Bye Empire, Hello Nebula Exploit Kit.

Nebula Logo

While Empire (RIG-E) disappeared at the end of December after four months of activity,

Illustration of the last month of witnessed activity for Empire

on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

——
Selling EK Nebula
——
Nebula Exploit kit

Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested with popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon…)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

Subscriptions:
24h – 100$
7d – 600$
31d – 2000$

Jabber – nebula-support@xmpp.jp


Offering free tests to trusted users
——

In the same thread, some screenshots were shared by a customer.

Earlier that same day, colleagues at Trend Micro told me they were seeing activity from a group we are following under the name "GamiNook" (illustration coming later) in Japan, redirecting traffic to a variation of Sundown.
"GamiNook" redirecting to a Sundown variation in Japan – 2017-02-17
Payload: Pitou (6f9d71eebe319468927f74b93c820ce4)
This Sundown variation was not so different from the mainstream one.
No "index.php?" in the landing URI and a different domain pattern, but the same landing, exploits, etc. The payload was sent in the clear (no RC4 encoding).
Digging further, it appeared to feature an internal TDS (as Empire did).
The exact same call would give you a different payload in France than in the United Kingdom or Japan.
"GamiNook" traffic with geo in France – 2017-02-17
An identical payload call gives you Gootkit instead of Pitou
Payload: Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)
Note: to be sure that the payload difference is tied to geo and not time based (rotation or the operator changing it), you need to make at least a third pass with the first geo and ensure the dropped sample is identical to the one from the first pass.
At that point you could only suspect this Sundown variant might be Nebula (even if the clues were multiple, a funny one being that the traffic illustrated in the advert thread is quite in line with the one captured in France).
So I was naming that variation Sundown-N. Intel shared by Frank Ruiz (Fox-IT) on the 21st allowed me to know for sure this traffic was indeed Nebula.
In the following days I saw other actors sending traffic to this EK.
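The decision rule from the note above (repeat the first geo before concluding the split is geographic) over a constructed pass log, written here as an added example rather than anything from the post; the function name and the (pass number, geo, hash) record shape are my assumptions, the hashes are the post's own SHA256 values for Pitou and Gootkit:

```python
from collections import defaultdict


def payload_split_cause(passes, reference_geo):
    """Classify why the same landing call drops different payloads.

    passes: (pass_no, geo, sha256) tuples from repeated requests of one URI.
    Returns "geo" when the reference geo is stable across its passes and another
    geo drops a different sample, "time" when the reference geo itself changes
    between passes (rotation or operator swap), otherwise "inconclusive".
    """
    by_geo = defaultdict(list)
    for _, geo, digest in sorted(passes):
        by_geo[geo].append(digest)
    ref = by_geo.get(reference_geo, [])
    if len(ref) < 2 or len(by_geo) < 2:
        return "inconclusive"  # needs a repeat pass in the first geo plus a second geo
    if len(set(ref)) != 1:
        return "time"          # same geo, different sample: not a geo decision
    others = {d for geo, digests in by_geo.items() if geo != reference_geo for d in digests}
    return "geo" if ref[0] not in others else "inconclusive"


# Constructed pass log mirroring the post: JP drops Pitou, FR drops Gootkit, and a
# third pass from JP re-checks the first geo. Hashes are the post's SHA256 values.
PITOU = "b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315c"
GOOTKIT = "6fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8"
OBSERVED = [(1, "JP", PITOU), (2, "FR", GOOTKIT), (3, "JP", PITOU)]

if __name__ == "__main__":
    print(payload_split_cause(OBSERVED, "JP"))  # geo
```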
Taxonomy tied to Nebula Activity in MISP – 2017-03-02
Taxonomy tied to GamiNook traffic activity, EK and resulting payload
Today the URI pattern changed from this morning's:
/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM
/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB
/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM
/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN
/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA
/?z13qMVqqoKRvTw=5S–Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf
/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf
/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM
/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM
/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN
(which is Sundown/Beps without the index.php) to

/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
/2003/01/27/exchange-monday-wilderness
/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
/2006/08/05/fur-copper-shark
/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
/2012/04/22/present-measure-physical-examination

(For those who would like to build their regexp, more patterns are available here: https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI)


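Detection regexes for the two landing shapes listed above, written here as an added example (not taken from the post or from the Nebula_URI file); the shape names and the "random-looking segment" heuristic are my own assumptions, and the sample list is built from URIs quoted in the post plus two benign look-alikes:

```python
import re

# Old landing URIs (Sundown/Beps without index.php): a single query parameter whose
# key and value are URL-safe base64-like tokens, and nothing else in the path.
OLD_LANDING = re.compile(r"^/\?[A-Za-z0-9_-]{6,24}=[A-Za-z0-9_-]{32,}$")

# New landing URIs (2017-03-02) imitate vBulletin, phpBB and WordPress paths placed
# behind random-looking segments (hex, digits or mixed alphanumerics with a digit).
RANDOM_SEGMENT = re.compile(r"/(?=[A-Za-z0-9]*\d)[A-Za-z0-9]{8,}/")
NEW_SHAPES = [
    ("showpost",   re.compile(r"/showpost\.php\?s=[0-9a-f]{32}&p=\d+&postcount=\d+$")),
    ("showthread", re.compile(r"/showthread\.php\?t=\d+&page=\d+$")),
    ("viewtopic",  re.compile(r"/viewtopic\.php\?f=\d+&t=\d+$")),
    ("php-param",  re.compile(r"/[A-Za-z_.]+\.php\?[a-z-]+=[A-Za-z0-9]+$")),
]
PERMALINK = re.compile(r"^/\d{4}/\d{2}/\d{2}/[a-z]+(?:-[a-z]+){1,3}$")


def classify_uri(uri):
    """Label a request path: 'nebula-old', 'nebula-new:<shape>', 'weak:permalink' or 'none'."""
    if OLD_LANDING.match(uri):
        return "nebula-old"
    for name, shape in NEW_SHAPES:
        # the forum-style tails are genuine vBulletin/phpBB formats, so only flag them
        # when they sit behind a random-looking segment, as in the captured traffic
        if shape.search(uri) and RANDOM_SEGMENT.search(uri):
            return "nebula-new:" + name
    if PERMALINK.match(uri):
        return "weak:permalink"  # looks like any blog permalink; needs host context
    return "none"


# Constructed sample: URIs quoted in the post plus two benign look-alikes.
SAMPLE = [
    "/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB",
    "/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8",
    "/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18",
    "/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT",
    "/2003/01/27/exchange-monday-wilderness",
    "/forum/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8",  # plain vBulletin
    "/index.php?id=42",
]

if __name__ == "__main__":
    for uri in SAMPLE:
        print(classify_uri(uri), uri)
```

Because the new shapes copy real forum and blog URL formats, a path match alone will fire on legitimate sites; in practice it should be combined with the host pattern seen in this campaign (dictionary-word subdomains on freshly registered cheap-TLD domains) before alerting.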
Nebula with its new pattern used here to drop Ramnit via malvertising in NA – 2017-03-02
This landing pattern change triggered the publication of this post. Nebula might end up not being a "vapor" EK, but let's wait and see. The only difference from Sundown until today was its internal TDS.
Exploits (medium confidence – might be updated):
CVE-2014-6332 + CVE-2015-0016
CVE-2016-0189 godmode
CVE-2014-8439
CVE-2015-7645
CVE-2016-4117
Files: Nebula_2017-03-02 (2 Fiddler captures – password is malware)
Acknowledgement:
Thanks to Joseph C Chen (Trend Micro), Frank Ruiz (Fox-IT InTELL) and Andrew Komarov (InfoArmor Inc.) for their help on different aspects of this post.
Some IOCs
Date SHA256 Comment
2017/02/17 f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5 Flash exploit (probably CVE-2014-8439)
2017/02/27 be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2ecc Flash exploit (probably CVE-2014-8439)
2017/02/17 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 Flash exploit (probably CVE-2015-7645; sample seen previously in Sundown)
2017/02/17 04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c Flash exploit (probably CVE-2016-4117; sample seen previously in Sundown)
2017/02/17 b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315c Pitou
2017/02/17 6fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8 Gootkit
2017/02/22 1a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64b Ramnit
2017/03/02 6764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4a DiamondFox

Source: Malware don’t need Coffee @ March 2, 2017 at 02:17PM
