Last Updated: 2015-08-21 13:15:47 UTC
by Brad Duncan (Version: 1)
According to a 2014 report by ESET, Windigo is the code name for an ongoing operation that started as early as 2011. As noted in the report, legitimate traffic to servers compromised by the Windigo group is redirected to an exploit kit (EK). If the Windows client is vulnerable, it is infected by the EK.
In December 2014, the Windigo group started using Nuclear EK to deliver its payload. Kafeine first tweeted about this in December, and I posted a few blog entries covering Operation Windigo in the following months [3, 4, 5, 6, 7].
As summer draws to a close, I've seen less traffic from the Windigo group. It's still active, but I haven't found it at all in recent weeks. Fortunately, today (Friday, 2015-08-21) I was lucky enough to encounter a website compromised by the Windigo group. It kicked off a chain of events leading to Nuclear EK.
This diary examines the infection traffic.
Last month, a reader informed me that forum.tramedibeautiful.com may be compromised. When I first checked, the website redirected to myfilestore.com, and I didn't see any EK traffic.
Today I tried forum.tramedibeautiful.com and saw the same redirect, but this time myfilestore.com led to Nuclear EK. Based on the traffic, you'll find myfilestore.com was compromised by the Windigo group and is redirecting to Nuclear EK.
See the image below for the HTTP traffic generated by this infection chain of events. Traffic to 220.127.116.11 is a Cushion-style redirect and Nuclear EK used by the Windigo group. Post-infection traffic to 18.104.22.168 over TCP port 17326 and 22.214.171.124 over TCP port 49053 was caused by Glupteba malware sent from the EK.
A key indicator for Operation Windigo is the EmergingThreats (ET) alert ET CURRENT_EVENTS Cushion Redirection (sid:2017552). I replayed a pcap of the infection traffic in Security Onion using Suricata with the ET open rule set. In the image below, we find alerts associated with Nuclear EK traffic caused by the Windigo group.
I also used the latest version of Snort (126.96.36.199) with the Snort registered rule set to read the pcap. The results show several alerts for post-infection traffic we typically see with malware used by the Windigo group.
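One way to triage a replay like this from Suricata's EVE JSON log, as an added example that is not part of the original diary: it finds clients that triggered the Cushion Redirection sid and lists their later outbound TCP flows to non-web ports. The sample records, the `HOME_NET` range, the `WEB_PORTS` set and the function names are assumptions constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime

CUSHION_SID = 2017552  # ET CURRENT_EVENTS Cushion Redirection, the sid named in the diary
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: monitored client range
WEB_PORTS = {80, 443}  # assumption: ports treated as ordinary web traffic

# Constructed EVE records (not taken from the diary's pcap); external addresses are
# documentation ranges. Ports 17326 and 49053 are the post-infection ports in the diary.
SAMPLE_EVE = """
{"timestamp":"2015-08-21T12:00:09.000000+0000","event_type":"flow","src_ip":"10.1.1.5","dest_ip":"198.51.100.20","dest_port":17326,"proto":"TCP","flow":{"start":"2015-08-21T12:00:05.000000+0000"}}
{"timestamp":"2015-08-21T12:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"10.1.1.5","dest_port":49201,"proto":"TCP","alert":{"signature_id":2017552,"signature":"ET CURRENT_EVENTS Cushion Redirection"}}
{"timestamp":"2015-08-21T12:00:12.000000+0000","event_type":"flow","src_ip":"10.1.1.5","dest_ip":"198.51.100.21","dest_port":49053,"proto":"TCP","flow":{"start":"2015-08-21T12:00:07.000000+0000"}}
{"timestamp":"2015-08-21T12:00:03.000000+0000","event_type":"flow","src_ip":"10.1.1.5","dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","flow":{"start":"2015-08-21T12:00:02.000000+0000"}}
{"timestamp":"2015-08-21T12:00:08.000000+0000","event_type":"flow","src_ip":"10.1.1.9","dest_ip":"198.51.100.20","dest_port":17326,"proto":"TCP","flow":{"start":"2015-08-21T12:00:06.000000+0000"}}
{"timestamp":"2015-08-21T12:00:04.000000+0000","event_type":"flow","src_ip":"10.1.1.5","dest_ip":"198.51.100.30","dest_port":8080,"proto":"TCP","flow":{"start":"2015-08-21T11:59:50.000000+0000"}}
"""

def event_time(rec):
    """Flow records are logged when the flow ends, so prefer flow.start when present."""
    stamp = rec.get("flow", {}).get("start", rec["timestamp"])
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f%z")

def internal_host(rec):
    """Return whichever endpoint of the record lies inside HOME_NET, else None."""
    for key in ("src_ip", "dest_ip"):
        if rec.get(key) and ipaddress.ip_address(rec[key]) in HOME_NET:
            return rec[key]
    return None

def triage(eve_text):
    """Map each client that hit the Cushion sid to its later non-web outbound TCP flows."""
    records = [json.loads(line) for line in eve_text.splitlines() if line.strip()]
    hits = {}
    for rec in sorted(records, key=event_time):
        host = internal_host(rec)
        if host is None:
            continue
        if rec["event_type"] == "alert" and rec["alert"]["signature_id"] == CUSHION_SID:
            hits.setdefault(host, [])
        elif (rec["event_type"] == "flow" and host in hits and rec["src_ip"] == host
              and rec["proto"] == "TCP" and rec["dest_port"] not in WEB_PORTS):
            hits[host].append((rec["dest_ip"], rec["dest_port"]))
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE_EVE))
```

The flow to port 8080 is excluded because it started before the alert, even though Suricata logged it afterwards; the flow from 10.1.1.9 is excluded because that client never triggered the redirect rule.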
Don't know why I haven't been seeing as much Windigo group Nuclear EK lately. Maybe this actor is on the decline. Others may have more visibility on this.
Traffic and malware from the analysis are listed below:
- A pcap of the Friday 2015-08-20 Windigo group Nuclear EK traffic is here.
- A zip archive containing associated malware and artifacts is available here.
The zip archive is password-protected with the standard password. If you don't know it, email firstname.lastname@example.org and ask.