We’ve covered the topic of Exploit kits from a DNS perspective on this blog several times before [1][2][3]. In today’s post, we’ll look at another threat, the Nuclear Pack Exploit Kit, which is currently targeting users through malvertising campaigns. In addition, we’ll share information about our efforts to monitor, block, and eradicate these malicious domains – such as the recent take down campaign carried out in conjunction with the team at MalwareMustDie, which resulted in 174 Nuclear Exploit Kit domains being shut down thus far [4] (the operation is still ongoing).

First, a quick review of malvertising, a regular infection vector for Internet users. During this type of attack, malicious ads are injected into legitimate online advertising networks, leading unsuspecting users to sites hosting exploit kits and eventually dropping malware onto victims’ machines. A few advertising networks like Clicksor and Klixfeed are occasionally abused, and recent campaigns involving PopOnClick and Klixfeed leading to Nuclear Exploit Kit and Zbot trojan dropping were reported by security researcher @malekal_morte on Feb 11th and 13th [5].

The exploit landing sites in question correspond to a known stream of Nuclear Pack Exploit Kit domains abusing the .pw ccTLD – a list of domains we have been monitoring and blocking as soon as they go live (see the “Predicting the Emergence of Exploit Kit and Malware Domains” section in [6] and [7] for more information).

Monitoring the Evasive Patterns

For the past few months, the bad actors behind these Nuclear Pack domains have been abusing the IP space of the hosting provider OVH by hosting subdomains on small sub-allocated blocks of contiguous IPs. We have recently observed a similar pattern across several IP ranges, e.g. [8][9]; the same patterns were also reported by other security researchers [10].

As an example, let’s look at the range 192.95.10.208/28, i.e. 192.95.10.208 to 192.95.10.223. In this case, the set of 16 IPs actively hosted more than 9790 Nuclear Pack subdomains between Jan 11th and Feb 2nd. Subsequently, new IP ranges have been used to host Nuclear Pack, for example 192.95.43.160/28 and 192.95.7.224/28.

Recent efforts by security researchers in reporting this abuse led OVH to neutralize this stream of malicious IPs on their IP space. The bad actors then switched to a Ukrainian hosting provider, besthosting.ua. At the time of publication, the bad actors have been using the range 31.41.221.130 to 31.41.221.140 and 31.41.221.142 since Feb 7th [11]. Notice that these IPs run nginx 0.7.67 as the exploit kit web server. The IPs are not brought online by the bad actors all at once, but in small blocks over time, just when they are about to be used. The live IPs in this range show the same open ports and services fingerprint, as the nmap output below shows:

22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp  open  http    nginx web server 0.7.67
111/tcp open  rpcbind

Below are the IPs that were used, along with the first-seen and last-seen dates of subdomains on them:

IP             First seen   Last seen
31.41.221.142  2014-02-12   2014-02-13
31.41.221.140  2014-02-12   2014-02-12
31.41.221.139  2014-02-12   2014-02-12
31.41.221.138  2014-02-11   2014-02-12
31.41.221.137  2014-02-10   2014-02-11
31.41.221.136  2014-02-10   2014-02-11
31.41.221.135  2014-02-10   2014-02-10
31.41.221.134  2014-02-09   2014-02-10
31.41.221.132  2014-02-08   2014-02-09
31.41.221.131  2014-02-07   2014-02-08

Following abuse reports sent by different security researchers to besthosting.ua regarding this malicious IP range, the bad actors switched back and started using 31.41.221.130 on Feb 13th [12]. Also, 31.41.221.143 was live since Feb 13th and started hosting Nuclear domains on Feb 14th.

In the figures below, we’ve used our DNSDB to show the daily counts of Nuclear Pack subdomains on the OVH IP range 192.95.10.208/28, active between Jan 11th and Feb 2nd, as well as the count of subdomains per IP:

[Figure: Nuclear subdomains per day]

[Figure: Nuclear subdomains per IP]

We are currently blocking the entire 31.41.221.128/25 [13] range of IPs as they seem highly suspicious, thereby ensuring any subdomains that start resolving to them are inaccessible.
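The monitoring described above, i.e. deriving first-seen/last-seen dates and daily subdomain counts per IP from passive DNS and blocking any subdomain that starts resolving into a preemptively blocked prefix, as an added example (not the post’s or OpenDNS’s own code). The observation records are constructed samples; the blocked prefixes are the ones named in the post.

```python
"""Passive-DNS aggregation for exploit-kit subdomain monitoring.

Added example, not code from the original post. The observations below are
constructed samples of A-record sightings; the blocked prefixes are the ones
the post names (31.41.221.128/25, 5.101.173.0/24, 192.95.10.208/28).
"""
from collections import defaultdict
import ipaddress

# Constructed passive-DNS observations: (subdomain, resolved IP, ISO date).
OBSERVATIONS = [
    ("a1b2.example-ek.pw", "31.41.221.131", "2014-02-07"),
    ("c3d4.example-ek.pw", "31.41.221.131", "2014-02-08"),
    ("e5f6.example-ek.pw", "31.41.221.132", "2014-02-08"),
    ("g7h8.example-ek.pw", "31.41.221.132", "2014-02-09"),
    ("i9j0.example-ek.pw", "31.41.221.134", "2014-02-09"),
    ("k1l2.benign-site.pw", "203.0.113.10", "2014-02-09"),  # unrelated host
]

# Prefixes blocked as a whole sub-allocation, as described in the post.
BLOCKED_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("31.41.221.128/25", "5.101.173.0/24", "192.95.10.208/28")]

def first_last_seen(observations):
    """Per IP, the (first seen, last seen) dates of subdomains pointing at it.
    ISO dates sort lexicographically, so plain min/max works."""
    seen = {}
    for _, ip, day in observations:
        lo, hi = seen.get(ip, (day, day))
        seen[ip] = (min(lo, day), max(hi, day))
    return seen

def subdomains_per_day(observations):
    """Daily count of distinct subdomains (the per-day figure in the post)."""
    per_day = defaultdict(set)
    for name, _, day in observations:
        per_day[day].add(name)
    return {day: len(names) for day, names in sorted(per_day.items())}

def in_blocked_range(ip):
    """True if the IP falls inside a preemptively blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_PREFIXES)

def flag_new_hosts(observations):
    """Subdomains whose A record lands in a blocked prefix: these are
    unreachable for resolver clients from the moment they start resolving."""
    return sorted({name for name, ip, _ in observations if in_blocked_range(ip)})
```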

Predicting and Neutralizing Nuclear Pack Domains Before They Are Weaponized

More importantly, as of Feb 14th, we counted six authoritative name servers answering for the current .pw Nuclear Pack domains:

dns1.echouniversal.com. 198.50.230.203 86400
dns2.echouniversal.com. 198.27.118.95 86400
dns1.merchantmarkets.com. 142.4.194.6 86400
dns2.merchantmarkets.com. 198.50.235.74 86400
dns1.highlinerservices.com. 198.50.247.253 86400
dns2.highlinerservices.com. 198.50.197.58 86400

Four of these IPs are currently live:

198.50.247.253
142.4.194.6
198.50.197.58
198.50.230.203

and they also show similar open ports/services fingerprints:

22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
53/tcp open domain ISC BIND 9.7.3
80/tcp open http Apache httpd 2.2.16 ((Debian))
445/tcp filtered microsoft-ds

These name servers are hosted on OVH IPs, so it appears the bad actors are still keeping a foothold on OVH’s IP space. The same suspicious actor(s) who reserved the small ranges hosting the Nuclear Pack name servers have also reserved the ranges below:

198.50.230.192 – 198.50.230.195
198.50.230.196 – 198.50.230.199
198.50.230.200 – 198.50.230.203
198.50.230.204 – 198.50.230.207
198.50.230.208 – 198.50.230.215
198.50.230.216 – 198.50.230.223

198.27.118.64 – 198.27.118.71
198.27.118.72 – 198.27.118.79
198.27.118.80 – 198.27.118.87
198.27.118.88 – 198.27.118.91
198.27.118.92 – 198.27.118.95

198.50.235.72 – 198.50.235.79

142.4.194.0 – 142.4.194.7

198.50.247.224 – 198.50.247.227
198.50.247.228 – 198.50.247.231
198.50.247.232 – 198.50.247.239
198.50.247.240 – 198.50.247.243
198.50.247.244 – 198.50.247.247
198.50.247.248 – 198.50.247.251
198.50.247.252 – 198.50.247.255

198.50.197.48 – 198.50.197.51
198.50.197.52 – 198.50.197.55
198.50.197.56 – 198.50.197.59
198.50.197.60 – 198.50.197.63

We have blocked the name server 2LDs and the bulk of these IP ranges as a preventive measure, and are monitoring any new suspicious name servers that appear on them.
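The name-server side of this approach, as an added example that is not the post’s or OpenDNS’s code: a domain is flagged when any of its name servers belongs to one of the blocked 2LDs, or when a previously unseen name server is hosted inside one of the actor’s reserved sub-allocations. The blocked 2LDs and ranges are taken from the post (contiguous sub-blocks are merged into one start–end pair); the per-domain NS data is constructed.

```python
"""Flagging domains by their name-server infrastructure.

Added example, not code from the original post. The NS records below are
constructed; the blocked 2LDs and reserved ranges are those listed in the
post, with adjacent sub-blocks merged into a single start-end pair.
"""
import ipaddress

# Name-server 2LDs the post says were blocked.
BLOCKED_NS_2LDS = {"echouniversal.com", "merchantmarkets.com", "highlinerservices.com"}

# The actor's sub-allocated blocks from the post, merged where contiguous.
RESERVED_RANGES = [
    ("198.50.230.192", "198.50.230.223"),
    ("198.27.118.64", "198.27.118.95"),
    ("198.50.235.72", "198.50.235.79"),
    ("142.4.194.0", "142.4.194.7"),
    ("198.50.247.224", "198.50.247.255"),
    ("198.50.197.48", "198.50.197.63"),
]

def two_ld(hostname):
    """Registrable 2LD of a .com-style name (no public-suffix list needed here)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def in_reserved_range(ip):
    """True if ip lies inside any of the actor's reserved blocks."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in RESERVED_RANGES)

def assess_domain(domain, ns_records):
    """ns_records: list of (NS hostname, NS IP). Returns (verdict, reasons)."""
    reasons = []
    for ns, ip in ns_records:
        if two_ld(ns) in BLOCKED_NS_2LDS:
            reasons.append(f"{domain}: {ns} is under a blocked name-server 2LD")
        elif in_reserved_range(ip):
            reasons.append(f"{domain}: {ns} ({ip}) is a new name server on a reserved range")
    return ("block" if reasons else "allow", reasons)

# Constructed cases: a known NS, a fresh NS on a reserved block, and a clean domain.
CASES = {
    "abc123.pw": [("dns1.echouniversal.com.", "198.50.230.203")],
    "def456.pw": [("ns1.fresh-example.net.", "198.50.247.230")],
    "clean.example": [("ns1.example.net.", "203.0.113.53")],
}
```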

Preemptive Strike

Additionally, on Feb 14th, another stream of Nuclear EK subdomains appeared on 5.101.173.1 [14], hosted at a Russian hosting provider, Petersburg Internet Network LLC.

5.101.173.1 is part of the 5.101.173.0/24 prefix. On that prefix, there are currently 62 live IPs.

The following IPs (including the current 5.101.173.1 that is hosting live Nuclear subdomains) all have the same open ports/services fingerprints indicated below:

5.101.173.1
5.101.173.2
5.101.173.3
5.101.173.4
5.101.173.5
5.101.173.6
5.101.173.7
5.101.173.8
5.101.173.9
5.101.173.10

22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
80/tcp open http nginx web server 1.2.1
111/tcp open rpcbind

As with the pattern shown above on 31.41.221.130 to 31.41.221.140, 31.41.221.142 and 31.41.221.143, the identical fingerprint across 5.101.173.1-10 is clearly preparation to use these IPs as web servers hosting the Nuclear Pack Exploit Kit attacks.
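The fingerprint comparison the post applies to the 31.41.221.x and 5.101.173.x hosts, as an added example (not the post’s own tooling): port lines in nmap’s normal-output style are normalised into a hashable tuple and every host in the prefix whose tuple matches a host already seen serving the kit is reported as a candidate for preemptive blocking. The scan text below is constructed, mirroring the fingerprint quoted in the post.

```python
"""Grouping hosts in a prefix by their open-port/service fingerprint.

Added example, not from the original post. The scan output is constructed in
nmap's normal-output style; the fingerprint mirrors the one quoted in the post.
"""
import re

# Constructed scan results keyed by host (port lines only).
SCANS = {
    "5.101.173.1": ("22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)\n"
                    "80/tcp open http nginx web server 1.2.1\n"
                    "111/tcp open rpcbind"),
    "5.101.173.2": ("22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)\n"
                    "80/tcp open http nginx web server 1.2.1\n"
                    "111/tcp open rpcbind"),
    "5.101.173.50": ("22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)\n"
                     "443/tcp open https Apache httpd 2.2.22"),  # different host role
}

# port/proto  state  service  [version text]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def fingerprint(scan_text):
    """Normalise a host's port lines into a sorted, hashable tuple of
    (port, proto, state, service, version) so hosts can be compared exactly."""
    rows = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, svc, ver = m.groups()
            rows.append((int(port), proto, state, svc, ver.strip()))
    return tuple(sorted(rows))

def hosts_matching(scans, known_bad_ip):
    """IPs whose fingerprint equals that of a host already seen serving the kit;
    these are the staged-but-not-yet-used servers worth blocking early."""
    ref = fingerprint(scans[known_bad_ip])
    return sorted(ip for ip, text in scans.items() if fingerprint(text) == ref)
```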

Using this intel, we are predicting the emergence of these domains before they appear and preemptively blocking IPs before they are weaponized with Exploit Kit domains, as well as IPs serving the name server infrastructure of the Nuclear Exploit domains.

The malicious campaign of these bad actors is live and ongoing, so we expect them to shift to other hosting providers to set up their name servers and Exploit Kit servers infrastructures. At the moment, it seems their MO of choice is to keep their name servers on OVH and set up the Exploit Kit servers at Eastern European hosting providers. 

For further information about the web traffic analysis and monitoring of these exploit kit attacks and the malvertising campaigns leading to them, we recommend the excellent work and updates of @malekal_morte, @kafeine, @jeromesegura and @MalwareMustDie, just to name a few.
