SANS ISC Internet Storm Center

Actor using Fiesta exploit kit

Published: 2015-04-28
Last Updated: 2015-04-28 02:43:04 UTC
by Brad Duncan (Version: 1)
2 comment(s)

An Enduring Adversary

This diary entry documents a criminal group using the Fiesta exploit kit (EK) to infect Windows computers.  I previously wrote a guest diary about this group on 2014-12-26 [1] and provided some updated information on my personal blog this past February [2].  I first noticed this group in 2013, and it's likely been active well before then.

The group is currently using a gate that redirects traffic from compromised websites to a Fiesta EK domain.  I'm calling this group the "BizCN gate actor" because all of its gate domains are registered through the same Chinese registrar, and they all resolve to a single IP address.  The registrant data is privacy-protected through Wuxi Yilian LLC.

Earlier this month, the BizCN gate actor changed its gate IP to [3].  We're currently seeing the gate lead to Fiesta EK on  Below is a flow chart for the infection chain:


Traffic From an Infected Host

The following image shows traffic from (the gate) that occurred on 2015-04-26.  The landing page for Fiesta EK is highlighted in yellow.

Within the past week or so, Fiesta EK has modified its URL structure.  Now you'll find dashes and underscores in the URLs (something that wasn't present before).

A pcap of this traffic at is available at:

The malware payload on the infected host copied itself to a directory under the user's AppData\Local folder.  It also updated a registry key for persistence (see below):

A copy of the malware payload is available at:

See below for post-infection traffic caused by the malware:

Below is an image from Sguil on Security Onion showing the EmergingThreats and ETPRO Snort events caused by the infection.  Post-infection traffic triggered ETPRO alerts for Kovter malware, but the malware payload is identified under different names by different AV vendors [4].


Indicators of Compromise (IOCs)

Passive DNS on shows at least 100 domains registered through hosted on this IP address.  Each domain is paired with a compromised website.  Below is a list of the gate domains and their associated compromised websites I've found so far this month:

(Read: gate on - compromised website)

  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -
  • -

How can you determine if your clients saw traffic associated with this actor?  Organizations with web proxy logs can search for to see the HTTP requests.  Those HTTP headers should include a referer line with the compromised website.  Many of these compromised websites use vBulletin.
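The two hunting steps described above (pivoting on the gate IP through passive DNS to build a domain watchlist, then searching proxy logs for requests to those domains and reading the Referer header for the compromised site) can be scripted. The following is an added example, not code from the diary or from ISC; the passive DNS records, proxy log lines, domains and IP addresses are all constructed placeholders, and the log layout (time, client, method, URL, status, referer, space-separated) is an assumption that will need adjusting to whatever your proxy actually writes.

```python
"""Hunt for BizCN-style gate traffic in web proxy logs.

Added example, not from the ISC diary. Every domain, IP address and log
line below is a constructed placeholder; substitute the real gate IP and
gate domains from your own passive DNS data.
"""
import re
from urllib.parse import urlparse

# Constructed passive-DNS records: (domain, resolved IP). Placeholder values.
PDNS_RECORDS = [
    ("gate-one.example", "192.0.2.10"),
    ("gate-two.example", "192.0.2.10"),
    ("benign-site.example", "198.51.100.5"),
]

# Constructed proxy log lines in an assumed layout:
# time client method url status referer ("-" when absent)
PROXY_LOG = """\
2015-04-26T14:02:11Z 10.0.0.15 GET http://forum.example/showthread.php?t=42 200 -
2015-04-26T14:02:12Z 10.0.0.15 GET http://gate-one.example/ 200 http://forum.example/showthread.php?t=42
2015-04-26T14:02:13Z 10.0.0.15 GET http://www.example.net/ 200 -
2015-04-26T14:05:40Z 10.0.0.22 GET http://gate-two.example/ 404 http://board.example/forum.php
2015-04-26T14:06:01Z 10.0.0.31 GET http://benign-site.example/ 200 -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def gate_domains_for_ip(records, gate_ip):
    """Pivot: every domain passive DNS shows on the gate IP joins the watchlist."""
    return {domain for domain, ip in records if ip == gate_ip}


def host_of(url):
    """Lower-cased hostname of a URL; '' for a missing ('-') or malformed URL."""
    if url == "-":
        return ""
    return (urlparse(url).hostname or "").lower()


def find_gate_hits(log_text, watchlist):
    """One record per request to a watchlisted gate domain, with the referring site.

    A 404 from the gate is still a hit: the diary notes the gate often answers
    404 Not Found, so status codes are reported but never used to filter.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts, client, method, url, status, referer = m.groups()
        gate = host_of(url)
        if gate in watchlist:
            hits.append({
                "time": ts,
                "client": client,
                "gate": gate,
                "status": int(status),
                # Referer host is the compromised website that redirected to the gate
                "compromised_site": host_of(referer) or None,
            })
    return hits


def compromised_sites(hits):
    """Distinct referring sites seen across all gate hits, for follow-up."""
    return sorted({h["compromised_site"] for h in hits if h["compromised_site"]})


if __name__ == "__main__":
    watch = gate_domains_for_ip(PDNS_RECORDS, "192.0.2.10")
    hits = find_gate_hits(PROXY_LOG, watch)
    for h in hits:
        print(h)
    print("compromised sites:", compromised_sites(hits))
```

Each hit gives you the internal client to examine, the gate domain it reached, and the referring site to report or block; clients with a hit that then went on to a Fiesta EK landing page are the ones to triage first. Matching on the watchlist rather than on the IP alone keeps the search useful after the actor rotates the gate IP, as the diary expects them to do.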


Final Notes

Researchers may have a hard time generating infection traffic from compromised websites associated with this actor.  Most often, HTTP GET requests to the gate domain return a 404 Not Found.  In some cases, the gate domain might not appear in traffic at all.  Other times, the HTTP GET request for the Fiesta EK landing page doesn't return anything.  It's tough to get a full infection chain when you're trying to do it on purpose.

The BizCN gate actor occasionally changes the IP address for these gate domains.  Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again.

Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes.

Brad Duncan, Security Researcher at Rackspace
Blog: - Twitter: @malware_traffic
