Last Updated: 2015-11-24 00:00:15 UTC
by Brad Duncan (Version: 1)
Earlier this month, the BizCN gate actor switched IP addresses for its gate domains to 126.96.36.199/24. Also, as early as Friday 2015-11-20, this actor started sending CryptoWall 4.0 as one of its malware payloads from the Nuclear exploit kit (EK). Until now, I've only associated CryptoWall 4.0 with malicious spam (malspam). This is the first time I've noticed CryptoWall 4.0 sent by an EK.
This diary discusses the recent change in BizCN-registered gates, and we'll look at some examples of CryptoWall 4.0 sent by this actor.
Like some other groups, the BizCN gate actor uses another server to act as a "gate" between the compromised website and its EK server (I explained gate traffic in my previous diary here). I've been calling this criminal group the "BizCN gate actor" because domains it uses for the gate have all been registered through the Chinese registrar BizCN, always with privacy protection [1, 2]. Since July 2015, the BizCN gate actor has most often used Nuclear EK to deliver its malware payloads .
This actor uses dedicated servers for its gate domains. These gate domains tend to stick with one particular hosting provider. At times, the BizCN gate actor will switch hosting providers for its gates, and the IP address block for these gates will change.
Since February 2015, the BizCN gate actor has used a handful of IP addresses in the 188.8.131.52/16 block (Germany - TK Rustelekom LLC) for its gate domains. Earlier this month, the gates moved to 184.108.40.206/24 (Ukraine - PE Fesenko Igor Mikolayovich).
URL patterns for BizCN-registered gate traffic are fairly distinctive, and I was able to find several examples as early as 2015-11-19.
Shown above: Examples of BizCN-registered gate traffic from this actor. Click here for a pcap of the traffic.
A successful infection chain
Let's look at some infection traffic from Saturday 2015-11-21 . The first step in this infection chain? You'll find injected script that points to the BizCN-registered gate in a web page from the compromised website.
In the above image, I've highlighted the unicode that represents a Nuclear EK landing page URL. See the image below to see how I translated it.
The final step of this infection chain? Nuclear EK infects a vulnerable Windows host.
CryptoWall 4.0 sent by the BizCN gate actor
CryptoWall is not the only payload sent by the BizCN gate actor, but it's the most common. On Thursday 2015-11-19 when the BizCN gate actor sent CryptoWall, it was version 3 .
Less than 24 hours later on Friday 2015-11-20, there was a change in CryptoWall sent by this actor . I didn't realize it until another infection the next day . Malware characteristics fit what others have posted about CryptoWall 4.0 [6, 7, 8].
Whether it's version 3.0 or 4.0, CryptoWall sent by the BizCN gate actor is different than CryptoWall sent by other actors. This malware looks like an NSIS installer , and it leaves behind artifacts in the infected user's AppData\Local\Temp directory that I don't see from other samples of CryptoWall.
Although examples of CryptoWall 4.0 have been found since 2015-11-02 , these samples were associated with malicious spam. Until now, I haven't noticed CryptoWall 4.0 from any EKs. And now I've only seen it from the BizCN gate actor.
As recently as Monday 2015-11-23, I saw CryptoWall sent by Angler EK, but it was still at version 3 . Except for Nuclear EK from the BizCN gate actor, none of the other EKs appear to be sending version 4. At least, that's what I've found so far. I fully expect to see CryptoWall 4.0 from other EKs sometime soon.
Below is a list of traffic seen from the BizCN gate actor since Thursday 2015-11-19. It includes links for traffic and malware samples.
(Read: Date/time - Nuclear EK IP address - Nuclear EK domain name - Link)
- 2015-11-19 03:10 UTC - 220.127.116.11 - 16953.falmuemb.xyz (CryptoWall 3.0) - Link
- 2015-11-20 02:50 UTC - 18.104.22.168 - 51649.edindagodl.xyz (CryptoWall 4.0) - Link
- 2015-11-21 02:26 UTC - 22.214.171.124 - 48637930475.kuputster.xyz (CryptoWall 4.0) - Link
- 2015-11-22 18:17 UTC - 126.96.36.199 - 439520.13406.duco-or.xyz (not CryptoWall) - Link
- 2015-11-23 00:40 UTC - 188.8.131.52 - 369504.6210.yani-et.xyz (CryptoWall 4.0) - Link
Since this information is now public, the BizCN gate actor may change tactics. However, unless this actor initiates a drastic change, it can always be found again. I (and other security professionals) will continue to track the BizCN gate actor. Expect another diary on this subject if any significant changes occur.