An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15.
I started writing about this actor in 2014 [1, 2] and recently posted an ISC diary about it on 2015-04-28. I've been calling this group the "BizCN gate actor" because domains used for the gate have all been registered through the Chinese registrar BizCN.
We collected traffic and malware samples related to this actor from Friday 2015-07-03 through Sunday 2015-07-05. This traffic has the following characteristics:
NOTE: For now, Kovter is relatively easy to spot, since it's the only malware I've noticed that updates the infected host's Flash player.
Chain of events
Let's take a closer look at how this happens.
BizCN-registered gate domain
We've found at least four IP addresses hosting the BizCN-registered gate domain. They are:
If you have proxy logs or other records of your HTTP traffic, search for these IP addresses. If you find the referrers, you might discover other websites compromised by this actor.
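One way to run the search described above, as an added example that is not part of the original diary. The gate IPs are RFC 5737 placeholders standing in for the diary's addresses, and the log format, sample lines and the `find_gate_hits` name are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Placeholder gate IPs (RFC 5737 documentation ranges); substitute the
# addresses published in the diary.
GATE_IPS = {"192.0.2.10", "198.51.100.25"}

# Constructed log format (an assumption):
#   time client dest_ip method url status "referer"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

# Constructed sample lines; hostnames use the reserved .example TLD.
SAMPLE_LOG = """\
2015-07-03T14:02:11Z 10.0.0.21 203.0.113.5 GET http://news.example/index.html 200 "-"
2015-07-03T14:02:12Z 10.0.0.21 192.0.2.10 GET http://gate.example/js/main.php?id=1 200 "http://blog.example/post/42"
2015-07-04T09:15:40Z 10.0.0.37 198.51.100.25 GET http://gate2.example/x.php 404 "http://shop.example/cart"
2015-07-04T09:15:41Z 10.0.0.37 203.0.113.9 GET http://cdn.example/a.js 200 "http://shop.example/cart"
2015-07-05T20:31:07Z 10.0.0.21 192.0.2.10 GET http://gate.example/js/main.php?id=7 200 "http://blog.example/about"
malformed line that the parser must skip
2015-07-05T21:00:00Z 10.0.0.44 192.0.2.10 GET http://gate.example/ 404 "-"
"""

def find_gate_hits(lines, gate_ips=GATE_IPS):
    """Return {referrer_host: [(timestamp, client, status, gate_url), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dest"] not in gate_ips:
            continue
        # Do not filter on status: the gate often answers 404 Not Found,
        # and the request still identifies the referring site.
        ref = m["referer"]
        host = urlsplit(ref).hostname if ref not in ("", "-") else None
        hits[host or "(no referrer)"].append(
            (m["ts"], m["client"], int(m["status"]), m["url"]))
    return dict(hits)

if __name__ == "__main__":
    for host, events in sorted(find_gate_hits(SAMPLE_LOG.splitlines()).items()):
        clients = sorted({e[1] for e in events})
        print(f"{host}: {len(events)} gate request(s) from {', '.join(clients)}")
        for ts, client, status, url in events:
            print(f"  {ts} {client} -> {url} [{status}]")
```

Each referrer host in the output is a candidate compromised site to review, and each client address is a host to check for follow-on exploit kit traffic.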
Examples of infection traffic generated from 2015-07-03 through 2015-07-05 all show 184.108.40.206 as the IP address hosting Nuclear EK. This IP address is registered to Vultr, a hosting provider specializing in SSD cloud servers.
The image below shows one of the landing pages sent by Nuclear EK on 2015-07-05.
Next, Nuclear EK sends a Flash exploit as shown below.
Finally, Nuclear EK sends the malware payload. It's obfuscated, and we have the decoded version available in a zip archive (see a link for it near the end of this diary).
Malware sent by this actor
During the three-day period, we infected ten hosts, saw two different Flash exploits, and retrieved five different malware payloads. Most of these payloads were Kovter (ad fraud malware). We also found two other types of malware sent by the BizCN gate actor.
Below are links to reports from hybrid-analysis.com for the individual pieces of malware:
It's usually difficult to generate a full chain of infection traffic from compromised websites associated with this BizCN gate actor. We often see HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all.
We believe the BizCN gate actor will continue to make changes as a way to evade detection. Fortunately, the ISC and other organizations try our best to track these actors, and we'll let you know if we discover any significant changes.
Examples of the traffic and malware can be found at:
As always, the zip file is password-protected with the standard password. If you don't know it, email firstname.lastname@example.org and ask.
Jul 6th 2015
To: Brad Duncan,
Two additional websites have been registered by BizCN.com / Richard Donald:
www.shipuusa.com and logisticsiforwarding.com
Do you know anything about these websites as they relate to ShipU Enterprises LLC, 7501 Mariner Blvd, Spring Hill, Florida, USA?
Sep 3rd 2015
Thanks for the info. However, just because someone used BizCN to register a website doesn't mean it's associated with this particular actor. I'm calling it the "BizCN gate actor" because these domains have specific IP addresses for gate-style traffic. Those domains you listed lead to actual websites (the BizCN gate actor I'm talking about doesn't).
At this point, I couldn't tell you if those domains are malicious or not. I just know they're not tied to this particular actor.
Sep 4th 2015