Unveiling Nuclear EK (I)

When analyzing network traffic, we can often find patterns belonging to the already known Angler EK, Nuclear EK and Magnitude EK.

Normally sold in the black market, an Exploit Kit (EK) is a toolset that automates the exploitation of vulnerabilities on the client, aimed at browsers and plugins that a website can invoke as Adobe Flash Player, Microsoft Silverlight, Adobe Reader, Java, etc., to infect computers while surfing the Internet in what is called drive-by download attacks.

These patterns can be detected by snort rules such as:

ET CURRENT_EVENTS Cushion Redirection
ET CURRENT_EVENTS Possible Nuclear EK Landing URI Struct T1
ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit Aug 07 2014
ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014

Later, analyzing the navigation logs to find out if the computer has been infected, we can find things like this:

(1) 1431XXXXXX.176   2212 X.X.X.X TCP_MISS/200 59981 GET http://oapsnschmelzsicherung.xxxxxxxx.com/xxxx_xxxxx_stubbornness_uprise/500125099916354311 - ROUNDROBIN_PARENT/ X.X.X.X text/html

(2) 1431XXXXXX.284    351 X.X.X.X TCP_MISS/200 40950 GET http://oapsnschmelzsicherung.xxxxxxxx.com/gUumBTs1ZmB5LXoesyPvFlZqU014qtKBap7VY3eJbtxXK81S - ROUNDROBIN_PARENT/ X.X.X.X application/x-shockwave-flash

(3) 1431XXXXXX.736   1569 X.X.X.X TCP_MISS/200 163950 GET http://oapsnschmelzsicherung.xxxxxxxx.com/Wb_gLKuEtf9-CCiAvIAtEVGnHsOrDIlvJjYBsAo-s2AJ8yv0 - ROUNDROBIN_PARENT/ X.X.X.X application/octet-stream

As we can see, the user’s browser contacts a web (1) that loads a flash object (2). This flash object attempts to exploit a vulnerability in Adobe Flash Player and if successful, downloads a binary file that appears to be a very-bad malware (3) which is executed, infecting the computer.

But is this always the pattern followed? Lately, we have encountered in our SOC the following pattern belonging to Nuclear EK:

(1) 1431XXXXXX.948   2932 X.X.X.X TCP_MISS/200 745 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/index.php? - ROUNDROBIN_PARENT/X.X.X.X text/html

(2) 1431XXXXXX.495   1495 X.X.X.X TCP_MISS/302 509 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/watch.php? - ROUNDROBIN_PARENT/X.X.X.X text/html

(3) 1431XXXXXX.228    730 X.X.X.X TCP_MISS/200 7005 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/SE4AHwUeBFxWC1oIA0RWCkJVU19EVlcQR1YFG1tMVVZXBFcMU0IdEFcQRF5DChwNQFA.html - ROUNDROBIN_PARENT/X.X.X.X text/html

(4) 1431XXXXXX.140    856 X.X.X.X TCP_MISS/200 19268 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/V09AH0gbAksHHwYeBFxWC1oIA0RWCkJVU19EVlcQR1YFG1tMVVZXBFcMU0IdEFcQRF5DChwNQFBMUQNQHAMJTQNUBhkCU05TBgQBUwVUAgQDH1QOAQ - ROUNDROBIN_PARENT/X.X.X.X application/octet-stream

(5) 1431XXXXXX.833    985 X.X.X.X TCP_MISS/200 25634 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/V09BYHT6dy87JNDTYGE5KIdehJHS98bHUJ5wcrNQFBMU5aQNQH2Tase44FJUSGDJFGfhO45MAHdfRAIROAMJsTNUBhkCU05TBgSHY1Ahg3JFYE7HCT - ROUNDROBIN_PARENT/X.X.X.X application/octet-stream

We see some hits with html pages (1)(2)(3) and downloads two binary files (4)(5), but we don’t find the object used to exploit the vulnerability to infect the computer. How did they do that? Does the user have downloaded the executable consciously? Or … the problem is that the object is not identified correctly by the proxy?

To study it carefully, we have sought a similar example in this case: malware-traffic-analysis.net, from where you can download a PCAP file for analysis; Example # 1.

If we open the PCAP with Wireshark, we can filter by http and check that the pattern is similar to what we detected:

-> GET http://on2wyqlx7ny7x9plbfu6vg7.filmizlemefullhd.org/index.php?p=enhwZmJhPWFpeWhvcGsmdGltZT0xNTAyMTExNjM4MzYyNzYyODQ1NCZzcmM9MTc3JnN1cmw9d3d3LnByaW1laGVhbHRoY2hhbm5lbC5jb20mc3BvcnQ9ODAma2V5PTU5QUU1QzE3JnN1cmk9Lw==
<- HTTP/1.1 200 OK

-> GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/watch.php?kcppp=MTE3NzU5ODg2Nzk3NjRlY2M0MmJiNDk3M2NmZGVkM2Fl
<- HTTP/1.1 302 Found, Location: http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/BQdXBkRUTQg.html

-> GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/BQdXBkRUTQg.html
<- HTTP/1.1 200 OK

-> GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs
<- HTTP/1.1 200 OK

-> GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/BV4NBkQDAQ9SHwMfBh1SDFcCDwBRBVcHHVUOSwABAE0FUBlQUg0ZBkVnFHwARhgzRFc
<- HTTP/1.1 200 OK

Now we can parse the HTML of each page to understand how it works by extracting them with Wireshark: File / Export Objects / HTTP.

In the next post, we will analyze these files.


See also in:


  1. Maite Moreno says

    Nice post Adrian!

  2. Adrián Macías says

    Thanks :)