The actor using gates registered through BizCN (always with privacy protection) continues using the Nuclear exploit kit (EK) to deliver malware.
My previous diary on this actor documented the actor's switch from Fiesta EK to Nuclear EK in early July 2015 . Since then, the BizCN gate actor briefly switched to Neutrino EK in September 2015 [2, 3]; however, it appears to be using Nuclear EK again.
Our thanks to Paul, who submitted a pcap of traffic by the BizCN gate actor to the ISC.
Paul's pcap showed us a Google search leading to the compromised website. In the image below, you can also see Nuclear EK from zezetap.xyz.
No payload was found in this EK traffic, so the Windows host viewing the compromised website didn't get infected. The Windows host from this pcap was running IE 11, and URLs for the EK traffic stop after the last two HTTP POST requests. These URL patterns are what I've seen every time IE 11 crashes after getting hit with Nuclear EK.
A key thing to remember with the BizCN gate actor is the referer line from the landing page. This will always show the compromised website, and it won't indicate the BizCN-registered gate that gets you there. Paul's pcap didn't include traffic to the BizCN-registered gate, but I found a reference to it in the traffic. Remember, traffic from this actor always has a BizCN-registered gate.
How did I find the gate in this example? First, I checked the referer on the HTTP GET request to the EK's landing page.
That referer should have injected script pointing to the BizCN gate URL, so I exported that referer page from the pcap and save it as a text file.
I searched the HTML text from the compromised website and found the BizCN gate URL as shown below.
The BizCN-registered domain was perolissan.com, and pinging to it showed 126.96.36.199 as the IP address. As usual, domains registered by this actor are privacy-protected.
This completes my flow chart for the BizCN gate actor. The domains associated from Paul's pcap were:
Recently, I've had hard time getting a full chain of infection traffic from the BizCN gate actor. Paul's pcap also had this issue, because there was no payload. However the BizCN gate actor is still active, and many of the compromised websites I've noted in previous diaries [1, 4] are still compromised.
We continue to track the BizCN gate actor, and we'll let you know if we discover any significant changes.
Oct 2nd 2015
3 years ago
Brad - These are a great series of articles your are sharing :)
Very well written and informative material.
They are very timely and relevant to what we are fighting on a daily basis.
Please keep them coming - good stuff!
Oct 3rd 2015
3 years ago