- amy-loves.co.uk – COMPROMISED HOST
- 220.127.116.11 – mrdoom.tk – GATE TO EXPLOIT KIT
- 18.104.22.168 – re.transdermdelivery.com/topic/1512028383 – ANGLER EK
Shown above: Angler EK using new URI pattern /topic/1512028383
Shown above: Injected script in compromised site redirecting to gate “mrdoom.tk”
Shown above: Referer from compromised site to gate with injected script directing to Angler EK host
Shown above: Extracted flash file using Wireshark File => Export Objects => HTTP
Shown above: Review of the flash file metadata shows a known Angler exploit pattern and known actors.
It should be noted that the payload could not be recovered; however, it does fit the pattern of TeslaCrypt.
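As an added example (not part of the original write-up), the redirect chain above expressed as a detection check over constructed proxy-log lines: it flags a request matching the /topic/<digits> pattern only when it arrives through a cross-host Referer chain (compromised site -> gate -> EK host), so an ordinary forum thread URL with the same shape is not flagged. The log format, client addresses and the gate path /gate.php are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the original capture). Fields:
# timestamp client method host path referer
SAMPLE_LOG = """\
2015-12-01T10:00:01Z 10.0.0.5 GET amy-loves.co.uk / -
2015-12-01T10:00:02Z 10.0.0.5 GET mrdoom.tk /gate.php http://amy-loves.co.uk/
2015-12-01T10:00:03Z 10.0.0.5 GET re.transdermdelivery.com /topic/1512028383 http://mrdoom.tk/gate.php
2015-12-01T10:05:00Z 10.0.0.7 GET forum.example.net /topic/98765 http://forum.example.net/index
"""

# The Angler landing-page URI pattern noted in the write-up: /topic/<digits>
ANGLER_URI = re.compile(r"^/topic/\d+$")

def parse_line(line):
    ts, client, method, host, path, referer = line.split(maxsplit=5)
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "referer_host": ref_host}

def find_angler_chains(log_text):
    """Return (client, compromised_host, gate_host, ek_host, path) tuples for
    requests that match /topic/<digits> AND were reached through a cross-host
    Referer chain (site -> gate -> EK). The path alone is not enough evidence:
    /topic/<id> is also a common forum URL shape."""
    reqs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    chains = []
    for i, r in enumerate(reqs):
        if not ANGLER_URI.match(r["path"]) or not r["referer_host"]:
            continue
        gate = r["referer_host"]
        if gate == r["host"]:
            continue  # same-site link, e.g. an ordinary forum thread
        # Find the same client's earlier request to the gate, and the site
        # whose injected script referred the client to that gate.
        for g in reversed(reqs[:i]):
            if (g["client"] == r["client"] and g["host"] == gate
                    and g["referer_host"] and g["referer_host"] != gate):
                chains.append((r["client"], g["referer_host"], gate,
                               r["host"], r["path"]))
                break
    return chains
```

Run over a real proxy or Bro/Zeek http log, the same three-hop check gives the compromised host, gate and EK host in one line per victim client.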