2017-03-02 - Landscape

Bye Empire, Hello Nebula Exploit Kit.

While Empire (RIG-E) disappeared at the end of December 2016 after four months of activity, on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared on an underground forum.

Illustration of the last month of witnessed activity for Empire

------
Selling EK Nebula
------
Nebula Exploit kit

Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested with popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon...)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

Subscriptions:
24h - 100$
7d - 600$
31d - 2000$

Jabber - [email protected]


Offering free tests to trusted users 
------

In the same thread, a customer shared some screenshots.

Earlier that same day, colleagues at Trend Micro told me they were seeing activity in Japan from a group we track under the name "GamiNook" (illustration coming later), redirecting traffic to a variation of Sundown.

"GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17
Payload: Pitou (MD5 6f9d71eebe319468927f74b93c820ce4)

This Sundown variation was not very different from the mainstream one: no "index.php?" in the landing URI and a different domain pattern, but the same landing page, exploits, etc. Some payloads are sent in the clear (01.php), others RC4-encoded (00.php), as with Sundown.

Digging further, it turned out to feature an internal TDS (as Empire did): the exact same payload call returns a different payload depending on whether the request comes from France or from the United Kingdom/Japan.

"GamiNook" traffic with geo in France - 2017-02-17
The identical payload call gives Gootkit instead of Pitou.
Payload: Gootkit (MD5 48ae9a5d10085e5f6a1221cd1eedade6)

Note: to be sure the payload difference is tied to geo rather than to time (a rotation, or the operator changing the payload), you need at least a third pass from the first geo and must check that the dropped sample is identical to the one from the first pass.
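As an added example (my own code, not from the original post and not the kit's), the two payload-side checks implied by the paragraphs above: RC4-decoding a 00.php-style response and validating the result by its PE header, and the three-pass geo test from the note. The RC4 key, the PE skeletons and the hashes are constructed for the demo; the real key is not on this page.

```python
"""Added example (not from the original post): payload-side checks for the
Sundown-N / Nebula traffic described above.

- rc4() and looks_like_pe() handle the 00.php-style response, which is RC4-encoded
  as with Sundown: a candidate key is right when the decrypted bytes carry an
  MZ/PE header. 01.php-style responses come in the clear and validate directly.
- payload_is_geo_dependent() encodes the three-pass rule from the note above:
  only attribute a payload difference to geo when pass 1 and pass 3 (same geo)
  return the same sample and pass 2 (other geo) returns a different one.

The RC4 key, the PE skeletons and the hashes below are constructed for the demo;
the real key is not on the page.
"""
import hashlib
from typing import List, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """An EXE/DLL starts with 'MZ' and has the 'PE\\0\\0' signature at the offset
    stored in e_lfanew (0x3C). Enough to tell a correct RC4 key from a wrong one."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(response: bytes, key: Optional[bytes]) -> Optional[bytes]:
    """Return the PE bytes from a payload response: as-is if it is in the clear
    (01.php style), RC4-decrypted if it validates with `key` (00.php style),
    else None."""
    if looks_like_pe(response):
        return response
    if key is not None:
        plain = rc4(key, response)
        if looks_like_pe(plain):
            return plain
    return None


def payload_is_geo_dependent(passes: List[Tuple[str, str]]) -> str:
    """passes: [(geo, sha256), ...] in the order the calls were made.
    Verdict 'geo' needs geo A, geo B, geo A with hash1 == hash3 != hash2."""
    if len(passes) < 3:
        return "inconclusive: need a third pass from the first geo"
    (g1, h1), (g2, h2), (g3, h3) = passes[:3]
    if g1 == g2 or g1 != g3:
        return "inconclusive: passes must go geo A, geo B, geo A"
    if h1 != h3:
        return "time-based: the same geo returned a different sample"
    if h1 == h2:
        return "not geo-dependent: both geos returned the same sample"
    return "geo: samples differ by geo and are stable within a geo"


# --- constructed sample data (not real Pitou/Gootkit bytes) -----------------
def fake_pe(tag: bytes) -> bytes:
    """Minimal MZ header, e_lfanew = 0x40, then 'PE\\0\\0'; `tag` makes samples differ."""
    return (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
            + b"PE\x00\x00" + tag.ljust(32, b"\x00"))


DEMO_KEY = b"demo-rc4-key"            # hypothetical key, not the kit's
SAMPLE_FR = fake_pe(b"gootkit-like")  # stands in for what the French geo got
SAMPLE_JP = fake_pe(b"pitou-like")    # stands in for what UK/Japan got


def demo():
    sha = lambda b: hashlib.sha256(b).hexdigest()
    in_clear = decode_payload(SAMPLE_JP, None)                      # 01.php style
    decrypted = decode_payload(rc4(DEMO_KEY, SAMPLE_FR), DEMO_KEY)  # 00.php, right key
    wrong_key = decode_payload(rc4(DEMO_KEY, SAMPLE_FR), b"nope")   # 00.php, wrong key
    verdict = payload_is_geo_dependent(
        [("FR", sha(SAMPLE_FR)), ("JP", sha(SAMPLE_JP)), ("FR", sha(SAMPLE_FR))])
    return in_clear == SAMPLE_JP, decrypted == SAMPLE_FR, wrong_key is None, verdict


if __name__ == "__main__":
    print(demo())
```

The PE check is what makes key guessing cheap: you never need to know what the dropped file is, only that the decrypted bytes are a valid executable. The geo helper refuses to give a verdict unless the passes were really made in the A/B/A order, which is the mistake the note warns about.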


At that point one could only suspect that this Sundown variant might be Nebula, although the clues were multiple (a funny one being that the traffic illustrated in the advert thread lines up quite well with the one captured in France).

So I named that variation Sundown-N. Intel shared by Frank Ruiz (Fox-IT) on the 21st confirmed that this traffic was indeed Nebula.

In the following days I saw other actors sending traffic to this EK.
Taxonomy tied to Nebula Activity in MISP - 2017-03-02
Taxonomy tied to GamiNook traffic activity, EK and resulting payload

Today the URI pattern changed from what it was this morning:

/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM
/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB
/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM
/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN
/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA
/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf
/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf
/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM
/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM
/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN

(which is the Sundown/Beps pattern without index.php) to:

/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
/2003/01/27/exchange-monday-wilderness
/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
/2006/08/05/fur-copper-shark
/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
/2012/04/22/present-measure-physical-examination



(For those who would like to build their own regexp, more patterns are available here: https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )
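As an added example (my own code, not from the original post and not the regexp behind the link above), a Python classifier for the two URI shapes listed above, exercised on the URIs quoted in this post. The labels and the length bounds are my reading of those samples, not something the kit documents.

```python
"""Added example (not from the original post): regexes for the two Nebula URI
shapes quoted above, exercised on the URIs from the post itself."""
import re
from collections import Counter
from typing import Optional

# Shape 1 (this morning): Sundown/Beps without index.php. Key and value use the
# base64url alphabet; in all twelve samples the value is exactly 56 characters
# and the key 8 to 18, so the bounds here are loosened only slightly.
OLD = re.compile(r"^/\?[A-Za-z0-9_-]{6,24}=[A-Za-z0-9_-]{48,64}$")

# Shape 2 (from today): vBulletin/phpBB-looking paths and dated blog slugs, with
# random alphanumeric, numeric or hex path elements in front.
SEG = r"[A-Za-z0-9_]+"
HEX32 = r"[0-9a-f]{32}"
NEW = [
    ("forum-showpost",   re.compile(rf"^(?:/{SEG})*/showpost\.php\?s={HEX32}&p=\d+&postcount=\d+$")),
    ("forum-showthread", re.compile(rf"^(?:/{SEG})*/showthread\.php\?t=\d+&page=\d+$")),
    ("forum-viewtopic",  re.compile(rf"^(?:/{SEG})*/viewtopic\.php\?f=\d+&t=\d+$")),
    ("date-slug",        re.compile(r"^/\d{4}/\d{2}/\d{2}/[a-z]+(?:-[a-z]+){2,}$")),
    # comment_post.php?ice=, pr.php?id=, rss.php?cat=, blockStyle.php?last-name=, ...
    ("php-single-param", re.compile(rf"^(?:/{SEG})+/[A-Za-z_.]+\.php\?[A-Za-z-]+=[A-Za-z0-9]+$")),
]


def classify(uri: str) -> Optional[str]:
    """Label a URI as one of the Nebula shapes, or None. Mainstream Sundown's
    /index.php?key=value form is deliberately not matched here."""
    if OLD.match(uri):
        return "nebula-old"
    for label, rx in NEW:
        if rx.match(uri):
            return "nebula-new:" + label
    return None


# URIs exactly as listed in the post (morning pattern, then the new one)
OLD_URIS = [
    "/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM",
    "/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB",
    "/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM",
    "/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN",
    "/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA",
    "/?z13qMVqqoKRvTw=5S--Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf",
    "/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB",
    "/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM",
    "/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf",
    "/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM",
    "/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM",
    "/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN",
]
NEW_URIS = [
    "/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8",
    "/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU",
    "/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4",
    "/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT",
    "/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1",
    "/2003/01/27/exchange-monday-wilderness",
    "/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c",
    "/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7",
    "/2006/08/05/fur-copper-shark",
    "/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7",
    "/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h",
    "/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi",
    "/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1",
    "/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14",
    "/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18",
    "/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361",
    "/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20",
    "/2012/04/22/present-measure-physical-examination",
]


def demo() -> Counter:
    """Label every URI from the post and count the labels."""
    return Counter(classify(u) for u in OLD_URIS + NEW_URIS)


if __name__ == "__main__":
    for label, n in sorted(demo().items(), key=str):
        print(f"{n:3d}  {label}")
```

The morning shape is distinctive enough to alert on by itself. The new one is not: classify() also labels a genuine vBulletin URL such as /forum/showthread.php?t=18024&page=14, which is exactly why the operator chose it. Use the new-shape labels to pivot in proxy logs together with the dictionary-word domain shape and the 93.190.141.x / 188.209.49.x hosts in the IOC table below, not as a standalone block rule.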


Nebula with its new pattern, used here to drop Ramnit via malvertising in NA - 2017-03-02

This landing pattern change is what triggered the publication of this post. Nebula might end up not being a "vapor" EK, but let's wait and see: until today, its only difference from Sundown was its internal TDS.

Exploits:
CVE-2014-6332 + CVE-2015-0016 (VBScript/OLE memory corruption chained with the TS WebProxy directory traversal)
CVE-2013-2551 (Internet Explorer VML)
CVE-2016-0189 "godmode" (Internet Explorer scripting engine)
CVE-2015-8651 (Flash)
CVE-2015-7645 (Flash)
CVE-2016-4117 (Flash)

Files: Nebula_2017-03-02 (2 Fiddler captures - password is "malware")

Acknowledgement :
Thanks to Joseph C Chen and Brooks Li (Trend Micro), Frank Ruiz (Fox-IT InTELL) and Andrew Komarov (InfoArmor Inc.) for their help on different aspects of this post.

Edit:
2017-03-03: corrected some CVE IDs; clarified that not all payloads are sent in the clear.
---
Some IOCs

Date | SHA256 | Comment
2017/02/17 | f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5 | Flash Exploit (CVE-2016-4117)
2017/02/27 | be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2ecc | Flash Exploit (CVE-2016-4117)
2017/02/17 | 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 | Flash Exploit (CVE-2015-7645, sample seen previously in Sundown)
2017/02/17 | 04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c | Flash Exploit (CVE-2015-8651, sample seen previously in Sundown)
2017/02/17 | b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315c | Pitou
2017/02/17 | 6fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8 | Gootkit
2017/02/22 | 1a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64b | Ramnit
2017/03/02 | 6764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4a | DiamondFox


Date | Domain | IP | Comment
2017/02/17 | tci.nhnph.com | 188.209.49.135 | Nebula Payload Domain
2017/02/22 | gnd.lplwp.com | 188.209.49.135 | Nebula Payload Domain
2017/02/24 | qcl.ylk8.xyz | 188.209.49.23 | Nebula Payload Domain
2017/02/28 | hmn.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain
2017/03/02 | qgg.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain
2017/02/17 | agendawedge.shoemakerzippersuccess.stream | 188.209.49.135 | Nebula
2017/02/17 | clausmessage.nationweekretailer.club | 217.23.7.15 | Nebula
2017/02/17 | equipmentparticle.shockadvantagewilderness.club | 217.23.7.15 | Nebula
2017/02/17 | salaryfang.shockadvantagewilderness.club | 217.23.7.15 | Nebula
2017/02/22 | deficitshoulder.lossicedeficit.pw | 188.209.49.135 | Nebula
2017/02/22 | distributionjaw.hockeyopiniondust.club | 188.209.49.135 | Nebula
2017/02/22 | explanationlier.asiadeliveryarmenian.pro | 188.209.49.135 | Nebula
2017/02/23 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/23 | instructionscomposition.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/23 | paymentceramic.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/23 | soldierprice.distributionstatementdiploma.site | 188.209.49.135 | Nebula
2017/02/23 | swissfacilities.gumimprovementitalian.stream | 188.209.49.135 | Nebula
2017/02/23 | transportdrill.facilitiesturkishdipstick.info | 188.209.49.135 | Nebula
2017/02/24 | authorisationmessage.casdfble.stream | 188.209.49.151 | Nebula
2017/02/24 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/24 | departmentant.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/24 | disadvantageproduction.brassreductionquill.site | 188.209.49.151 | Nebula
2017/02/24 | disadvantageproduction.casdfble.stream | 188.209.49.151 | Nebula
2017/02/24 | europin.pedestrianpathexplanation.info | 188.209.49.151 | Nebula
2017/02/24 | hygienicreduction.brassreductionquill.site | 188.209.49.151 | Nebula
2017/02/24 | hygienicreduction.casdfble.stream | 188.209.49.151 | Nebula
2017/02/24 | instructionscomposition.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/24 | jobhate.pedestrianpathexplanation.info | 188.209.49.151 | Nebula
2017/02/24 | limitsphere.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/24 | paymentceramic.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/24 | penaltyinternet.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula
2017/02/24 | phonefall.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula
2017/02/24 | printeroutput.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula
2017/02/24 | redrepairs.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/24 | soldierprice.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/24 | suggestionburn.distributionstatementdiploma.site | 188.209.49.151 | Nebula
2017/02/25 | advertiselaura.bubblecomparisonwar.top | 188.209.49.49 | Nebula
2017/02/25 | apologycattle.gramsunshinesupply.club | 188.209.49.151 | Nebula
2017/02/25 | apologycattle.gramsunshinesupply.club | 188.209.49.49 | Nebula
2017/02/25 | apologycattle.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/25 | apologycold.shearssuccessberry.club | 188.209.49.151 | Nebula
2017/02/25 | authorizationmale.foundationspadeinventory.club | 188.209.49.151 | Nebula
2017/02/25 | birthdayexperience.foundationspadeinventory.club | 188.209.49.151 | Nebula
2017/02/25 | confirmationaustralian.retaileraugustplier.club | 188.209.49.151 | Nebula
2017/02/25 | dancerretailer.shearssuccessberry.club | 188.209.49.151 | Nebula
2017/02/25 | employergoods.deliverycutadvantage.info | 188.209.49.151 | Nebula
2017/02/25 | fallhippopotamus.deliverycutadvantage.info | 188.209.49.151 | Nebula
2017/02/25 | goallicense.shearssuccessberry.club | 188.209.49.151 | Nebula
2017/02/25 | goalpanda.retaileraugustplier.club | 188.209.49.151 | Nebula
2017/02/25 | holidayagenda.retaileraugustplier.club | 188.209.49.151 | Nebula
2017/02/25 | marketsunday.deliverycutadvantage.info | 188.209.49.151 | Nebula
2017/02/25 | penaltyinternet.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula
2017/02/25 | phonefall.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula
2017/02/25 | purposeguarantee.shearssuccessberry.club | 188.209.49.151 | Nebula
2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 188.209.49.151 | Nebula
2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 188.209.49.49 | Nebula
2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/25 | rollinterest.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula
2017/02/25 | startguarantee.gramsunshinesupply.club | 188.209.49.151 | Nebula
2017/02/25 | startguarantee.gramsunshinesupply.club | 188.209.49.49 | Nebula
2017/02/26 | advantagelamp.numberdeficitc-clamp.site | 93.190.141.39 | Nebula
2017/02/26 | apologycattle.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/26 | budgetdegree.maskobjectivebiplane.trade | 93.190.141.200 | Nebula
2017/02/26 | competitionseason.numberdeficitc-clamp.site | 93.190.141.39 | Nebula
2017/02/26 | customergazelle.cyclonesoybeanpossibility.bid | 93.190.141.39 | Nebula
2017/02/26 | decembercommission.divingfuelsalary.trade | 93.190.141.200 | Nebula
2017/02/26 | distributionfile.edgetaxprice.site | 93.190.141.45 | Nebula
2017/02/26 | equipmentwitness.maskobjectivebiplane.trade | 93.190.141.200 | Nebula
2017/02/26 | invoiceburst.cyclonesoybeanpossibility.bid | 93.190.141.39 | Nebula
2017/02/26 | invoicegosling.edgetaxprice.site | 93.190.141.45 | Nebula
2017/02/26 | jailreduction.edgetaxprice.site | 93.190.141.45 | Nebula
2017/02/26 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/26 | startguarantee.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/27 | afforddrill.xzv4rzuctndfo.club | 93.190.141.45 | Nebula
2017/02/27 | approveriver.jsffu2zkt5va.trade | 93.190.141.45 | Nebula
2017/02/27 | burglarsatin.jsffu2zkt5va.trade | 93.190.141.45 | Nebula
2017/02/27 | distributionfile.edgetaxprice.site | 93.190.141.45 | Nebula
2017/02/27 | invoicegosling.edgetaxprice.site | 93.190.141.45 | Nebula
2017/02/27 | jailreduction.edgetaxprice.site | 93.190.141.45 | Nebula
2017/02/27 | lipprice.edgetaxprice.site | 93.190.141.45 | Nebula
2017/02/27 | marginswiss.divingfuelsalary.trade | 93.190.141.200 | Nebula
2017/02/27 | outputfruit.divingfuelsalary.trade | 93.190.141.200 | Nebula
2017/02/27 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/27 | reindeerprofit.divingfuelsalary.trade | 93.190.141.200 | Nebula
2017/02/27 | reminderdonna.divingfuelsalary.trade | 93.190.141.200 | Nebula
2017/02/27 | startguarantee.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/27 | supplyheaven.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/27 | transportbomb.gramsunshinesupply.club | 93.190.141.39 | Nebula
2017/02/28 | afforddrill.xzv4rzuctndfo.club | 93.190.141.45 | Nebula
2017/02/28 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/02/28 | authorparticle.390a20778a68d056c40908025df2fc4e.site | 93.190.141.45 | Nebula
2017/02/28 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/02/28 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/02/28 | burglarsatin.jsffu2zkt5va.trade | 93.190.141.45 | Nebula
2017/02/28 | certificationplanet.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula
2017/02/28 | chooseravioli.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula
2017/02/28 | coachadvantage.reportattackconifer.site | 93.190.141.39 | Nebula
2017/02/28 | databasesilver.reportattackconifer.site | 93.190.141.39 | Nebula
2017/02/28 | date-of-birthtrout.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula
2017/02/28 | dependentswhorl.jsffu2zkt5va.trade | 93.190.141.45 | Nebula
2017/02/28 | derpenquiry.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula
2017/02/28 | domainconsider.mxkznekruoays.trade | 93.190.141.200 | Nebula
2017/03/01 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/03/01 | authorparticle.390a20778a68d056c40908025df2fc4e.site | 93.190.141.45 | Nebula
2017/03/01 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/03/01 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/03/02 | actressheight.knowledgedrugsaturday.club | 93.190.141.45 | Nebula
2017/03/02 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/03/02 | applywholesaler.tboapfmsyu.stream | 93.190.141.200 | Nebula
2017/03/02 | approvepeak.knowledgedrugsaturday.club | 93.190.141.45 | Nebula
2017/03/02 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/03/02 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula
2017/03/02 | borrowfield.77e1084e.pro | 93.190.141.45 | Nebula
2017/03/02 | boydescription.356020817786fb76e9361441800132c9.win | 93.190.141.39 | Nebula
2017/03/02 | buglecommand.textfatherfont.info | 93.190.141.39 | Nebula
2017/03/02 | buysummer.77e1084e.pro | 93.190.141.45 | Nebula
2017/03/02 | captaincertification.77e1084e.pro | 93.190.141.45 | Nebula
2017/03/02 | chargerule.textfatherfont.info | 93.190.141.39 | Nebula
2017/03/02 | cityacoustic.textfatherfont.info | 93.190.141.39 | Nebula
2017/03/02 | clickbarber.356020817786fb76e9361441800132c9.win | 93.190.141.39 | Nebula