
SANS Internet Storm Center, InfoCON: green: BizCN gate actor update, (Fri, Oct 2nd)


Introduction

The actor using gates registered through BizCN (always with privacy protection) continues using the Nuclear exploit kit (EK) to deliver malware.

My previous diary on this actor documented the actor's switch from Fiesta EK to Nuclear EK in early July 2015 [1]. Since then, the BizCN gate actor briefly switched to Neutrino EK in however, it appears to be using Nuclear EK again.

Our thanks to Paul, who submitted a pcap of traffic from this actor to the ISC.

Details

Paul's pcap showed us a Google search leading to the compromised website. In the image below, you can also see
Shown above: A pcap of the traffic filtered by HTTP request.

No payload was found in this EK traffic, so the Windows host viewing the compromised website didn't get infected. The Windows host from this pcap was running IE 11, and URLs for the EK traffic stop after the last two HTTP POST requests. These URL patterns are what I've seen every time IE 11 crashes after getting hit with Nuclear EK.

A key thing to remember with the BizCN gate actor is the referer line from the landing page. This will always show the compromised website, and it won't indicate the BizCN-registered gate that gets you there. Paul's pcap didn't include traffic to the BizCN-registered gate, but I found a reference to it in the traffic.
Shown above: Flow chart for EK traffic associated with the BizCN gate actor.

How did I find the gate in this example? First, I checked the referer on the HTTP GET request to the EK landing page.
Shown above: TCP stream for the HTTP GET request to the Nuclear EK landing page.

That referer should have injected script pointing to the BizCN gate URL, so I exported that object from the pcap.
Shown above: The object I exported from the pcap.

I searched the HTML text and found the injected script.
Shown above: Malicious script in page from the compromised website pointing to URL on the BizCN-registered gate domain.

The BizCN-registered gate domain was perolissan.com, and pinging it showed 136.243.25.242 as the IP address.
Shown above: Whois information on perolissan.com.

This completes my flow chart for the BizCN gate actor. The domains associated from Paul's pcap were:

  • www.gm-trucks.com - Compromised website
  • 136.243.25.242 - perolissan.com - BizCN-registered gate
  • 5.175.130.56 - zezetap.xyz - Nuclear EK
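The method described above (walk the Referer headers back from the EK landing page, then look in the compromised page's HTML for injected script that points to a domain the referer chain never shows) can be automated over the HTTP requests a pcap viewer lists. The following is an added example written for this diary, not the author's or the ISC's code: the hostnames are the three named above, while every path, the HTML snippet and the request order are constructed placeholders.

```python
"""Reconstruct an EK redirect chain from HTTP request records (added example).

Input is a list of (method, url, referer) tuples as a pcap viewer filtered by
HTTP request would show them. Two checks are performed: the Referer chain
ending at the EK landing page, which recovers the compromised website but
never the gate, and a scan of the compromised page's HTML for <script src>
tags pointing at a foreign host, which is where the gate shows up.
"""
import re
from urllib.parse import urlparse

# Constructed sample traffic. Hostnames come from the diary; the paths are
# placeholders and do not reproduce any real gate or EK URL pattern.
SAMPLE_REQUESTS = [
    ("GET", "http://www.google.com/search?q=placeholder", None),
    ("GET", "http://www.gm-trucks.com/index.html",
     "http://www.google.com/search?q=placeholder"),
    ("GET", "http://perolissan.com/gate-placeholder.js",
     "http://www.gm-trucks.com/index.html"),
    ("GET", "http://zezetap.xyz/landing-placeholder",
     "http://www.gm-trucks.com/index.html"),
    ("POST", "http://zezetap.xyz/post-placeholder-1",
     "http://zezetap.xyz/landing-placeholder"),
    ("POST", "http://zezetap.xyz/post-placeholder-2",
     "http://zezetap.xyz/landing-placeholder"),
]

# Constructed stand-in for the exported page from the compromised website.
COMPROMISED_HTML = """<html><head><title>placeholder</title>
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://perolissan.com/gate-placeholder.js"></script>
</head><body>placeholder page body</body></html>"""

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def referer_chain(requests, final_url):
    """Follow Referer headers backwards from final_url.

    Returns the hops in chronological order (earliest first). The walk stops
    at a request with no referer, at a referer that was never requested in
    the capture, or on a referer loop.
    """
    by_url = {url: ref for (_method, url, ref) in requests}
    chain = [final_url]
    seen = {final_url}
    current = final_url
    while by_url.get(current) is not None and by_url[current] not in seen:
        current = by_url[current]
        chain.append(current)
        seen.add(current)
    return list(reversed(chain))


def external_scripts(html, page_url):
    """Return src URLs of <script> tags whose host differs from the page's own."""
    page_host = urlparse(page_url).hostname
    return [src for src in SCRIPT_SRC.findall(html)
            if urlparse(src).hostname not in (None, page_host)]


def classify(requests, landing_url, compromised_html):
    """Label the roles the way the diary's flow chart does."""
    chain = referer_chain(requests, landing_url)
    if len(chain) < 2:
        return {"chain_hosts": [urlparse(u).hostname for u in chain],
                "compromised_website": None, "gate_candidates": [],
                "ek_domain": urlparse(landing_url).hostname}
    compromised_url = chain[-2]  # the referer of the landing page
    gates = [urlparse(s).hostname
             for s in external_scripts(compromised_html, compromised_url)]
    return {
        "chain_hosts": [urlparse(u).hostname for u in chain],
        "compromised_website": urlparse(compromised_url).hostname,
        "gate_candidates": gates,
        "ek_domain": urlparse(landing_url).hostname,
    }


if __name__ == "__main__":
    result = classify(SAMPLE_REQUESTS, "http://zezetap.xyz/landing-placeholder",
                      COMPROMISED_HTML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it shows the point the diary makes: `chain_hosts` contains the search engine, the compromised site and the EK domain but not the gate, while `gate_candidates` lists perolissan.com only because the exported HTML was scanned. Any internal `<script src="/...">` reference has no hostname and is ignored, so same-site scripts do not produce false gate candidates.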

Final words

Recently, I've had a hard time getting a full chain of infection traffic from the BizCN gate actor. Paul's pcap also had this issue, because there was no payload. However, the BizCN gate actor is still active, and many of the compromised websites I've noted in previous diaries [1, 4] are still compromised.

We continue to track the BizCN gate actor, and we'll let you know if we discover any significant changes.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875/
[2] http://malware-traffic-analysis.net/2015/09/11/index.html
[3] http://malware-traffic-analysis.net/2015/09/14/index.html
[4] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
