Introduction Earlier this month, the BizCN gate actor switched IP addresses for its gate domains to 46.172.83.0/24. Also, as early as Friday 2015-11-20, this actor started sending CryptoWall 4.0 as one of its malware payloads from the Nuclear exploit kit (EK). Until now, I've only associated CryptoWall 4.0 with malicious spam (malspam). This is the first time I've noticed CryptoWall 4.0 sent by an EK. This diary discusses the recent change in BizCN-registered gates, and we'll look at some examples of CryptoWall 4.0 sent by this actor. The gates Like some other groups, the BizCN gate actor uses another server to act as a "gate" between the compromised website and its EK server (I explained gate traffic in my previous diary here). I've been calling this criminal group the "BizCN gate actor" because domains it uses for the gate have all been registered through the Chinese registrar BizCN, always with privacy protection [1, 2]. Since July 2015, the BizCN gate actor has most often used Nuclear EK to deliver its malware payloads [2].
This actor uses dedicated servers for its gate domains. These gate domains tend to stick with one particular hosting provider. At times, the BizCN gate actor will switch hosting providers for its gates, and the IP address block for these gates will change. Since February 2015, the BizCN gate actor has used a handful of IP addresses in the 136.243.0.0/16 block (Germany - TK Rustelekom LLC) for its gate domains. Earlier this month, the gates moved to 46.172.83.0/24 (Ukraine - PE Fesenko Igor Mikolayovich). URL patterns for BizCN-registered gate traffic are fairly distinctive, and I was able to find several examples as early as 2015-11-19.
A successful infection chain Let's look at some infection traffic from Saturday 2015-11-21 [3]. The first step in this infection chain? You'll find injected script that points to the BizCN-registered gate in a web page from the compromised website.
URL patterns in HTTP GET requests to these gate domains are fairly distinctive. What's the second step for this successful infection chain? An HTTP GET request to the gate domain returned some javascript.
The javascript was sent gzip-compressed, so you won't be able to read it in a pcap by following the TCP stream in Wireshark. I normally get a decompressed copy from the pcap by exporting HTTP objects in Wireshark.
In the above image, I've highlighted the unicode that represents a Nuclear EK landing page URL. See the image below to see how I translated it.
The final step of this infection chain? Nuclear EK infects a vulnerable Windows host.
CryptoWall 4.0 sent by the BizCN gate actor CryptoWall is not the only payload sent by the BizCN gate actor, but it's the most common. On Thursday 2015-11-19 when the BizCN gate actor sent CryptoWall, it was version 3 [4].
Less than 24 hours later on Friday 2015-11-20, there was a change in CryptoWall sent by this actor [5]. I didn't realize it until another infection the next day [3]. Malware characteristics fit what others have posted about CryptoWall 4.0 [6, 7, 8].
Whether it's version 3.0 or 4.0, CryptoWall sent by the BizCN gate actor is different than CryptoWall sent by other actors. This malware looks like an NSIS installer [9], and it leaves behind artifacts in the infected user's AppData\Local\Temp directory that I don't see from other samples of CryptoWall.
Final words Although examples of CryptoWall 4.0 have been found since 2015-11-02 [10], these samples were associated with malicious spam. Until now, I haven't noticed CryptoWall 4.0 from any EKs. And now I've only seen it from the BizCN gate actor. As recently as Monday 2015-11-23, I saw CryptoWall sent by Angler EK, but it was still at version 3 [9]. Except for Nuclear EK from the BizCN gate actor, none of the other EKs appear to be sending version 4. At least, that's what I've found so far. I fully expect to see CryptoWall 4.0 from other EKs sometime soon. Below is a list of traffic seen from the BizCN gate actor since Thursday 2015-11-19. It includes links for traffic and malware samples. (Read: Date/time - Nuclear EK IP address - Nuclear EK domain name - Link)
Since this information is now public, the BizCN gate actor may change tactics. However, unless this actor initiates a drastic change, it can always be found again. I (and other security professionals) will continue to track the BizCN gate actor. Expect another diary on this subject if any significant changes occur. --- References: [1] https://isc.sans.edu/forums/diary/BizCN+gate+actor+changes+from+Fiesta+to+Nuclear+exploit+kit/19875/ |
Brad 435 Posts ISC Handler Nov 24th 2015 |
Thread locked Subscribe |
Nov 24th 2015 6 years ago |
How did you know which section of unicode to decrypt?
|
Anonymous |
Quote |
Nov 24th 2015 6 years ago |
Process of elimination. When I first ran across this, I decoded it all and found it easily enough. Hexadecimal for http is: 68 74 74 70. The unicode would be \u0068\u0074\u0074\u0070. If you run across this stuff often enough, you start to get a feel for it.
|
Brad 435 Posts ISC Handler |
Quote |
Nov 24th 2015 6 years ago |
The netblock 136.243.0.0/16 is assigned to Hetzner AG, not RUS(sian) Telekom.
Regarding NSIS: its author should use his copyright to sue the actors. Even chinese authorities may act then. |
Anonymous |
Quote |
Nov 24th 2015 6 years ago |
Thanks for the feedback!
Although the ASN for the entire block shows Hetzner AG, the IP addresses I've found for the BizCN gate actor are part of sub-blocks all assigned to Rustelekom LLC. From whois.domaintools.com: inetnum: 136.243.25.240 - 136.243.25.247 netname: TK-RUSTELEKOM-LLC descr: TK Rustelekom LLC country: DE inetnum: 136.243.224.8 - 136.243.224.15 netname: TK-RUSTELEKOM-LLC descr: TK Rustelekom LLC country: DE Here are links to whois info on some of the BizCN gate IP addresses I'd seen lately before the change. whois.domaintools.com/… whois.domaintools.com/… whois.domaintools.com/… whois.domaintools.com/… whois.domaintools.com/… whois.domaintools.com/… As for attribution, the BizCN gate actor is likely Chinese, but that alone isn't enough for 100% attribution to a Chinese group. Granted, the registration site bizcn.com is a Chinese language site, and I think it's likely the actors behind this are Chinese. However, there might be ways non-Chinese-language speakers might be able to register, so we cannot rule that out. Interesting idea about the Chinese authorities. If this threat actor is Chinese (which I agree seems likely), I wonder how quickly Chinese authorities would act on the copyright issue, should the folks behind NSIS pursue the matter. Thanks again, - Brad |
Brad 435 Posts ISC Handler |
Quote |
Nov 24th 2015 6 years ago |
Quoting Brad:As for attribution, the BizCN gate actor is likely Chinese, but that alone isn't enough for 100% attribution to a Chinese group. Granted, the registration site www.bizcn.com is a Chinese language site, and I think it's likely the actors behind this are Chinese. However, there might be ways non-Chinese-language speakers might be able to register, so we cannot rule that out. Correct. The idea is but to let the resp. authorities take steps against these criminals. Step 1: let the registrar reveal the identity of the domain owner(s). Quoting Brad:Interesting idea about the Chinese authorities. If this threat actor is Chinese (which I agree seems likely), I wonder how quickly Chinese authorities would act on the copyright issue, should the folks behind NSIS pursue the matter. They did that for another instance of abuse, with the help of the Software Freedom Law Foundation, albeit without success: http://kichik.com/2008/02/08/mediacentric/ |
Anonymous |
Quote |
Nov 24th 2015 6 years ago |
As usual: MOSTLY HARMLESS!
http://home.arcor.de/skanthak/SAFER.html and http://mechbgon.com/srp tell how to protect yourself against (not just) this threat. |
Anonymous |
Quote |
Nov 24th 2015 6 years ago |
Thanks for the additional info.
It looks like the BizCN registrar has been taking care of some issues, at least with fake pharmacy sites. blog.legitscript.com/2015/09/chinese-registrar-bizcn-taking-stand-against-dangerous-fake-drug-sites/ |
Brad 435 Posts ISC Handler |
Quote |
Nov 24th 2015 6 years ago |
Quoting Brad:It looks like the BizCN registrar has been taking care of some issues, at least with fake pharmacy sites. Good. Now if someone could take care of 220.164.140.186: almost all spam not bounced by my providers refers to *.ru domains resolving to 220.164.140.186. |
Anonymous |
Quote |
Nov 24th 2015 6 years ago |
I'm curious if you you blocked any of the requests from going out? What I see is that although it uses the 46.x.x.x IP exactly twice as much as the others, I have 9 other Euro IP addresses that it's trying to reach out on. But I was blocking the outgoing POST.
|
Anonymous |
Quote |
Dec 2nd 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!