Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC StormCast for Friday, May 22nd 2015 http://isc.sans.edu/podcastdetail.html?id=4495

Exploit kits delivering Necurs

Published: 2015-05-21
Last Updated: 2015-05-22 01:54:26 UTC
by Brad Duncan (Version: 1)
7 comment(s)

Introduction

In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering malware identified as Necurs.  It certainly isn't the only payload sent from Nuclear and other EKs, but I hadn't really looked into EK traffic sending Necurs lately.

Documented as early as 2012, Necurs is a type of malware that opens a back door on the infected computer [1].  It may also disable antivirus products as well as download additional malware [1][2].

I saw Necurs as a malware payload from Nuclear and Angler EKs last week [3][4].  In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page).

We ran across Nuclear EK delivering Necurs again on 2015-05-20.  In this example, the gate was on 91.121.63.249.

I can't share info on the compromised website that kicked off this infection chain; however, we can look at the rest of the traffic.

Infection traffic details

Associated domains:

  • 91.121.63.249 port 80 - try.jleveux.com - Redirect (gate) to exploit kit
  • 162.247.13.233 port 80 - os.jackmap.com -  Nuclear EK
  • 188.165.138.220 port 80 - 188.165.138.220 - Post-infection HTTP traffic caused by Necurs
  • various IP addresses on various ports - Other post-infection traffic (see below)


Shown above: Emerging Threats-based Snort events on the infection traffic using Security Onion

Redirect (gate) leading to the EK:

  • 2015-05-20 17:03:32 UTC - try.jleveux.com - GET /js/view.js

Nuclear EK:

  • 2015-05-20 17:03:32 UTC - os.jackmap.com - GET /CQEWFR9SHVgRTQkCAlwPAhNNAlgP.html
  • 2015-05-20 17:03:33 UTC - os.jackmap.com - GET /BE8SHwtVFUEeUh9SHVgRTQkCAlwPAhNNAlgPH1VVTwZaVE1VVhlTW1EfUANRUVJXUANTUB8FDQY
  • 2015-05-20 17:03:34 UTC - os.jackmap.com - GET /B14OBh8LV0MUH1IfUEsNEE0JAFQJDgITT1QNDh9VVxlTW1RNVwBMUltRHQZWUFFSVQZWUlAfVEsxIBARBkc
  • 2015-05-20 17:03:36 UTC - os.jackmap.com - GET /B14OBh8LV0MUH1IfHVgRTQkCAlwPAhNNAlgPH1VVTwZaVE1VVhlTW1EfUANRUVJXUANTUB9WHXIAJyE5MHM

HTTP POST requests from the infected host:

  • 2015-05-20 17:03:52 UTC - 188.165.138.220 - POST /forum/db.php
  • 2015-05-20 17:03:53 UTC - 188.165.138.220 - POST /forum/db.php
  • 2015-05-20 17:03:53 UTC - 188.165.138.220 - POST /forum/db.php
  • 2015-05-20 17:04:46 UTC - 188.165.138.220 - POST /forum/db.php

DGA-style DNS requests from the infected host:

  • 2015-05-20 17:03:37 UTC - DNS query for: tihvekkgxvjjstk.com - server response: No such name
  • 2015-05-20 17:03:37 UTC - DNS query for: aywqalevruhie.com - server response: No such name
  • 2015-05-20 17:03:37 UTC - DNS query for: jdwkjeyumdxbc.com - server response: No such name
  • 2015-05-20 17:03:37 UTC - DNS query for: nsktpgiexicpnt.com - server response: No such name
  • 2015-05-20 17:03:38 UTC - DNS query for: npkxghmoru.biz - server response: No such name
  • 2015-05-20 17:04:37 UTC - DNS query for: llncjudabb.com - server response: No such name
  • 2015-05-20 17:04:37 UTC - DNS query for: veqtdpofgjwe.com - server response: No such name
  • 2015-05-20 17:04:37 UTC - DNS query for: acsgneqxcsoyvmc.com - server response: No such name
  • 2015-05-20 17:04:37 UTC - DNS query for: lbvruinysrbpyjr.com - server response: No such name
  • 2015-05-20 17:04:37 UTC - DNS query for: npkxghmoru.biz - server response: No such name

UDP packets sent from the infected host:

  • 2015-05-20 17:03:42 UTC - 192.168.122.202 port 18672 - 95.87.49.120 port 13099
  • 2015-05-20 17:03:47 UTC - 192.168.122.202 port 18672 - 87.69.21.149 port 17931 (return traffic noted)
  • 2015-05-20 17:03:52 UTC - 192.168.122.202 port 18672 - 85.86.36.76 port 9535
  • 2015-05-20 17:04:23 UTC - 192.168.122.202 port 18672 - 123.193.182.220 port 11772
  • 2015-05-20 17:04:33 UTC - 192.168.122.202 port 18672 - 82.210.187.14 port 7309
  • 2015-05-20 17:04:38 UTC - 192.168.122.202 port 18672 - 158.109.235.80 port 8202
  • 2015-05-20 17:04:43 UTC - 192.168.122.202 port 18672 - 93.123.40.76 port 26871
  • 2015-05-20 17:05:48 UTC - 192.168.122.202 port 18672 - 46.35.207.228 port 5844
  • 2015-05-20 17:09:48 UTC - 192.168.122.202 port 18672 - 128.131.102.41 port 15037
  • 2015-05-20 17:10:48 UTC - 192.168.122.202 port 18672 - 79.116.151.17 port 10223
  • 2015-05-20 17:11:48 UTC - 192.168.122.202 port 18672 - 109.245.156.224 port 17975
  • 2015-05-20 17:12:48 UTC - 192.168.122.202 port 18672 - 186.22.5.205 port 28181
  • 2015-05-20 17:13:48 UTC - 192.168.122.202 port 18672 - 197.129.0.92 port 19877
  • 2015-05-20 17:15:48 UTC - 192.168.122.202 port 18672 - 150.217.108.178 port 31812
  • 2015-05-20 17:17:48 UTC - 192.168.122.202 port 18672 - 109.54.13.232 port 5483
  • 2015-05-20 17:19:48 UTC - 192.168.122.202 port 18672 - 2.193.233.219 port 13321

TCP SYN packets sent by the infected host, with no response from the server:

  • 2015-05-20 17:04:28 UTC - 192.168.122.202 port 49158 - 141.20.242.66 port 12592
  • 2015-05-20 17:06:48 UTC - 192.168.122.202 port 49161 - 199.241.229.89 port 16140
  • 2015-05-20 17:08:48 UTC - 192.168.122.202 port 49162 - 190.219.222.57 port 12381
  • 2015-05-20 17:14:48 UTC - 192.168.122.202 port 49163 - 49.205.160.135 port 23582
  • 2015-05-20 17:16:48 UTC - 192.168.122.202 port 49164 - 79.2.157.254 port 8189
  • 2015-05-20 17:18:48 UTC - 192.168.122.202 port 49165 - 77.81.9.120 port 18949

Images from the traffic


Shown above: Link to the gate found in page from the compromised website


Shown above: The gate redirecting traffic to the Nuclear exploit kit landing page


Shown above: Nuclear exploit kit landing page


Shown above: Nuclear exploit kit sends a Flash exploit


Shown above: Nuclear exploit kit sends the malware payload


Shown above: HTTP traffic caused by the malware

Preliminary malware analysis

Malware payload delivered by the Nuclear exploit kit (Necurs)

Additional malware found on the infected host (Necurs-related):

Some of the registry keys for persistence:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C4E6D8D66AF44D3\000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\c4e6d8d66af44d3
  • NOTE:  The same keys were also found in ControlSet001 and ControlSet002

Final words

A pcap of the infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.symantec.com/security_response/writeup.jsp?docid=2012-121212-2802-99
[2] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Necurs
[3] http://malware-traffic-analysis.net/2015/05/14/index3.html
[4] http://malware-traffic-analysis.net/2015/05/15/index.html

 

Keywords:
7 comment(s)
ISC StormCast for Thursday, May 21st 2015 http://isc.sans.edu/podcastdetail.html?id=4493

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS
1 day ago by Brad Duncan (10 comments)

Upatre/Dyre malspam - Subject: eFax message from "unknown"
2 days ago by Brad Duncan (5 comments)

IoT roundup: Apple Watch Patches, Router Vulnerabilities
2 days ago by Dr. J. (0 comments)

False Positive? settings-win.data.microsoft.com resolving to Microsoft Blackhole IP
2 days ago by Dr. J. (3 comments)

Address spoofing vulnerability in Safari Web Browser
3 days ago by Manuel Humberto Santander Pelaacuteez (3 comments)

VENOM - Does it live up to the hype?
6 days ago by Rick (4 comments)

Another Maldoc? I'm Afraid So...
6 days ago by DidierStevens (3 comments)

View All Diaries →

Latest Discussions

Detecting the New Dridex Malware
created 2 hours ago by Mostropi (0 replies)

Deleted Post [Duplicate]
created 2 hours ago by Mostropi (0 replies)

What is the current Vulnerability targeted by Magnitude Exploit?
created 1 day ago by Mostropi (2 replies)

DShield-Top100 sources list vs the ASCII version
created 1 day ago by JamesW (1 reply)

Dshield shows "Rejected: Not an input block line"
created 6 days ago by Telserv (1 reply)

View All Forums →

Latest News

View All News →