Notes
  • Quick update on some Nuclear EK activity observed on Threatglass
  • Brad at malware-traffic-analysis.net has covered this for some time and provides more information on this campaign here
  • Additionally, the redirection is the result of what is known as a "Cushion Attack", which is described in detail here
  • Malware payload was XOR'd with string 'YjaGEnqp' / 0x59,0x6a,0x61,0x47,0x45,0x6e,0x71,0x70
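The XOR key noted above is a repeating 8-byte string, so undoing it is a single pass over the payload. The following is an added example (not code from the original post) that decodes with that key, checks that the result starts with the DOS "MZ" magic, and shows the reverse direction an analyst uses when the key is not yet known: XORing the ciphertext against a known plaintext prefix over one key period yields the key. The 16-byte DOS header prefix used as known plaintext is the common MSVC one and is an assumption (not every PE starts that way); the encoded sample bytes are constructed from that prefix and the key, not taken from the real payload.

```python
# Added example: decode a payload XOR'd with the repeating key 'YjaGEnqp'
# and recover that key from a known DOS-header prefix.

KEY_STR = "YjaGEnqp"
KEY = KEY_STR.encode("ascii")
# Hex form as listed in the notes, kept to cross-check the string form.
KEY_HEX = bytes([0x59, 0x6a, 0x61, 0x47, 0x45, 0x6e, 0x71, 0x70])
assert KEY == KEY_HEX

# First 16 bytes of the DOS header that most MSVC-linked PE files share.
# Assumed here as known plaintext; a PE does not have to start this way.
KNOWN_DOS_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")

# Constructed sample: KNOWN_DOS_PREFIX XOR'd with KEY (not bytes from the real payload).
SAMPLE_ENCODED = bytes.fromhex("1430f147466e71705d6a6147ba917170")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    routine both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(encoded: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: ciphertext XOR plaintext over one key
    period is the key. Needs at least key_len bytes of trusted plaintext."""
    if len(known_plaintext) < key_len or len(encoded) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(encoded[:key_len], known_plaintext[:key_len]))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded blob: the DOS 'MZ' magic is present."""
    return len(data) >= 2 and data[:2] == b"MZ"


def decode_payload(encoded: bytes, key: bytes = KEY) -> bytes:
    """Decode with the noted key and verify the result looks like an executable."""
    decoded = xor_repeating(encoded, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data does not start with MZ; wrong key or offset?")
    return decoded


if __name__ == "__main__":
    print(decode_payload(SAMPLE_ENCODED).hex())
    print(recover_key(SAMPLE_ENCODED, KNOWN_DOS_PREFIX, len(KEY)).decode())
```

If the key length is unknown, the same recovery can be repeated for candidate lengths until the recovered bytes are printable and re-decoding yields an "MZ" header.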
PCAP and Malware
Compromised Domain and Redirects

2015-06-13 03:49:02 UTC - 218.93.127.106 - aguo.com - GET /
2015-06-13 03:49:03 UTC - 218.93.127.106 - www.aguo.com - GET /
2015-06-13 03:49:03 UTC - 218.93.127.106 - www.aguo.com - GET /d/js/acmds/thea2.js
2015-06-13 03:49:03 UTC - 67.212.169.38 - 5gllwhe8nkchck1pbdm7lwg.sohbet55.org - GET /index.php?o=anM9MSZxcnJsdHRoPWRsbHcmdGltZT0xNTA2MTMwMzQ0ODkzOTU0NDQ2JnNyYz0zNCZzdXJsPXd3dy5hZ3VvLmNvbSZzcG9ydD04MCZrZXk9RjMzMTNFMDkmc3VyaT0vZC9qcy9hY21zZC90aGVhMi5qcw==
2015-06-13 03:49:06 UTC - 67.212.169.38 - 5gllwhe8nkchck1pbdm7lwg.sohbet55.org - GET /watch.php?gbvx=MTAzNDU5YzViOWFkNzUwZTE0MGViOWI1MGNmN2JlMjhm
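The `o` parameter on the `index.php` request above is plain base64 of a second query string that records where the victim came from (the `surl`/`suri` fields carry the compromised site and script path, which matches the preceding requests to www.aguo.com). The following is an added example, not code from the original post, that pulls the raw parameter out of the URL and decodes it; the two URLs are the ones in the log above. The parameter is taken by hand rather than with `parse_qs()` because a `+` inside base64 would otherwise be turned into a space.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# The two redirect requests from the log above (page data, not constructed).
INDEX_URL = "http://5gllwhe8nkchck1pbdm7lwg.sohbet55.org/index.php?o=anM9MSZxcnJsdHRoPWRsbHcmdGltZT0xNTA2MTMwMzQ0ODkzOTU0NDQ2JnNyYz0zNCZzdXJsPXd3dy5hZ3VvLmNvbSZzcG9ydD04MCZrZXk9RjMzMTNFMDkmc3VyaT0vZC9qcy9hY21zZC90aGVhMi5qcw=="
WATCH_URL = "http://5gllwhe8nkchck1pbdm7lwg.sohbet55.org/watch.php?gbvx=MTAzNDU5YzViOWFkNzUwZTE0MGViOWI1MGNmN2JlMjhm"


def raw_query_param(url: str, name: str) -> str:
    """Return a query parameter's raw value without percent- or plus-decoding.
    parse_qs() would turn a '+' inside base64 into a space, so split by hand."""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return value
    raise KeyError(name)


def b64_param(url: str, name: str) -> str:
    """Base64-decode a query parameter, restoring '=' padding that logging or
    extraction may have dropped and falling back to the URL-safe alphabet."""
    blob = raw_query_param(url, name)
    blob += "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        raw = base64.urlsafe_b64decode(blob)
    return raw.decode("ascii", errors="replace")


def decode_cushion_redirect(url: str) -> dict:
    """The 'o' value is itself a query string; return it as a flat dict."""
    inner = b64_param(url, "o")
    return {k: v[0] for k, v in parse_qs(inner, keep_blank_values=True).items()}


if __name__ == "__main__":
    for k, v in decode_cushion_redirect(INDEX_URL).items():
        print(f"{k} = {v}")
    print("gbvx =", b64_param(WATCH_URL, "gbvx"))
```

Decoding the `o` value this way turns an opaque redirect URL into referrer fields that can be joined against web proxy logs to find which site sent the host to the gate.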

Nuclear EK Traffic

2015-06-13 03:49:07 UTC - 67.212.169.38 - fznqyd99wjbqsd1kcdburrj.sohbet55.org - GET /WUYBQ10fBkhRSQoSSlAOChMJUUVEV1UIUFBVRhYRWRpEXAwBVkACBkoMQVM.html
2015-06-13 03:49:07 UTC - 67.212.169.38 - fznqyd99wjbqsd1kcdburrj.sohbet55.org - GET /VkxHTw4RBUQOT1EfB0hRSQoSSlAOChMJUUVEV1UIUFBVRhYRWRpEXAwBVkACBkoMQVNLBVBNAQcCHVVWBhoPAxhSBwcDAlJUAAAATwIPAg
2015-06-13 03:49:10 UTC - 67.212.169.38 - fznqyd99wjbqsd1kcdburrj.sohbet55.org - GET /VV1bVhgJQQJHChhWTwBLVR4NQk1TCl0UWVZGQABSWFdTURERQV4ZQAsLUVFDBlFNXEZQT1JXHQYEBkpSBgEZC1QfAgAEB1VVBAcDBBhWT21dUiMmXUV
2015-06-13 03:49:12 UTC - 67.212.169.38 - fznqyd99wjbqsd1kcdburrj.sohbet55.org - GET /favicon.ico

Post-Infection Traffic & Glupteba Checkin

2015-06-13 03:49:33 UTC - 184.154.97.114 - 184.154.97.114 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0000DD31&statpass=bpass&version=21150605&features=30&guid=1e60fd31-e84f-488e-8cdd-62e68389af90&comment=21150605&p=0&s=
2015-06-13 03:50:06 UTC - 173.194.113.84 - www.google.com - GET /robots.txt
2015-06-13 03:50:25 UTC - 184.154.97.114 - 184.154.97.114 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0001AC0A&statpass=bpass&version=21150605&features=30&guid=1e60fd31-e84f-488e-8cdd-62e68389af90&comment=21150605&p=1&s=173.236.25.26:13208,96.127.159.146:13208,209.236.74.175:49721
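The two `/stat` requests above carry a fixed parameter set (`uid`, `statpass`, `version`, `guid`, `p`, `s`), and the second one's `s` field lists peer IP:port pairs, one of which (173.236.25.26:13208) shows up as the destination of the later checkin alert. The following is an added example, not code from the original post, that parses log lines in the one-line format used on this page, flags lines matching that checkin shape, and extracts the GUID and peer list so the peers can be added to a watch list. The three log lines are the ones above; the line format and the choice to match on the parameter set rather than on any single value are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Post-infection lines from the log above (page data, not constructed).
LOG_LINES = [
    "2015-06-13 03:49:33 UTC - 184.154.97.114 - 184.154.97.114 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0000DD31&statpass=bpass&version=21150605&features=30&guid=1e60fd31-e84f-488e-8cdd-62e68389af90&comment=21150605&p=0&s=",
    "2015-06-13 03:50:06 UTC - 173.194.113.84 - www.google.com - GET /robots.txt",
    "2015-06-13 03:50:25 UTC - 184.154.97.114 - 184.154.97.114 - GET /stat?uid=100&downlink=1111&uplink=1111&id=0001AC0A&statpass=bpass&version=21150605&features=30&guid=1e60fd31-e84f-488e-8cdd-62e68389af90&comment=21150605&p=1&s=173.236.25.26:13208,96.127.159.146:13208,209.236.74.175:49721",
]

# "<date> <time> UTC - <dst ip> - <host> - <method> <uri>" as used on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - (?P<ip>\S+) - (?P<host>\S+) - "
    r"(?P<method>[A-Z]+) (?P<uri>\S+)$"
)
# Parameters both checkins carry; matching the set rather than one value
# survives changes to id/version between beacons.
CHECKIN_PARAMS = {"uid", "statpass", "version", "guid", "p", "s"}
PEER_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def parse_line(line):
    """Split one log line into fields, or return None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_glupteba_checkin(uri):
    """Path /stat carrying the full checkin parameter set, as seen above."""
    parts = urlsplit(uri)
    if parts.path != "/stat":
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return CHECKIN_PARAMS.issubset(qs)


def extract_peers(uri):
    """Return the IP:port entries from the comma-separated 's' field."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    raw = qs.get("s", [""])[0]
    return [p for p in raw.split(",") if PEER_RE.match(p)]


def find_checkins(lines):
    """Flag checkin lines and pull out the fields worth keeping as indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_glupteba_checkin(rec["uri"]):
            qs = parse_qs(urlsplit(rec["uri"]).query, keep_blank_values=True)
            hits.append({
                "ts": rec["ts"],
                "dst": rec["ip"],
                "guid": qs["guid"][0],
                "peers": extract_peers(rec["uri"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_checkins(LOG_LINES):
        print(hit["ts"], hit["dst"], hit["guid"], hit["peers"])
```

The peer list is the useful by-product: the host that beaconed to 184.154.97.114 next contacted 173.236.25.26:13208, so entries harvested from `s=` are worth feeding into the same alerting that caught the first checkin.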

IDS alerts using the Emerging Threats Pro Ruleset (ET INFO disabled) on Suricata 2.0.8

2015-06-13 03:49:04 UTC - 192.168.15.10:1046 -> 67.212.169.38:80 - ET CURRENT EVENTS Cushion Redirection
2015-06-13 03:49:07 UTC - 192.168.15.10:1046 -> 67.212.169.38:80 - ET CURRENT EVENTS Possible ASPROX Download URI Struct June 19 2014
2015-06-13 03:49:07 UTC - 192.168.15.10:1054 -> 67.212.169.38:80 - ET CURRENT EVENTS Possible Nuclear EK Landing URI Struct T1
2015-06-13 03:49:08 UTC - 67.212.169.38:80 -> 192.168.15.10:1054 - ETPRO CURRENT EVENTS Nuclear EK Landing April 30 2015 M4
2015-06-13 03:49:08 UTC - 67.212.169.38:80 -> 192.168.15.10:1054 - ETPRO CURRENT EVENTS Nuclear EK Landing April 30 2015 M3
2015-06-13 03:49:08 UTC - 192.168.15.10:1054 -> 67.212.169.38:80 - ET CURRENT EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23 2015
2015-06-13 03:49:08 UTC - 192.168.15.10:1054 -> 67.212.169.38:80 - ET POLICY Outdated Windows Flash Version IE
2015-06-13 03:49:08 UTC - 67.212.169.38:80 -> 192.168.15.10:1054 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-06-13 03:49:12 UTC - 67.212.169.38:80 -> 192.168.15.10:1054 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-06-13 03:49:12 UTC - 67.212.169.38:80 -> 192.168.15.10:1054 - ET CURRENT EVENTS DRIVEBY Nuclear EK SWF M2
2015-06-13 03:49:12 UTC - 67.212.169.38:80 -> 192.168.15.10:1054 - ET CURRENT EVENTS DRIVEBY Nuclear EK Payload
2015-06-13 03:49:33 UTC - 192.168.15.10:1059 -> 184.154.97.114:49891 - ET TROJAN Win32/Glupteba CnC Checkin
2015-06-13 03:50:26 UTC - 192.168.15.10:1066 -> 173.236.25.26:13208 - ET TROJAN Win32/Glupteba CnC Checkin

Preliminary Malware Analysis

Nuclear EK Flash Exploit

Nuclear EK Malware Payload - Glupteba

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.