One of the interesting events of the past couple of weeks is the re-emergence – if it ever really was gone, which I think we can agree it was not – of the Nuclear exploit kit (NEK). Another is the adversary's increasing emphasis on malvertising. Both are worth examining in this posting, and the question, of course, is whether the two are converging. Ransomware was also much in evidence, but it deserves some time to itself, so we will take that up in a (not-too-distant) future posting. I will point out, though, that NEK is a primary distribution vector for the latest version of CryptoWall, CW 4.0. That alone makes NEK pretty important. A network analysis of the relationships between these entities – and several others – is in Figure 1.
Figure 1 – Relationship Analysis of Ransomware, NEK and Malvertising
A word about this map – or network view – is in order since I will use this frequently to illustrate important connections between various entities that we will discuss in future postings. This is not a true link analysis map. However, it shows the relationships between entities as tracked in Internet media. Sources – besides traditional on-line publications – include blogs, microblogs and published reports as well as social media. This is strictly a measure of the “heat” of a topic on-line and is only one of our resources. However, it is an important one because it gives us pointers to critical information about our particular research topic and it shows very clearly the relationships involved. In short, this resource is so important because it provides context for everything else we examine.
According to Threatpost writer Michael Mimoso (November 25, 2015, 7:00 am), NEK has begun spreading CryptoWall 4.0 through the efforts of an actor using the Chinese ISP BizCN (bizcn.com). OpenDNS shows that – as of 29 November 2015 – there are at least 330 suspicious/malicious domains hosted in that ISP's ASN (133775). The following IP blocks are of particular interest if you are blocking IPs. Keep in mind that these are whole network blocks, not individual bad hosts: check them against your own proxy and firewall logs before you drop them wholesale, since legitimate sites may share the same ranges.
· 218.5.72.0/21
· 218.85.136.0/22
· 117.28.254.0/23
· 120.41.32.0/20
· 125.77.192.0/21
· 218.85.132.0/22
· 117.25.128.0/19
· 222.76.208.0/20
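To make that list actionable, here is an added example of my own (it is not from the Threatpost or ISC write-ups): a short Python script that loads the eight blocks above, checks the destination address of each proxy log line against them, and emits matching iptables rules. The log lines are constructed for the example, and the squid-style field layout and the `OUTPUT` chain are assumptions; adapt both to your own proxy and firewall.

```python
"""Check outbound proxy traffic against the bizCN IP blocks listed above."""
import ipaddress
from urllib.parse import urlparse

# The eight blocks from the list above, as given in the post.
BIZCN_BLOCKS = [ipaddress.ip_network(b) for b in (
    "218.5.72.0/21", "218.85.136.0/22", "117.28.254.0/23", "120.41.32.0/20",
    "125.77.192.0/21", "218.85.132.0/22", "117.25.128.0/19", "222.76.208.0/20",
)]

# Constructed sample log lines (not real traffic), in the squid access.log layout
# this example assumes: timestamp elapsed client action/code size method url ...
# The third and fourth lines sit on either side of the 117.25.128.0/19 boundary.
SAMPLE_LOG = """\
1448784000.123    512 10.0.0.17 TCP_MISS/200 4821 GET http://218.5.75.40/landing.php - HIER_DIRECT/218.5.75.40 text/html
1448784001.456    300 10.0.0.22 TCP_MISS/200 1200 GET http://93.184.216.34/ - HIER_DIRECT/93.184.216.34 text/html
1448784002.789    700 10.0.0.17 TCP_MISS/302 300 GET http://117.25.159.9/x - HIER_DIRECT/117.25.159.9 text/html
1448784003.012    100 10.0.0.31 TCP_MISS/200 9000 GET http://117.25.127.255/ - HIER_DIRECT/117.25.127.255 text/html
1448784004.345    150 10.0.0.31 TCP_MISS/200 2200 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


def block_for(host):
    """Return the listed CIDR block containing `host`, or None.

    Hostnames (not IP literals) return None: this check is IP-only, so a
    domain hosted in one of the ranges is caught only once it is resolved.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in BIZCN_BLOCKS:
        if addr in net:
            return net
    return None


def scan_log(text):
    """Return one hit per log line whose destination falls in a listed block."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        client, url = fields[2], fields[6]
        host = urlparse(url).hostname
        net = block_for(host) if host else None
        if net is not None:
            hits.append({"client": client, "dest": host, "block": str(net)})
    return hits


def iptables_rules(chain="OUTPUT"):
    """Emit one DROP rule per block for the given chain (chain name assumed)."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in BIZCN_BLOCKS]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['dest']} (in {hit['block']})")
    print("\n".join(iptables_rules()))
```

Running it reports two hits (the 218.5.75.40 landing page and 117.25.159.9) and ignores 117.25.127.255, which is one address below the /19. The `block_for` function is the piece to reuse: feed it the resolved addresses from your DNS logs as well, since the hostnames in the original URLs will not match an IP list.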
An excellent technical description by Brad Duncan at the Internet Storm Center (see https://isc.sans.edu/diary/BizCN+gate+actor+sends+CryptoWall+4.0/20409) is available for those who want to see the internals of the attack.
One of the providers of NEK is an actor going by the handle msb. He has added an Adobe buffer overflow to the kit, and NEK now targets the following vulnerabilities, which span Adobe Reader, Microsoft Silverlight, Internet Explorer and Adobe Flash Player, so any system missing the corresponding patch is exposed:
· CVE-2010-0188 (Adobe Reader/Acrobat)
· CVE-2013-0074 (Silverlight)
· CVE-2013-2551 (Internet Explorer)
· CVE-2013-7331 (Internet Explorer)
· CVE-2014-0515 (Flash Player)
· CVE-2014-0556 (Flash Player)
· CVE-2014-0569 (Flash Player)
I leave it to you to research the vulnerabilities and check your patch inventory against each of them. msb rents his NEK at rates that buy up to 600 hits per minute, and he supplies the domains, presumably on bullet-proof hosting.
Nuclear Exploit Kit – around in one form or other since 2009 and still in wide use – is a drive-by exploitation framework: it exploits the visitor's browser or a plugin, and its real job is to download and run some other piece of malware, the payload. Historically, NEK has been closely tied to the Andromeda bot net, a downloader that has been around since 2011, and Andromeda, of course, spreads a good deal of other malware as well. In March of this year actor shabir announced that he was adding a resident loader to Andromeda and was working with ar3s, the actor who created Andromeda originally. In his sales posting, shabir said, “On the basis of this product, you can build a botnet with infinitely diverse opportunities.” According to my resource, this information is usually reliable and probably true.
Why does all of this history matter? As you set up your AV tools you should be aware that these malware families morph constantly and that your anti-malware product may not catch everything. For that reason it often is a good idea to run more than one AV product. It is also useful to know the components of a given attack so that you can check for all of them: while they may look like independent pieces, where one is present there is a good chance one or more of the others are too. Therefore, when you find CryptoWall 4.0 in your enterprise and are cleaning up, you need to find out how it got in in the first place – the exploit kit landing page in your proxy logs, the loader that fetched the payload – or it will simply come back.
Knowing a bit about the interactions of the actors involved can help with that. And what about malvertising? Well, that is a frequent primary infection vector, especially for NEK.
So…. Until next time….
--Dr. S