Introduction

In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering malware identified as Necurs. It certainly isn't the only payload sent from Nuclear and other EKs, but I hadn't really looked into EK traffic sending Necurs lately. Documented as early as 2012, Necurs is a type of malware that opens a back door on the infected computer [1]. It may also disable antivirus products as well as download additional malware [1][2]. I saw Necurs as a malware payload from Nuclear and Angler EKs last week [3][4]. In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page). We ran across Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 91.121.63.249. I can't share info on the compromised website that kicked off this infection chain; however, we can look at the rest of the traffic.

Infection traffic details

Associated domains:
Redirect (gate) leading to the EK:
Nuclear EK:
HTTP POST requests from the infected host:
DGA-style DNS requests from the infected host:
UDP packets sent from the infected host:
TCP SYN packets sent by the infected host, with no response from the server:
Images from the traffic
Preliminary malware analysis

Malware payload delivered by the Nuclear exploit kit (Necurs):
Additional malware found on the infected host (Necurs-related):
Some of the registry keys for persistence:
Final words

A pcap of the infection traffic is available at: A zip file of the associated malware is available at: The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

References:
[1] http://www.symantec.com/security_response/writeup.jsp?docid=2012-121212-2802-99

Brad, ISC Handler, May 22nd 2015
Excellent analysis. Thank you.
MD, May 21st 2015
Brad,
I am starting to teach myself how to analyze traffic like you have shown here. Would it be possible for you to document how you go about finding these items inside the pcap? This would be a great help to those of us just starting out. Thank you.

Tri0x, May 21st 2015
Do you know the reason for the failed DNS requests?
Is it possible that the malware first tries to connect to some kind of C&C server via these domains and then, after the requests fail, falls back to hardcoded IP addresses?

moritz, May 21st 2015
Tri0x,
I've got a few traffic analysis exercises on my blog site, and in some of those, I document how to get at some of the answers. Hopefully that should help.

Brad (ISC Handler), May 21st 2015
moritz,
Those failed DNS requests are common for Domain Generation Algorithm (DGA) style requests for C2 nodes used by the criminals. You'll often see those failed DNS requests, as an infected host runs through a bunch of those until it connects with a server using one of those DGA domains that's up and running. In this case, none of the domains worked. I've seen traffic to hardcoded IP addresses even after the infected host successfully connects to a DGA-based domain.

Brad (ISC Handler), May 21st 2015
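As an added illustration of the DGA pattern Brad describes above (this is editorial example code, not from the diary, the pcap, or ISC), the following Python flags a source host that receives many NXDOMAIN answers for high-entropy names within a short window, which is what "running through a bunch of domains until one resolves" looks like in a DNS log. The log format, hostnames and IP addresses are constructed for the example.

```python
"""Flag hosts that burn through many unresolvable, random-looking domains
(the DGA-style failed DNS pattern described above).  Constructed example."""
from collections import defaultdict
from datetime import datetime, timedelta
import math

# Constructed sample log, one "timestamp src query rcode" record per line.
# Not taken from the diary's pcap; 10.0.0.5 plays the infected host.
SAMPLE_LOG = """\
2015-05-20T14:01:02 10.0.0.5 www.example.com NOERROR
2015-05-20T14:01:05 10.0.0.5 qkxzvhmtrwpj.net NXDOMAIN
2015-05-20T14:01:06 10.0.0.5 bwuerplnvqac.com NXDOMAIN
2015-05-20T14:01:06 10.0.0.5 ykfmdjrtcwos.biz NXDOMAIN
2015-05-20T14:01:07 10.0.0.5 hqrvlmzxtnep.org NXDOMAIN
2015-05-20T14:01:08 10.0.0.5 pcjdtvnwrbfk.info NXDOMAIN
2015-05-20T14:01:09 10.0.0.5 zmlrxwhqgtvk.net NXDOMAIN
2015-05-20T14:02:30 10.0.0.7 mail.example.org NOERROR
2015-05-20T14:02:31 10.0.0.7 typo-exampel.com NXDOMAIN
"""

def parse(log):
    """Yield (timestamp, source IP, query name, response code) tuples."""
    for line in log.splitlines():
        ts, src, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), src, qname.lower(), rcode

def label_entropy(qname):
    """Shannon entropy (bits) of the leftmost label; random labels score high."""
    label = qname.split(".")[0]
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def find_dga_hosts(log, window=timedelta(minutes=5), min_failures=5, min_entropy=3.0):
    """Return {src: distinct failed high-entropy names} for hosts whose
    failures cluster inside one sliding window of length `window`."""
    failures = defaultdict(list)  # src -> [(timestamp, qname), ...]
    for ts, src, qname, rcode in parse(log):
        if rcode == "NXDOMAIN" and label_entropy(qname) >= min_entropy:
            failures[src].append((ts, qname))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {q for t, q in events[i:] if t - start <= window}
            if len(in_window) >= min_failures:
                flagged[src] = len(in_window)
                break  # one qualifying window is enough to flag the host
    return flagged

if __name__ == "__main__":
    print(find_dga_hosts(SAMPLE_LOG))  # {'10.0.0.5': 6}
```

The single typo-style NXDOMAIN from 10.0.0.7 is not flagged because it never reaches the per-window failure count, which is the point of counting clustered failures rather than alerting on any one failed lookup.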
I concur. Great learning tool without opacity. Thank you Brad! I will be using this in my security meeting tomorrow.
Regards.

ICI2I, May 21st 2015
Brad,
Thanks for the insight!

moritz, May 21st 2015
As usual: MOSTLY HARMLESS!
On properly configured systems -- where users are (unprivileged) users, not (even "protected") administrators -- execution of the malware payload is inhibited with AppLocker or software restriction policies. Only fools who still run as administrators will have their systems infected.

Anonymous, May 24th 2015