Nebula logo

While Empire (RIG-E) disappeared at the end of December after four months of activity, on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

Illustration of the last month of witnessed activity for Empire
——
Selling EK Nebula
——
Nebula Exploit kit
Features:
- Automatic domain scanning and generating (99% FUD)
- API rotator domains
- Exploit rate tested in different traffic goes up to 8/19%
- Knock rate tested with popular botnet goes up to 30/70%
- Clean and modern user interface
- Custom domains & server (add & point your own domains coming soon…)
- Unlimited flows & files
- Scan file & domains
- Multiple payload file types supported (exe, dll, js, vbs)
- Multi. geo flow (split loads by country & file)
- Remote file support (check every 1 minute if file hash changed; if changed, replace) for automatic crypting
- Public stats by file & flow
- Latest CVE-2016 CVE-2017
- Custom features: just ask support
Subscriptions:
24h – 100$
7d – 600$
31d – 2000$
Jabber – nebula-support@xmpp.jp
Offering free tests to trusted users
——
In the same thread, some screenshots were shared by a customer.

“GamiNook” redirecting to a Sundown variation in Japan – 2017-02-17. Payload: Pitou (6f9d71eebe319468927f74b93c820ce4)

“GamiNook” traffic with geo in France – 2017-02-17. An identical payload call gives you Gootkit instead of Pitou. Payload: Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)

Taxonomy tied to Nebula activity in MISP – 2017-03-02

Taxonomy tied to GamiNook traffic activity, EK and resulting payload
(For those who would like to build their own regexps, more patterns are available here: https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )

Nebula with its new pattern, used here to drop Ramnit via malvertising in NA – 2017-03-02
CVE-2013-2551
2017-03-03: Corrected some CVE IDs; not all payloads are delivered in the clear.
—
Date | Sha256 | Comment |
---|---|---|
2017/02/17 | f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5 | Flash Exploit (CVE-2016-4117) |
2017/02/27 | be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2ecc | Flash Exploit (CVE-2016-4117) |
2017/02/17 | 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 | Flash Exploit (CVE-2015-7645; sample seen previously in Sundown) |
2017/02/17 | 04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c | Flash Exploit (CVE-2015-8651; sample seen previously in Sundown) |
2017/02/17 | b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315c | Pitou |
2017/02/17 | 6fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8 | Gootkit |
2017/02/22 | 1a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64b | Ramnit |
2017/03/02 | 6764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4a | DiamondFox |

Date | Domain | IP | Comment |
---|---|---|---|
2017/02/17 | tci.nhnph.com | 188.209.49.135 | Nebula Payload Domain |
2017/02/22 | gnd.lplwp.com | 188.209.49.135 | Nebula Payload Domain |
2017/02/24 | qcl.ylk8.xyz | 188.209.49.23 | Nebula Payload Domain |
2017/02/28 | hmn.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain |
2017/03/02 | qgg.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain |
2017/02/17 | agendawedge.shoemakerzippersuccess.stream | 188.209.49.135 | Nebula |
2017/02/17 | clausmessage.nationweekretailer.club | 217.23.7.15 | Nebula |
2017/02/17 | equipmentparticle.shockadvantagewilderness.club | 217.23.7.15 | Nebula |
2017/02/17 | salaryfang.shockadvantagewilderness.club | 217.23.7.15 | Nebula |
2017/02/22 | deficitshoulder.lossicedeficit.pw | 188.209.49.135 | Nebula |
2017/02/22 | distributionjaw.hockeyopiniondust.club | 188.209.49.135 | Nebula |
2017/02/22 | explanationlier.asiadeliveryarmenian.pro | 188.209.49.135 | Nebula |
2017/02/23 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
2017/02/23 | instructionscomposition.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
2017/02/23 | paymentceramic.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
2017/02/23 | soldierprice.distributionstatementdiploma.site | 188.209.49.135 | Nebula |
2017/02/23 | swissfacilities.gumimprovementitalian.stream | 188.209.49.135 | Nebula |
2017/02/23 | transportdrill.facilitiesturkishdipstick.info | 188.209.49.135 | Nebula |
2017/02/24 | authorisationmessage.casdfble.stream | 188.209.49.151 | Nebula |
2017/02/24 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
2017/02/24 | departmentant.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
2017/02/24 | disadvantageproduction.brassreductionquill.site | 188.209.49.151 | Nebula |
2017/02/24 | disadvantageproduction.casdfble.stream | 188.209.49.151 | Nebula |
2017/02/24 | europin.pedestrianpathexplanation.info | 188.209.49.151 | Nebula |
2017/02/24 | hygienicreduction.brassreductionquill.site | 188.209.49.151 | Nebula |
2017/02/24 | hygienicreduction.casdfble.stream | 188.209.49.151 | Nebula |
2017/02/24 | instructionscomposition.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
2017/02/24 | jobhate.pedestrianpathexplanation.info | 188.209.49.151 | Nebula |
2017/02/24 | limitsphere.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
2017/02/24 | paymentceramic.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
2017/02/24 | penaltyinternet.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
2017/02/24 | phonefall.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
2017/02/24 | printeroutput.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
2017/02/24 | redrepairs.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
2017/02/24 | soldierprice.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
2017/02/24 | suggestionburn.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
2017/02/25 | advertiselaura.bubblecomparisonwar.top | 188.209.49.49 | Nebula |
2017/02/25 | apologycattle.gramsunshinesupply.club | 188.209.49.151 | Nebula |
2017/02/25 | apologycattle.gramsunshinesupply.club | 188.209.49.49 | Nebula |
2017/02/25 | apologycattle.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/25 | apologycold.shearssuccessberry.club | 188.209.49.151 | Nebula |
2017/02/25 | authorizationmale.foundationspadeinventory.club | 188.209.49.151 | Nebula |
2017/02/25 | birthdayexperience.foundationspadeinventory.club | 188.209.49.151 | Nebula |
2017/02/25 | confirmationaustralian.retaileraugustplier.club | 188.209.49.151 | Nebula |
2017/02/25 | dancerretailer.shearssuccessberry.club | 188.209.49.151 | Nebula |
2017/02/25 | employergoods.deliverycutadvantage.info | 188.209.49.151 | Nebula |
2017/02/25 | fallhippopotamus.deliverycutadvantage.info | 188.209.49.151 | Nebula |
2017/02/25 | goallicense.shearssuccessberry.club | 188.209.49.151 | Nebula |
2017/02/25 | goalpanda.retaileraugustplier.club | 188.209.49.151 | Nebula |
2017/02/25 | holidayagenda.retaileraugustplier.club | 188.209.49.151 | Nebula |
2017/02/25 | marketsunday.deliverycutadvantage.info | 188.209.49.151 | Nebula |
2017/02/25 | penaltyinternet.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
2017/02/25 | phonefall.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
2017/02/25 | purposeguarantee.shearssuccessberry.club | 188.209.49.151 | Nebula |
2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 188.209.49.151 | Nebula |
2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 188.209.49.49 | Nebula |
2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/25 | rollinterest.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
2017/02/25 | startguarantee.gramsunshinesupply.club | 188.209.49.151 | Nebula |
2017/02/25 | startguarantee.gramsunshinesupply.club | 188.209.49.49 | Nebula |
2017/02/26 | advantagelamp.numberdeficitc-clamp.site | 93.190.141.39 | Nebula |
2017/02/26 | apologycattle.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/26 | budgetdegree.maskobjectivebiplane.trade | 93.190.141.200 | Nebula |
2017/02/26 | competitionseason.numberdeficitc-clamp.site | 93.190.141.39 | Nebula |
2017/02/26 | customergazelle.cyclonesoybeanpossibility.bid | 93.190.141.39 | Nebula |
2017/02/26 | decembercommission.divingfuelsalary.trade | 93.190.141.200 | Nebula |
2017/02/26 | distributionfile.edgetaxprice.site | 93.190.141.45 | Nebula |
2017/02/26 | equipmentwitness.maskobjectivebiplane.trade | 93.190.141.200 | Nebula |
2017/02/26 | invoiceburst.cyclonesoybeanpossibility.bid | 93.190.141.39 | Nebula |
2017/02/26 | invoicegosling.edgetaxprice.site | 93.190.141.45 | Nebula |
2017/02/26 | jailreduction.edgetaxprice.site | 93.190.141.45 | Nebula |
2017/02/26 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/26 | startguarantee.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/27 | afforddrill.xzv4rzuctndfo.club | 93.190.141.45 | Nebula |
2017/02/27 | approveriver.jsffu2zkt5va.trade | 93.190.141.45 | Nebula |
2017/02/27 | burglarsatin.jsffu2zkt5va.trade | 93.190.141.45 | Nebula |
2017/02/27 | distributionfile.edgetaxprice.site | 93.190.141.45 | Nebula |
2017/02/27 | invoicegosling.edgetaxprice.site | 93.190.141.45 | Nebula |
2017/02/27 | jailreduction.edgetaxprice.site | 93.190.141.45 | Nebula |
2017/02/27 | lipprice.edgetaxprice.site | 93.190.141.45 | Nebula |
2017/02/27 | marginswiss.divingfuelsalary.trade | 93.190.141.200 | Nebula |
2017/02/27 | outputfruit.divingfuelsalary.trade | 93.190.141.200 | Nebula |
2017/02/27 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/27 | reindeerprofit.divingfuelsalary.trade | 93.190.141.200 | Nebula |
2017/02/27 | reminderdonna.divingfuelsalary.trade | 93.190.141.200 | Nebula |
2017/02/27 | startguarantee.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/27 | supplyheaven.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/27 | transportbomb.gramsunshinesupply.club | 93.190.141.39 | Nebula |
2017/02/28 | afforddrill.xzv4rzuctndfo.club | 93.190.141.45 | Nebula |
2017/02/28 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/02/28 | authorparticle.390a20778a68d056c40908025df2fc4e.site | 93.190.141.45 | Nebula |
2017/02/28 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/02/28 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/02/28 | burglarsatin.jsffu2zkt5va.trade | 93.190.141.45 | Nebula |
2017/02/28 | certificationplanet.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
2017/02/28 | chooseravioli.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
2017/02/28 | coachadvantage.reportattackconifer.site | 93.190.141.39 | Nebula |
2017/02/28 | databasesilver.reportattackconifer.site | 93.190.141.39 | Nebula |
2017/02/28 | date-of-birthtrout.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
2017/02/28 | dependentswhorl.jsffu2zkt5va.trade | 93.190.141.45 | Nebula |
2017/02/28 | derpenquiry.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
2017/02/28 | domainconsider.mxkznekruoays.trade | 93.190.141.200 | Nebula |
2017/03/01 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/03/01 | authorparticle.390a20778a68d056c40908025df2fc4e.site | 93.190.141.45 | Nebula |
2017/03/01 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/03/01 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/03/02 | actressheight.knowledgedrugsaturday.club | 93.190.141.45 | Nebula |
2017/03/02 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/03/02 | applywholesaler.tboapfmsyu.stream | 93.190.141.200 | Nebula |
2017/03/02 | approvepeak.knowledgedrugsaturday.club | 93.190.141.45 | Nebula |
2017/03/02 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/03/02 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
2017/03/02 | borrowfield.77e1084e.pro | 93.190.141.45 | Nebula |
2017/03/02 | boydescription.356020817786fb76e9361441800132c9.win | 93.190.141.39 | Nebula |
2017/03/02 | buglecommand.textfatherfont.info | 93.190.141.39 | Nebula |
2017/03/02 | buysummer.77e1084e.pro | 93.190.141.45 | Nebula |
2017/03/02 | captaincertification.77e1084e.pro | 93.190.141.45 | Nebula |
2017/03/02 | chargerule.textfatherfont.info | 93.190.141.39 | Nebula |
2017/03/02 | cityacoustic.textfatherfont.info | 93.190.141.39 | Nebula |
2017/03/02 | clickbarber.356020817786fb76e9361441800132c9.win | 93.190.141.39 | Nebula |
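For analysts who want to operationalise the tables above, here is an added example (not code from the original post or from Kafeine's Nebula_URI repository). It parses a constructed excerpt of the domain table in the same pipe-delimited shape, pivots the indicators by /24 to expose the hosting clusters (188.209.49.0/24, 93.190.141.0/24, 217.23.7.0/24), and runs constructed proxy log lines against both exact indicators and a hypothetical shape heuristic derived from the table: a dictionary-word subdomain, an 8- or 32-character hex second-level label, and one of the cheap TLDs listed. The URI regexes live in the linked GitHub file, not on this page, so the example matches on hostnames only; the heuristic is a hunting lead, not a blocking rule, since it cannot recognise the concatenated-word variant (e.g. distributionstatementdiploma) and could fire on unrelated hex-labelled hostnames.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed excerpt of the post's domain table, kept in the same
# pipe-delimited shape so the parser can be pointed at the full table.
IOC_TABLE = """\
Date | Domain | IP | Comment |
---|---|---|---|
2017/02/17 | tci.nhnph.com | 188.209.49.135 | Nebula Payload Domain |
2017/02/28 | hmn.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain |
2017/02/17 | clausmessage.nationweekretailer.club | 217.23.7.15 | Nebula |
2017/02/24 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
2017/02/28 | authorparticle.390a20778a68d056c40908025df2fc4e.site | 93.190.141.45 | Nebula |
2017/02/28 | certificationplanet.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
2017/03/02 | boydescription.356020817786fb76e9361441800132c9.win | 93.190.141.39 | Nebula |
2017/03/02 | borrowfield.77e1084e.pro | 93.190.141.45 | Nebula |
"""

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
LOG_LINES = [
    "2017-02-28T10:01:02Z 10.0.0.12 GET http://authorparticle.390a20778a68d056c40908025df2fc4e.site/ 200",
    "2017-03-02T08:15:44Z 10.0.0.31 GET http://clickbarber.356020817786fb76e9361441800132c9.win/ 200",
    "2017-03-02T08:16:01Z 10.0.0.31 GET http://www.example.com/ 200",
    "2017-02-24T12:00:00Z 10.0.0.9 GET http://cowchange.distributionstatementdiploma.site/ 200",
]

# Assumption drawn from the listed indicators, not a rule published with the post:
# TLDs and hex label lengths (8 and 32) are those observed in the table.
NEBULA_TLDS = {"club", "stream", "site", "trade", "bid", "pro", "info", "top", "win", "pw", "xyz"}
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{8}|[0-9a-f]{32})$")
WORD_LABEL = re.compile(r"^[a-z-]+$")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def parse_ioc_table(text):
    """Turn the pipe-delimited table into dicts, skipping header and separator rows."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Date" or set(cells[0]) <= {"-"}:
            continue
        date, domain, ip, comment = cells[:4]
        rows.append({"date": date, "domain": domain.lower(), "ip": ip, "comment": comment})
    return rows


def nebula_shape(host):
    """Return 'hex-sld' for <word>.<hexblob>.<cheap tld> hostnames, else None.
    Only the hex-label variant is detectable without a wordlist."""
    labels = host.lower().split(".")
    if len(labels) != 3:
        return None
    sub, sld, tld = labels
    if tld in NEBULA_TLDS and WORD_LABEL.match(sub) and HEX_LABEL.match(sld):
        return "hex-sld"
    return None


def pivot_by_network(rows, prefix=24):
    """Group indicator domains by hosting prefix to expose infrastructure clusters."""
    nets = defaultdict(set)
    for r in rows:
        net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        nets[str(net)].add(r["domain"])
    return {k: sorted(v) for k, v in nets.items()}


def hunt(rows, log_lines):
    """Flag log lines by exact indicator match first, then by the shape heuristic."""
    known = {r["domain"]: r for r in rows}
    hits = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if host in known:
            hits.append((host, "ioc-match", known[host]["comment"]))
        else:
            reason = nebula_shape(host)
            if reason:
                hits.append((host, "shape-match", reason))
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    for net, domains in sorted(pivot_by_network(iocs).items()):
        print(f"{net}: {len(domains)} domain(s)")
    for hit in hunt(iocs, LOG_LINES):
        print(hit)
```

Run against the excerpt, the second constructed log line (clickbarber.356020817786fb76e9361441800132c9.win) is absent from the excerpt but is caught by the shape heuristic because it shares its hex second-level label with the boydescription indicator; swap in the full table from the post and it becomes an exact match. Exact matches are reported before heuristic ones so that a confirmed indicator is never downgraded to a lead.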