dac898da303c5141b4f59224f1fd811b43e41acb96eaea86136786921
- Virus Total - Malwr - ">
- Filesize:">255.0 KB ( 261,120 bytes )
- MD5 hash: ">c13a72cc4da45d8ead2f11960335c83c
- SHA1hash: ">2a9a4d644520843c7acdd734bc17942efcba7eb9
- SHA256hash: ">1408a9dcee3d73a253e1230c3bbb8b267d9c9fa3ca86c634be14de4dd8de17d2
- Virus Total- Malwr- ">
- Filesize:">298.7 KB ( 305,862 bytes )
- MD5 hash: ">60aad3413e9b3fa12f518e2cf05b48b8
- SHA1hash: ">f9644fee0607465b4fb9ebd04f80684a4280fe0f
- SHA256hash: ">863d6cc2cbd99a5fd7daad97b30e92e71b7d03ca230d3d84c042a4e918355c9b
- Virus Total- Malwr- " />
Final words
Like other EKs, Nuclear EK keeps evolving. We will continue to keep an eye on the situation and let you know of any significant developments.
Packet captures of the 2015-09-30 Nuclear EK traffic are available at:
- http://malware-traffic-analysis.net/2015/09/30/2015-09-30-Nuclear-EK-traffic-first-run.pcap
- http://malware-traffic-analysis.net/2015/09/30/2015-09-30-Nuclear-EK-traffic-second-run.pcap
- http://malware-traffic-analysis.net/2015/09/30/2015-09-30-Nuclear-EK-traffic-third-run.pcap
A zip archive of the associated malware and artifacts is available at:
The zip archives are password-protected with the standard password. If you dont know it, email admin@malware-traffic-analysis.net and ask.
---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_trafficReferences:
[1] http://www.malware-traffic-analysis.net/2014/05/16/index2.html
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[2] http://www.malware-traffic-analysis.net/2014/05/26/index.html
[3] http://www.malware-traffic-analysis.net/2015/02/01/index.html
[4] http://www.malware-traffic-analysis.net/2015/09/18/index.html
[5] http://www.malware-traffic-analysis.net/2015/09/29/index.html
[6]https://isc.sans.edu/forums/diary/Nuclear+EK+traffic+patterns+in+August+2015/20001/
