
SANS Internet Storm Center, InfoCON: green: Nuclear EK traffic patterns in August 2015, (Wed, Aug 5th)


Introduction

About two weeks ago, Nuclear exploit kit (EK) changed its URL patterns. Now it looks a bit like Angler EK. Kafeine originally announced the change on 2015-07-21 [1], and we collected examples the next day.

Here's how Nuclear EK looked on

Now that we're into August 2015, URL patterns for Nuclear EK have altered again. These changes are similar to what we've seen with Angler EK since June 2015 [3]. They're not the same URL patterns as Angler, but the changes are similar.

In today's diary, we examine Nuclear EK traffic as of Tuesday, 2015-08-04. In this example, the EK delivered Troldesh ransomware, which is similar to a previous infection I published earlier this year in April 2015 [4].

First, let's see how the 2015-08-04 traffic from a compromised website led to Nuclear EK.

From a compromised web site to the EK

I viewed the compromised website by getting to it through a Bing search, which is my preferred method for generating EK traffic. Google had already identified the site as potentially malicious and wouldn't

Malicious JavaScript was injected in at least 4 places when I visited the site's index page. The script is obfuscated, so you won't see any obvious URLs. I

What's the easiest way to deobfuscate the script? Copy and paste the script into its own HTML file, make sure you

Open the resulting web page in a browser, and you should see an alert showing the deobfuscated script. From the above example, we find a hidden iframe that goes to mobi-avto.ru.
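The alert trick above surfaces the decoded stage by letting the browser do the work. The same idea can be run offline under Node.js, which is handy when you want to process several injected scripts without opening them in a browser. The block below is an added example, not code from the diary or from the ISC: it runs a loader with `eval` and `document` shadowed by hooks that record whatever the script tries to execute or write, then pulls any iframe `src` out of what was captured. The obfuscated sample (`SAMPLE_SCRIPT`) and the hostname it decodes to (`example.invalid`) are constructed for the example; the real injected script and its redirect target are not reproduced here.

```javascript
// Added example (not from the ISC diary): deobfuscate an injected loader
// offline by hooking eval() and document.write() instead of running them.

// Constructed stage-two code: what the loader decodes and hands to eval().
// The hostname is a placeholder, not the redirect target from the diary.
const PLAINTEXT_STAGE =
  'document.write(\'<iframe src="http://example.invalid/search?q=placeholder" width="1" height="1"></iframe>\');';

// Constructed stage-one loader, shaped like a typical injected script:
// rebuild a string from char codes, then eval() it.
const SAMPLE_SCRIPT =
  'var c=[' + Array.from(PLAINTEXT_STAGE, (ch) => ch.charCodeAt(0)).join(',') + '],s="";' +
  'for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]);}' +
  'eval(s);';

// Run `script` with eval/document/window bound to capture hooks.
// Returns every string the script (and the stages it decoded) passed to
// eval() or document.write(), in the order they were seen.
function deobfuscate(script, maxDepth = 5) {
  const captured = [];

  const fakeDocument = {
    write(html) { captured.push({ via: 'document.write', text: String(html) }); },
    writeln(html) { this.write(html); },
  };
  const fakeWindow = { document: fakeDocument };

  function run(code, depth) {
    if (depth > maxDepth) return;
    // Passing `eval` as a parameter name shadows the real one, so the
    // script's eval(x) reaches our hook. A decoded stage is run the same
    // way so nested layers are captured too.
    const hookedEval = (next) => {
      captured.push({ via: 'eval', text: String(next) });
      run(String(next), depth + 1);
    };
    try {
      new Function('eval', 'document', 'window', code)(hookedEval, fakeDocument, fakeWindow);
    } catch (err) {
      // A stage that needs browser state, or its caller's local variables
      // (direct-eval semantics), stops here; earlier captures are kept.
      captured.push({ via: 'error', text: String(err && err.message) });
    }
  }

  run(script, 0);
  return captured;
}

// Pull iframe src URLs out of the captured text so the analyst gets the
// redirect target directly. Deduplicated, since the same HTML usually
// shows up once as eval()'d code and once as written markup.
function extractIframeSources(captured) {
  const re = /<iframe[^>]*\ssrc=["']([^"']+)["']/gi;
  const urls = new Set();
  for (const item of captured) {
    let m;
    while ((m = re.exec(item.text)) !== null) urls.add(m[1]);
  }
  return [...urls];
}

if (typeof require !== 'undefined' && require.main === module) {
  const found = deobfuscate(SAMPLE_SCRIPT);
  for (const item of found) console.log(`[${item.via}] ${item.text}`);
  console.log('iframe targets:', extractIframeSources(found));
}
```

Because the script is run with `new Function`, it has no access to the analysis host's globals beyond what is passed in, and nothing the decoded stage writes ever reaches a real DOM. Loaders that rely on other browser objects (`navigator`, `location`, `setTimeout`) will stop at the first missing reference; the hook still returns whatever was captured up to that point, which is usually the decoded stage you wanted.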

With any EK, this all happens behind the scenes. The average user won't know what happened until it's too late. With ransomware, users will realize something
Shown above: The infected host's desktop after the Troldesh ransomware infection.

A look at the Nuclear EK traffic

On 2015-07-21 when Nuclear changed, each GET request from the EK started with search?q=. URL patterns remained that way through at least 2015-07-30 [5]. A few days later, the landing page URL still contains search?q=. However, other URLs for the Flash exploit and payload use different words. They also follow a different pattern after the question mark (?) up to the equal sign (=). Below shows our example of

In the 2015-08-04 traffic, Nuclear EK's landing page has some text before the initial HTML tag. This is something we hadn't

Except for the change in the URL pattern, this HTTP GET request for the EK's Flash exploit is similar to what we

Nuclear EK still uses an ASCII string to XOR the payload binary. This started with Nuclear's previous change of URL patterns back in December 2014 [6], and it remains the EK
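Recovering the payload from a capture means reversing that XOR. The block below is an added example, not code from the diary: it decodes a blob with a repeating ASCII key, checks that the result actually looks like a Windows executable (an `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature) before you trust it, and shows the known-plaintext check that lets you confirm the first two key bytes from the ciphertext alone. The key (`SAMPLE_KEY`), the stand-in binary, and the encoded buffer are all constructed for the example; the key Nuclear used in this infection is not reproduced here, and the example does not derive keys from EK traffic.

```javascript
// Added example (not from the ISC diary): decode a payload XORed with a
// repeating ASCII string key and validate the result as a PE file.

// Repeating-key XOR is symmetric: the same function encodes and decodes.
function xorWithAsciiKey(data, key) {
  const keyBytes = Buffer.from(key, 'ascii');
  if (keyBytes.length === 0) throw new Error('key must not be empty');
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] ^ keyBytes[i % keyBytes.length];
  }
  return out;
}

// A Windows executable starts with 'MZ' and stores the offset of the
// 'PE\0\0' signature at 0x3c; check both before treating a decode as real.
function looksLikePe(buf) {
  if (buf.length < 0x40 || buf[0] !== 0x4d || buf[1] !== 0x5a) return false;
  const peOffset = buf.readUInt32LE(0x3c);
  return peOffset + 4 <= buf.length &&
    buf.toString('latin1', peOffset, peOffset + 4) === 'PE\0\0';
}

// Decode with a candidate key supplied by the analyst and report whether
// the output passes the PE check.
function decodePayload(encoded, key) {
  const decoded = xorWithAsciiKey(encoded, key);
  return { decoded, validPe: looksLikePe(decoded) };
}

// Known-plaintext check: the first two plaintext bytes of a PE are 'MZ',
// so XORing them back out of the ciphertext reveals the first two key
// bytes. Use it to confirm a suspected key, or to see that the blob is
// not a XORed PE at all.
function recoverKeyPrefix(encoded) {
  if (encoded.length < 2) return '';
  return String.fromCharCode(encoded[0] ^ 0x4d, encoded[1] ^ 0x5a);
}

// Constructed stand-in for a dropped binary: MZ header, e_lfanew pointing
// at 0x80, and the PE signature there. Nothing else of a real PE is present.
function buildFakePe() {
  const buf = Buffer.alloc(0x100, 0);
  buf.write('MZ', 0, 'ascii');
  buf.writeUInt32LE(0x80, 0x3c);
  buf.write('PE\0\0', 0x80, 'latin1');
  return buf;
}

const SAMPLE_KEY = 'examplekey';  // constructed; not the key from the diary
const SAMPLE_ENCODED = xorWithAsciiKey(buildFakePe(), SAMPLE_KEY);

if (typeof require !== 'undefined' && require.main === module) {
  const right = decodePayload(SAMPLE_ENCODED, SAMPLE_KEY);
  const wrong = decodePayload(SAMPLE_ENCODED, 'wrongkey');
  console.log('key prefix recovered from ciphertext:', recoverKeyPrefix(SAMPLE_ENCODED));
  console.log('correct key gives PE:', right.validPe);
  console.log('wrong key gives PE:', wrong.validPe);
}
```

The PE check matters more than it looks: a wrong or partly wrong key still produces a buffer of the right length, and the `MZ` test alone passes for one key in 65,536 by chance. Checking the `e_lfanew` pointer and the `PE\0\0` signature together makes an accidental pass on a wrong key very unlikely.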

Review the infection traffic using Security Onion with the EmergingThreats signature set, and you'll find

Additional information from the infected host

Filtering the traffic in Wireshark, we see SSL activity to 216.230.230.247 over port 443 and 193.111.140.118 over port 995. Although this traffic is related to the Troldesh ransomware, those IP addresses are not inherently malicious.

The README text files from the desktop were identical.

Hey, Google. Someone is using Gmail accounts for nefarious purposes. Bet you haven't seen that before! Ah, free services... A cyber-criminal's delight!

Final words

In recent months, we've seen a lot of ransomware from EK traffic. This has been primarily (but not limited to) Angler, Magnitude, and Nuclear EK. Most of the ransomware has been CryptoWall 3.0 [7], but every once in a while, we'll see something like AlpaCrypt/TeslaCrypt [8] or Troldesh [4]. We'll continue to monitor EK traffic and post any significant changes.

A pcap of the 2015-08-04 Nuclear EK infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.malware-traffic-analysis.net/2015/07/22/index.html
[2] http://www.malware-traffic-analysis.net/2015/07/20/index.html
[3] https://threatpost.com/evasion-techniques-keep-angler-eks-cryptowall-business-thriving/113596
[4] http://www.malware-traffic-analysis.net/2015/04/09/index.html
[5] http://www.malware-traffic-analysis.net/2015/07/30/index.html
[6] https://isc.sans.edu/diary/Exploit+Kit+Evolution+During+2014+-+Nuclear+Pack/19081
[7] https://isc.sans.edu/diary/Another+example+of+Angler+exploit+kit+pushing+CryptoWall+30/19863
[8] https://isc.sans.edu/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
