 |
| Nebula Logo |
While Empire (RIG-E) disappeared at the end of December after 4 months of activity
 |
| Illustration of the last month of witnessed Activity for Empire |
on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.
——
Selling EK Nebula
——
Nebula Exploit kit
Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested whit popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon…)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support
Subscriptions:
24h – 100$
7d – 600$
31d – 2000$
Jabber – nebula-support@xmpp.jp
Offering free tests to trusted users
——
In same thread some screenshots were shared by a customer.
Earlier that same day, colleagues at Trendmicro told me they were seeing activity from a group we are following under the name “GamiNook” (illustration coming later) in Japan redirecting traffic to a variation of Sundown.
 |
|
| “GamiNook” redirecting to a Sundown Variation in Japan – 2017-02-17 Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 ) |
This Sundown variation was not so much different from the mainstream one.
No “index.php?” in the landing URI, different domain pattern but same landing, exploits, etc… Some payload sent in clear (01.php) other RC4 encoded (00.php) as for Sundown.
Digging more it appeared it was featuring an Internal TDS (as Empire).
The same exact call would give you a different payload in France or in United Kingdom/Japan.
 |
| “GamiNook” traffic with geo in France – 2017-02-17 Identicall payload call gives you Gootkit instead of Pitou Payload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6) |
Note: to be sure that the payload difference is tied to Geo and not time based (rotation or operator changing it ) you need to make at least a third pass with first Geo and ensure dropped sample is identical as in first pass.
At that point you can only suspect this Sundown variant might be Nebula (even if clues are multiple, a funny one being that the traffic illustrated in the advert thread is quite inline with the one captured in France).
So I was naming that variation: Sundown-N. Intel shared by Frank Ruiz (FoxIT) on the 21st allowed me to know for sure this traffic was indeed Nebula.
The following days i saw other actor sending traffic to this EK.
 |
| Taxonomy tied to Nebula Activity in MISP – 2017-03-02 |
 |
| Taxonomy tied to GamiNook traffic activity, EK and resulting payload |
Today URI pattern changed from this morning :
/?yWnuAH-XgstCZ3E=tCi6ZGr10KUDHiaOgKVNolmBgpc3rkRp-weok1A2JV-gkpS0luBwQDdM
/?yXy3HX2F=tCu_Mj322aEBSXjYhatLoVmBgZJh_0Fg_wX_zQYxIg6nksDowOciFzNB
/?yXzbGV2jkcB_eU8=4ya6MDz31KdQTi7ahapLolnWjJdj_EJt-VT4mwQxIQ6gksTllrB3EGRM
/?ykjaKniEk6ZhH1-P=si-8YGj_1aANTynfh6Ye81mHhZE0_RNs_gn5nAExcV6okpTknOQgEmNN
/?z0vDa0iBu-Q=tHnqNT_-1KcGGCzfhqVKoVmB08dm_BJt-QKumQEwJA2nksGyk-QhQDRA
/?z13qMVqqoKRvTw=5S–Y2uk0apQGiyOhvdI81nQhZMwqxVo9FSsmVAyIgiokpPnl-V0QDIf
/?z1fECTiT=sy7tYmz206FUGCvagKpK9VmGhMAxrxZq_1CungQwdF71ksDowOciFzNB
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksTllrB3EGRM
/?zVnra0OCs9k=syjqMjel06ADFHuP0qNKolmGgsdh9BZq_geizlFkcQ2gksW2w7QsRTIf
/?zWnBFniM=4Ca9Zjej0PRTGC3e06FJp1nVjJA1rBRpqleumABkJF2hksTllrB3EGRM
/?zn3iKU_xjeNxWw=sHu7MTry2aoAFCyKgKUY8FmF0ZZi_kFg9ASimVQ2cl-lksTllrB3EGRM
/?zy3jN0Gvi9RjY02F2g=4H27Yjn-0_EBHSrc26MfoVnV15Yx-hJqrwWrnwJjcVqnkpTknOQgEmNN
(which is Sundown/Beps without the index.php) to
/86fb7c1b/showpost.php?s=af75b6af5d0f08cf675149da13b1d3e4&p=13&postcount=8
/641222267738845/thumb/6456dac5bc39ec7/comment_post.php?ice=bDaE06lCQU
/507728217866857/9ecc534d/bug_report/media/pr.php?id=b38cb0526f8cd52d878009d9f27be8f4
/gu/Strategy/qNXL8WmQ6G/rss.php?cat=MSFT
/moddata/a9/showpost.php?s=0d2d722e1a2a625b3ceb042daf966593&p=13&postcount=1
/2003/01/27/exchange-monday-wilderness
/46198923243328031687/applications/blockStyle.php?last-name=6419f08706689953783a59fa4faeb75c
/5wtYymZeVy/LKYcSFhKOi/showpost.php?s=2e3e8a3c3b6b00cd3033f8e20d174bf5&p=8&postcount=7
/2006/08/05/fur-copper-shark
/48396170957391254103/XD25OYwON1/showpost.php?s=abf72cd40a08463fad0b3d153da66cae&p=27&postcount=7
/tV9FnNwo4h/b303debe9a6305791b9cd16b1f10b91e/promotion.php?catid=h
/ef131fb2025525a/QLGWEFwfdh/550991586389812/core.write_file.php?lawyer=9H6UhvusOi
/aPKr0Oe5GV/23861001482170285181/showpost.php?s=e74b32ba071772d5b55f97159db2e998&p=2&postcount=1
/2/eb799e65a412b412ee63150944c7826d61cd7a544f7aa57029a9069698b4925b2068ed77dea8dc6210b933e3ecf1f35b/showthread.php?t=18024&page=14
/js/archives/3f635a090e73f9b/showthread.php?t=6636&page=18
/59cdf39001a623620bd7976a42dde55f190382060a264e21809fc51f/ff0a503d59ddb4d5e1fb663b6475dfe0ba08f0b84ce8692d/viewtopic.php?f=84&t=48361
/615147354246727/339824645925013/nqHgct4sEE/showthread.php?t=51299&page=20
/2012/04/22/present-measure-physical-examination
(for those who would like to build their regexp, more pattern available here : https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )
 |
| 2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA – 2017-03-02 |
This landing pattern change triggered the publication of this post. Nebula might end up not being a “vapor” EK but let’s wait and see. The only difference with Sundown till today was its internal TDS.
Exploits:
CVE-2014-6332 + CVE-2015-0016
CVE-2013-2551
CVE-2013-2551
CVE-2016-0189 godmode
CVE-2015-8651
CVE-2015-7645
CVE-2016-4117
Files: Nebula_2017-03-02 (2 fiddler – password is malware)
Acknowledgement :
Thanks Joseph C Chen and Brooks Li (Trendmicro), Frank Ruiz (Fox-IT InTELL) and Andrew Komarov ( InfoArmor Inc. ) for the help on different aspect of this post.
Edit:
2017-03-03 Corrected some CVE id + not all payload are in clear
—
2017-03-03 Corrected some CVE id + not all payload are in clear
—
Some IOCs
| Date | Sha256 | Comment |
|---|---|---|
| 2017/02/17 | f4627005c018071f8ec6b084eef3936e3a267660b0df99ffa0d27a8d943d1af5 | Flash Exploit (CVE-2016-4117) |
| 2017/02/27 | be86dc88e6337f09999991c206f890e0d52959d41f2bb4c6515b5442b23f2ecc | Flash Exploit (CVE-2016-4117) |
| 2017/02/17 | 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 | Flash Exploit (CVE-2015-7645 Sample seen previously in Sundown) |
| 2017/02/17 | 04fb00bdd3d2c0667b18402323fe7cf495ace5e35a4562e1a30e14b26384f41c | Flash Exploit (CVE-2015-8651 Sample seen previously in Sundown) |
| 2017/02/17 | b976cf6fd583b349e51cb34b73de6ef3a5ee72f86849f847b9158b4a7fb2315c | Pitou |
| 2017/02/17 | 6fe13d913f4d3f2286f67fbde08ab17418ba8370410e52354ffa12a0aaf498f8 | Gootkit |
| 2017/02/22 | 1a22211d01d2e8746efe0d14ab7e1e547c3e30863a83e0884a9d90325bd7b64b | Ramnit |
| 2017/03/02 | 6764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4a | DiamondFox |
| Date | Domain | IP | Comment |
|---|---|---|---|
| 2017/02/17 | tci.nhnph.com | 188.209.49.135 | Nebula Payload Domain |
| 2017/02/22 | gnd.lplwp.com | 188.209.49.135 | Nebula Payload Domain |
| 2017/02/24 | qcl.ylk8.xyz | 188.209.49.23 | Nebula Payload Domain |
| 2017/02/28 | hmn.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain |
| 2017/03/02 | qgg.losssubwayquilt.pw | 93.190.141.166 | Nebula Payload Domain |
| 2017/02/17 | agendawedge.shoemakerzippersuccess.stream | 188.209.49.135 | Nebula |
| 2017/02/17 | clausmessage.nationweekretailer.club | 217.23.7.15 | Nebula |
| 2017/02/17 | equipmentparticle.shockadvantagewilderness.club | 217.23.7.15 | Nebula |
| 2017/02/17 | salaryfang.shockadvantagewilderness.club | 217.23.7.15 | Nebula |
| 2017/02/22 | deficitshoulder.lossicedeficit.pw | 188.209.49.135 | Nebula |
| 2017/02/22 | distributionjaw.hockeyopiniondust.club | 188.209.49.135 | Nebula |
| 2017/02/22 | explanationlier.asiadeliveryarmenian.pro | 188.209.49.135 | Nebula |
| 2017/02/23 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
| 2017/02/23 | instructionscomposition.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
| 2017/02/23 | paymentceramic.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
| 2017/02/23 | soldierprice.distributionstatementdiploma.site | 188.209.49.135 | Nebula |
| 2017/02/23 | swissfacilities.gumimprovementitalian.stream | 188.209.49.135 | Nebula |
| 2017/02/23 | transportdrill.facilitiesturkishdipstick.info | 188.209.49.135 | Nebula |
| 2017/02/24 | authorisationmessage.casdfble.stream | 188.209.49.151 | Nebula |
| 2017/02/24 | cowchange.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
| 2017/02/24 | departmentant.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
| 2017/02/24 | disadvantageproduction.brassreductionquill.site | 188.209.49.151 | Nebula |
| 2017/02/24 | disadvantageproduction.casdfble.stream | 188.209.49.151 | Nebula |
| 2017/02/24 | europin.pedestrianpathexplanation.info | 188.209.49.151 | Nebula |
| 2017/02/24 | hygienicreduction.brassreductionquill.site | 188.209.49.151 | Nebula |
| 2017/02/24 | hygienicreduction.casdfble.stream | 188.209.49.151 | Nebula |
| 2017/02/24 | instructionscomposition.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
| 2017/02/24 | jobhate.pedestrianpathexplanation.info | 188.209.49.151 | Nebula |
| 2017/02/24 | limitsphere.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
| 2017/02/24 | paymentceramic.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
| 2017/02/24 | penaltyinternet.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
| 2017/02/24 | phonefall.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
| 2017/02/24 | printeroutput.pheasantmillisecondenvironment.stream | 188.209.49.151 | Nebula |
| 2017/02/24 | redrepairs.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
| 2017/02/24 | soldierprice.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
| 2017/02/24 | suggestionburn.distributionstatementdiploma.site | 188.209.49.151 | Nebula |
| 2017/02/25 | advertiselaura.bubblecomparisonwar.top | 188.209.49.49 | Nebula |
| 2017/02/25 | apologycattle.gramsunshinesupply.club | 188.209.49.151 | Nebula |
| 2017/02/25 | apologycattle.gramsunshinesupply.club | 188.209.49.49 | Nebula |
| 2017/02/25 | apologycattle.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/25 | apologycold.shearssuccessberry.club | 188.209.49.151 | Nebula |
| 2017/02/25 | authorizationmale.foundationspadeinventory.club | 188.209.49.151 | Nebula |
| 2017/02/25 | birthdayexperience.foundationspadeinventory.club | 188.209.49.151 | Nebula |
| 2017/02/25 | confirmationaustralian.retaileraugustplier.club | 188.209.49.151 | Nebula |
| 2017/02/25 | dancerretailer.shearssuccessberry.club | 188.209.49.151 | Nebula |
| 2017/02/25 | employergoods.deliverycutadvantage.info | 188.209.49.151 | Nebula |
| 2017/02/25 | fallhippopotamus.deliverycutadvantage.info | 188.209.49.151 | Nebula |
| 2017/02/25 | goallicense.shearssuccessberry.club | 188.209.49.151 | Nebula |
| 2017/02/25 | goalpanda.retaileraugustplier.club | 188.209.49.151 | Nebula |
| 2017/02/25 | holidayagenda.retaileraugustplier.club | 188.209.49.151 | Nebula |
| 2017/02/25 | marketsunday.deliverycutadvantage.info | 188.209.49.151 | Nebula |
| 2017/02/25 | penaltyinternet.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
| 2017/02/25 | phonefall.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
| 2017/02/25 | purposeguarantee.shearssuccessberry.club | 188.209.49.151 | Nebula |
| 2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 188.209.49.151 | Nebula |
| 2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 188.209.49.49 | Nebula |
| 2017/02/25 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/25 | rollinterest.asiadeliveryarmenian.pro | 188.209.49.151 | Nebula |
| 2017/02/25 | startguarantee.gramsunshinesupply.club | 188.209.49.151 | Nebula |
| 2017/02/25 | startguarantee.gramsunshinesupply.club | 188.209.49.49 | Nebula |
| 2017/02/26 | advantagelamp.numberdeficitc-clamp.site | 93.190.141.39 | Nebula |
| 2017/02/26 | apologycattle.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/26 | budgetdegree.maskobjectivebiplane.trade | 93.190.141.200 | Nebula |
| 2017/02/26 | competitionseason.numberdeficitc-clamp.site | 93.190.141.39 | Nebula |
| 2017/02/26 | customergazelle.cyclonesoybeanpossibility.bid | 93.190.141.39 | Nebula |
| 2017/02/26 | decembercommission.divingfuelsalary.trade | 93.190.141.200 | Nebula |
| 2017/02/26 | distributionfile.edgetaxprice.site | 93.190.141.45 | Nebula |
| 2017/02/26 | equipmentwitness.maskobjectivebiplane.trade | 93.190.141.200 | Nebula |
| 2017/02/26 | invoiceburst.cyclonesoybeanpossibility.bid | 93.190.141.39 | Nebula |
| 2017/02/26 | invoicegosling.edgetaxprice.site | 93.190.141.45 | Nebula |
| 2017/02/26 | jailreduction.edgetaxprice.site | 93.190.141.45 | Nebula |
| 2017/02/26 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/26 | startguarantee.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/27 | afforddrill.xzv4rzuctndfo.club | 93.190.141.45 | Nebula |
| 2017/02/27 | approveriver.jsffu2zkt5va.trade | 93.190.141.45 | Nebula |
| 2017/02/27 | burglarsatin.jsffu2zkt5va.trade | 93.190.141.45 | Nebula |
| 2017/02/27 | distributionfile.edgetaxprice.site | 93.190.141.45 | Nebula |
| 2017/02/27 | invoicegosling.edgetaxprice.site | 93.190.141.45 | Nebula |
| 2017/02/27 | jailreduction.edgetaxprice.site | 93.190.141.45 | Nebula |
| 2017/02/27 | lipprice.edgetaxprice.site | 93.190.141.45 | Nebula |
| 2017/02/27 | marginswiss.divingfuelsalary.trade | 93.190.141.200 | Nebula |
| 2017/02/27 | outputfruit.divingfuelsalary.trade | 93.190.141.200 | Nebula |
| 2017/02/27 | rainstormpromotion.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/27 | reindeerprofit.divingfuelsalary.trade | 93.190.141.200 | Nebula |
| 2017/02/27 | reminderdonna.divingfuelsalary.trade | 93.190.141.200 | Nebula |
| 2017/02/27 | startguarantee.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/27 | supplyheaven.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/27 | transportbomb.gramsunshinesupply.club | 93.190.141.39 | Nebula |
| 2017/02/28 | afforddrill.xzv4rzuctndfo.club | 93.190.141.45 | Nebula |
| 2017/02/28 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/02/28 | authorparticle.390a20778a68d056c40908025df2fc4e.site | 93.190.141.45 | Nebula |
| 2017/02/28 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/02/28 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/02/28 | burglarsatin.jsffu2zkt5va.trade | 93.190.141.45 | Nebula |
| 2017/02/28 | certificationplanet.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
| 2017/02/28 | chooseravioli.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
| 2017/02/28 | coachadvantage.reportattackconifer.site | 93.190.141.39 | Nebula |
| 2017/02/28 | databasesilver.reportattackconifer.site | 93.190.141.39 | Nebula |
| 2017/02/28 | date-of-birthtrout.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
| 2017/02/28 | dependentswhorl.jsffu2zkt5va.trade | 93.190.141.45 | Nebula |
| 2017/02/28 | derpenquiry.87692f31beea22522f1488df044e1dad.top | 93.190.141.45 | Nebula |
| 2017/02/28 | domainconsider.mxkznekruoays.trade | 93.190.141.200 | Nebula |
| 2017/03/01 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/03/01 | authorparticle.390a20778a68d056c40908025df2fc4e.site | 93.190.141.45 | Nebula |
| 2017/03/01 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/03/01 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/03/02 | actressheight.knowledgedrugsaturday.club | 93.190.141.45 | Nebula |
| 2017/03/02 | agesword.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/03/02 | applywholesaler.tboapfmsyu.stream | 93.190.141.200 | Nebula |
| 2017/03/02 | approvepeak.knowledgedrugsaturday.club | 93.190.141.45 | Nebula |
| 2017/03/02 | bakermagician.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/03/02 | bombclick.alvdxq1l6n0o.stream | 93.190.141.166 | Nebula |
| 2017/03/02 | borrowfield.77e1084e.pro | 93.190.141.45 | Nebula |
| 2017/03/02 | boydescription.356020817786fb76e9361441800132c9.win | 93.190.141.39 | Nebula |
| 2017/03/02 | buglecommand.textfatherfont.info | 93.190.141.39 | Nebula |
| 2017/03/02 | buysummer.77e1084e.pro | 93.190.141.45 | Nebula |
| 2017/03/02 | captaincertification.77e1084e.pro | 93.190.141.45 | Nebula |
| 2017/03/02 | chargerule.textfatherfont.info | 93.190.141.39 | Nebula |
| 2017/03/02 | cityacoustic.textfatherfont.info | 93.190.141.39 | Nebula |
| 2017/03/02 | clickbarber.356020817786fb76e9361441800132c9.win | 93.190.141.39 | Nebula |
MDNC | Malware don’t need Coffee
