ISC StormCast for Thursday, October 1st 2015, (Thu, Oct 1st)

SANS Internet Storm Center, Security Alerts, Sep 30, 2015
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Recent trends in Nuclear Exploit Kit activity, (Thu, Oct 1st)

SANS Internet Storm Center, Security Alerts, Sep 30, 2015


Since mid-September 2015, I've generated a great deal of Nuclear exploit kit (EK) traffic after checking compromised websites. This summer, I usually found Angler EK. Now I'm seeing more Nuclear.

Nuclear EK has also been sending dual payloads. I documented dual payloads at least three times last year [1, 2, 3], but I hadn't noticed it again from Nuclear EK until recently. This time, one of the payloads appears to be ransomware. I saw Filecoder on 2015-09-18 [4] and TeslaCrypt 2.0 on 2015-09-29 [5]. In both cases, ransomware was a component of the dual payloads from Nuclear EK.

To be clear, Nuclear EK isn't always sending two payloads, but I've noticed a dual payload trend with this recent increase in Nuclear EK traffic.

Furthermore, on Wednesday 2015-09-30, the URL pattern for Nuclear EK's landing page changed. With that in mind, let's take a look at what's happening with Nuclear.

URL patterns

The images below show some examples of URL patterns for Nuclear EK.

Shown above: Some URLs from Nuclear EK on 2015-09-15. Pcap available here.

Shown above: Some URLs from Nuclear EK on 2015-09-16.

Shown above: Some URLs from Nuclear EK on 2015-09-18. Pcap available here.

Shown above: Some URLs from Nuclear EK on 2015-09-22. Pcap available here.

Shown above: Some URLs from Nuclear EK on 2015-09-29. Pcap available here.

In the above images, the initial HTTP GET request always starts with /search?q= for the landing page URL.

Shown above: Some URLs from Nuclear EK on 2015-09-30.

The initial HTTP GET request now starts with /url?sa= instead of /search?q= for the landing page URL. I saw the same thing from three different examples of Nuclear EK on 2015-09-30. Windows hosts from these examples all had the exact

Nuclear EK examples from 2015-09-30

I had some trouble infecting a Windows 7 host running IE 11. The browser always crashed before the EK payload was sent. So I tried three different configurations to generate traffic for this diary. The first run had a Windows 7 host running IE 10. The second run had a Windows 7 host running IE 8. The third run had a Windows 7 host running IE 11. All hosts were running

I found a compromised website with an injected iframe leading to Nuclear EK. The screenshot below shows an example of the malicious script at the bottom of the page. It's right before the closing body and HTML tags. You'll

The first run used IE 10 with Flash player.

Shown above: Desktop background from the infected host.

Decrypt instructions were left as a text file on the desktop. The authors behind this ransomware used [email protected] and [email protected] as email addresses for further decryption
Shown above: Decryption instructions from the ransomware.

Playing around with the pcap in Wireshark, I got a decent representation of the traffic. Below, you'll see the compromised website, Nuclear EK on, and some of the post-infection traffic. TLS activity on ports 443 and 9001 with random characters for the server names is Tor traffic. Several other attempted TCP connections can be found in the pcap, but none of those were successful, and they're not shown below.

Shown above: Some of the infection traffic from the pcap in Wireshark (from a Windows host using IE 10 and Flash player).

Below are alerts on the infection traffic when I used tcpreplay on Security Onion with the Emerging Threats (ET) and ET Pro

Shown above: Alerts from the traffic using Sguil in Security Onion.

For the second run, I infected a different Windows host running IE 8 and Flash player. This generated Nuclear EK from the same IP address and a slightly different domain name. However, I didn't see the same traffic that triggered

Shown above: Nuclear EK traffic using IE 8 and Flash player.

For the third run, I used a Windows host with IE 11 and Flash player. As mentioned earlier, the browser would crash before the EK sent the payload, so this host didn't get infected with malware. I tried it once with Flash player and once without Flash player, both times running an unpatched version of IE 11. Each time, the browser crashed. Nuclear EK was still using the same IP address, but the domain names were different. Within a 4 minute timespan on the pcap, you'll find

Shown above: Nuclear EK traffic using IE 11 and Flash player.

Shown above: Nuclear EK sends the second malware payload.

Other than the landing page URL pattern and dual payload, Nuclear EK looks remarkably similar to the last time we reviewed it in August 2015 [6].
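The landing-page prefix change described above (/search?q= through 2015-09-29, /url?sa= from 2015-09-30) lends itself to a simple proxy-log check, since both prefixes imitate Google search and redirect URLs and stand out on any other host. The following is an added example written for this edit, not code from the diary; the log format, the Google allow-list and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Landing-page prefixes the diary reports: /search?q= until 2015-09-29, /url?sa= from 2015-09-30.
LANDING_PREFIXES = ("/search?q=", "/url?sa=")

# Both prefixes imitate Google search/redirect URLs, so hits on Google's own
# hosts are suppressed. This allow-list is an assumption for the example.
BENIGN_HOST_SUFFIXES = ("google.com",)

def is_benign_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BENIGN_HOST_SUFFIXES)

def flag_request(method, host, path_and_query):
    """Return a reason string when a GET to a non-allow-listed host uses a
    Nuclear EK landing-page prefix; return None otherwise."""
    if method != "GET" or is_benign_host(host):
        return None
    for prefix in LANDING_PREFIXES:
        if path_and_query.startswith(prefix):
            return "Nuclear EK landing-page pattern %r on %s" % (prefix, host)
    return None

# Constructed proxy-log format for this example: "<timestamp> <client> <method> <url>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

def scan_log(lines):
    """Parse log lines and return (timestamp, client, url, reason) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, method, url = m.groups()
        u = urlsplit(url)
        path_and_query = u.path + ("?" + u.query if u.query else "")
        reason = flag_request(method, u.hostname or "", path_and_query)
        if reason:
            hits.append((ts, client, url, reason))
    return hits

# Constructed sample lines; the hostnames are reserved .example names, not IoCs.
SAMPLE_LOG = [
    "2015-09-29T10:00:01 10.0.0.5 GET http://www.google.com/search?q=weather",
    "2015-09-29T10:00:07 10.0.0.5 GET http://cdn-files.example/search?q=3f9a1c",
    "2015-09-30T11:12:03 10.0.0.8 GET http://static-assets.example/url?sa=t&rct=j",
    "2015-09-30T11:12:09 10.0.0.8 POST http://static-assets.example/url?sa=t",
    "2015-09-30T11:13:00 10.0.0.8 GET http://www.google.com/url?sa=t&url=x",
]
```

Running scan_log(SAMPLE_LOG) flags only the two GET requests to the non-Google hosts; the POST and the genuine Google URLs are ignored.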

Preliminary malware analysis

The first and second runs generated a full infection chain and post-infection traffic. The malware payload was the same during the first and second run. The first run had additional malware on the infected host. The third run using IE 11 didn't generate any malware payload.

Nuclear EK malware payload 1 of 2:
