Notes

  • This traffic is consistent with other observed instances of Operation Windigo / the Windigo Group
  • Brad at malware-traffic-analysis.net has covered this campaign for some time; more information on it is available here
  • Additionally, the redirection uses what is known as a "Cushion Attack", in which the compromised site serves a script that forwards the browser on to the exploit-kit gate; it can be read about in full detail here
  • The malware payload was XOR'd using key text: VSRRTTvRWA, or Hex: 0x56,0x53,0x52,0x52,0x54,0x54,0x76,0x52,0x57,0x41
  • EDIT 04/16: Updated to include the actual binary. Brad at malware-traffic-analysis.net pointed out the true binary after an error on my part. Thanks, Brad!
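The XOR key in the notes above is enough to unpack the dropped binary by hand. The following is an added example (not code from the original post): it decodes a repeating-key XOR blob with that key, sanity-checks the result as a PE, and shows how the reserved, always-zero e_res2 field of the DOS header leaks the key stream when the key is unknown. The key is the one given in the notes; the sample payload, the function names and the assumption that the captured blob starts at the PE's first byte are this example's own.

```python
"""Added example: unpack a repeating-key XOR'd payload and confirm it is a PE.
The key is the one from the post; everything else here is constructed."""
import struct

# Key as given in the notes; the ASCII and hex forms are the same ten bytes.
KEY_TEXT = "VSRRTTvRWA"
KEY_HEX = bytes([0x56, 0x53, 0x52, 0x52, 0x54, 0x54, 0x76, 0x52, 0x57, 0x41])
assert KEY_TEXT.encode() == KEY_HEX


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling through the key.
    XOR is symmetric, so the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded buffer: 'MZ' at offset 0, a sane
    e_lfanew at offset 0x3C, and 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(blob: bytes, key: bytes = KEY_HEX) -> bytes:
    """Decode a captured blob and refuse anything that is not a PE, so a wrong
    key or a blob that does not start at the binary's first byte is caught."""
    out = xor_repeating(blob, key)
    if not looks_like_pe(out):
        raise ValueError("decoded data is not a PE: wrong key or wrong start offset?")
    return out


def recover_key_from_dos_header(blob: bytes, keylen: int) -> bytes:
    """Recover a repeating XOR key of up to 20 bytes from the ciphertext alone.
    e_res2 (offset 0x28, 20 bytes) is reserved and zero in a real PE, so the
    ciphertext there is the raw key stream; only the rotation has to be undone.
    Assumes the blob starts at the PE's first byte (the encoder had no prefix)."""
    if not 0 < keylen <= 20 or len(blob) < 0x3C:
        raise ValueError("need 0 < keylen <= 20 and at least a full DOS header")
    stream = blob[0x28:0x28 + keylen]      # stream[i] == key[(0x28 + i) % keylen]
    rot = 0x28 % keylen
    return stream[-rot:] + stream[:-rot] if rot else stream


def build_fake_pe() -> bytes:
    """Constructed stand-in for the real dropped binary: a DOS header whose
    e_lfanew points at a PE signature, followed by a little padding."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew: right after the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    plain = build_fake_pe()
    wire = xor_repeating(plain, KEY_HEX)         # what the EK would send on the wire
    print("MZ visible in capture:", wire[:2] == b"MZ")
    print("key from e_res2:", recover_key_from_dos_header(wire, 10))
    print("round trip ok:", decode_payload(wire) == plain)
```

The e_res2 trick only works when the XOR starts exactly at the PE's first byte and the key is no longer than 20 bytes; a key of the length used here (10 bytes) appears twice in that field, which is a good confirmation that the guessed length is right.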
PCAP and Malware
Compromised Domain and Redirects

2015-04-11 10:02:10 UTC - 141.101.118.162 - harakahdaily.net - GET /
2015-04-11 10:02:13 UTC - 42.0.28.85 - myharakah.net - GET /ads/BM_Top_FP.php
2015-04-11 10:02:14 UTC - 42.0.28.85 - myharakah.net - GET /ads/css/cycle2/BM_Top_FP.css
2015-04-11 10:02:14 UTC - 42.0.28.85 - myharakah.net - GET /ads/js/cycle2/scrollvert.js <- Cushion Redirect to Nuclear EK

Nuclear EK Traffic

2015-04-11 10:02:14 UTC - 41.77.113.181 - fknmulaxdl675x8ol2qwpji.couponingforreal.com - GET /index.php?c=anM9MSZ6ZWx0YW1nPXl4YmpmZiZ0aW1lPTE1MDQxMTA5NTgzNjcxMjM1ODMxJnNyYz0xOTcmc3VybD1teWhhcmFrYWgubmV0JnNwb3J0PTgwJmtleT1DNUJBMzYzNiZzdXJpPS9hZHMvanMvY3ljbGUyL3Njcm9sbHZlcnQuanM=
2015-04-11 10:02:16 UTC - 41.77.113.181 - fknmulaxdl675x8ol2qwpji.couponingforreal.com - GET /watch.php?czue=MTE5NzU5YTZlOTlhNDIyNDY0MGViOWI1M2QzZmFiNDdk
2015-04-11 10:02:16 UTC - 41.77.113.181 - fknmulaxdl675x8ol2qwpji.couponingforreal.com - GET /AkJHC0xNVk9PQFADElVBVgBdCEVXDUJeGwdeDwJYBB1VV0NBDF1fVlFXDEFEXVddTVBZVQ.html
2015-04-11 10:02:18 UTC - 41.77.113.181 - fknmulaxdl675x8ol2qwpji.couponingforreal.com - GET /undefined
2015-04-11 10:02:19 UTC - 41.77.113.181 - fknmulaxdl675x8ol2qwpji.couponingforreal.com - GET /BktGRFdAEgBMRANNV09PQFADElVBVgBdCEVXDUJeGwdeDwJYBB1VV0NBDF1fVlFXDEFEXVddTVBZVUoHVx0ECwMfUgYDFg4CHwICCg4GVwUDCwBNBV8E
2015-04-11 10:02:22 UTC - 41.77.113.181 - fknmulaxdl675x8ol2qwpji.couponingforreal.com - GET /BVpaXUpQEkIFQkoEHwdKQU5XUUJQT1gHD1hAWQNFDEsCUAEFClQYW1lEE1xYUVhWBVxESlNQDx1VV1tNVQcYCgUETQIDDRgJUE8HDAQJVAcADQUHHwZKbmVjMWdiTmRmIg
2015-04-11 10:02:23 UTC - 41.77.113.181 - fknmulaxdl675x8ol2qwpji.couponingforreal.com - GET /favicon.ico

Post-Infection Traffic & Glupteba Checkin

2015-04-11 10:02:29 UTC - 194.19.245.1 - 194.19.245.1:35971 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0000B546&statpass=bpass&version=15150410&features=30&guid=d76534e8-5957-4106-a749-9aa8e44442c4&comment=15150410&p=0&s=
2015-04-11 10:03:05 UTC - 216.58.211.4 - google.com - GET /robots.txt
2015-04-11 10:03:25 UTC - 84.244.183.94 - 84.244.183.94:49721 - GET /stat?uid=100&downlink=1111&uplink=1111&id=00019035&statpass=bpass&version=15150410&features=30&guid=d76534e8-5957-4106-a749-9aa8e44442c4&comment=15150410&p=1&s=108.178.0.146:13208,93.89.239.242:51909,84.244.183.94:49721
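Two of the URLs above carry more than they show at a glance: the c= parameter on the Nuclear EK index.php request is a base64 blob that records where the visitor came from, and the s= field of the Glupteba /stat checkin is a peer list. The following is an added example (not code from the original post) that decodes both; the three URLs are copied verbatim from the traffic listed above, while the function names and output layout are this example's own.

```python
"""Added example: decode the Nuclear EK gate parameter and parse the Glupteba
/stat checkin. The URLs are the ones quoted in the post."""
import base64
from urllib.parse import parse_qsl, urlsplit

# Nuclear EK landing request (from the post): the redirect context is one base64 blob.
EK_URL = ("http://fknmulaxdl675x8ol2qwpji.couponingforreal.com/index.php?c="
          "anM9MSZ6ZWx0YW1nPXl4YmpmZiZ0aW1lPTE1MDQxMTA5NTgzNjcxMjM1ODMxJnNyYz0xOTcm"
          "c3VybD1teWhhcmFrYWgubmV0JnNwb3J0PTgwJmtleT1DNUJBMzYzNiZzdXJpPS9hZHMvanMv"
          "Y3ljbGUyL3Njcm9sbHZlcnQuanM=")

# Glupteba checkins (from the post): first has p=0 and an empty s=, second has p=1 and peers.
FIRST_CHECKIN_URL = ("http://194.19.245.1:35971/stat?uid=100&downlink=1111&uplink=1111"
                     "&id=0000B546&statpass=bpass&version=15150410&features=30"
                     "&guid=d76534e8-5957-4106-a749-9aa8e44442c4&comment=15150410&p=0&s=")
SECOND_CHECKIN_URL = ("http://84.244.183.94:49721/stat?uid=100&downlink=1111&uplink=1111"
                      "&id=00019035&statpass=bpass&version=15150410&features=30"
                      "&guid=d76534e8-5957-4106-a749-9aa8e44442c4&comment=15150410&p=1"
                      "&s=108.178.0.146:13208,93.89.239.242:51909,84.244.183.94:49721")


def decode_ek_gate(url: str) -> dict:
    """Base64-decode the c= parameter of the EK index.php request and return the
    key/value pairs inside it. surl/suri name the referring host and script,
    which ties the EK hit back to the cushion redirect on the compromised site."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    blob = query["c"].replace(" ", "+")     # parse_qsl turns a literal '+' into a space
    blob += "=" * (-len(blob) % 4)          # tolerate stripped base64 padding
    inner = base64.b64decode(blob).decode("latin-1")
    return dict(parse_qsl(inner, keep_blank_values=True))


def parse_glupteba_checkin(url: str) -> dict:
    """Split a Glupteba /stat checkin into the fields an analyst cares about and
    turn the s= peer list into (ip, port) tuples. Blank values are kept so the
    empty s= of the first checkin parses cleanly to no peers."""
    parts = urlsplit(url)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    peers = [(host, int(port)) for host, port in
             (entry.rsplit(":", 1) for entry in fields.get("s", "").split(",") if entry)]
    return {
        "cnc": (parts.hostname, parts.port),
        "guid": fields.get("guid"),
        "bot_id": fields.get("id"),
        "version": fields.get("version"),
        "p": fields.get("p"),
        "peers": peers,
    }


if __name__ == "__main__":
    gate = decode_ek_gate(EK_URL)
    print("EK referrer:", gate["surl"] + gate["suri"], "gate key:", gate["key"])
    for url in (FIRST_CHECKIN_URL, SECOND_CHECKIN_URL):
        ck = parse_glupteba_checkin(url)
        print("checkin to", ck["cnc"], "p=%s" % ck["p"], "peers:", ck["peers"])
```

The decoded c= blob names myharakah.net and /ads/js/cycle2/scrollvert.js, the exact host and script flagged as the cushion redirect in the first section, which is a useful way to confirm the redirect chain from the EK side when the referer header is missing. Note that the peer list in the second checkin includes the very host:port it was sent to, so each s= entry should be treated as another C2/proxy candidate and added to the indicator list alongside the two checkin destinations.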

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7

2015-04-11 10:02:14 UTC - 192.168.27.10:1048 -> 41.77.113.181:80 - ET CURRENT EVENTS Cushion Redirection
2015-04-11 10:02:16 UTC - 192.168.27.10:1048 -> 41.77.113.181:80 - ET CURRENT EVENTS Possible ASPROX Download URI Struct June 19 2014
2015-04-11 10:02:19 UTC - 41.77.113.181:80 -> 192.168.27.10:1075 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF
2015-04-11 10:02:19 UTC - 41.77.113.181:80 -> 192.168.27.10:1075 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-04-11 10:02:29 UTC - 192.168.27.10:1080 -> 194.19.245.1:35971 - ET TROJAN Win32/Glupteba CnC Checkin
2015-04-11 10:03:25 UTC - 192.168.27.10:1087 -> 84.244.183.94:49721 - ET TROJAN Win32/Glupteba CnC Checkin

Traffic Screenshots

Flash Exploit Malware Payload

Preliminary Malware Analysis

Nuclear EK Flash Exploit

Nuclear EK Malware Payload
Updated to include the actual binary: Brad at malware-traffic-analysis.net pointed out the true binary after an error on my part:

PCAP and Malware

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.