Angler EK sends TeslaCrypt – New C2 – New Ransom note pattern

ASSOCIATED DOMAINS:

• www.gardeningtricks.net – COMPROMISED SITE
• 185.46.11.192 – check.bespokebeta.com – GET /topic/ – ANGLER EK LANDING PAGE
• 108.167.185.237 – resumosdenovela.net – POST /phsys.php – POST INFECTION TRAFFIC [TeslaCrypt]

IMAGES and DETAILS:

Shown above: Continue to see iframe injection on compromised host’s redirecting to Angler EK landing page and TeslaCrypt

Shown above: Analysis of compromised site index page shows this site contains old “admedia” gate script infection

Shown above: Examination of DNS records reveal the compromised site did query an “admedia” gate. DNS was not able to resolve the old name

Shown above: Referer shows redirect (iframe) from compromised site  to Angler EK landing page and TeslaCrypt

Shown above: Extraction of flash/Angler EK and TeslaCrypt payload. Note TeslaCrypt payload masked as a text file to prevent detection.

Shown above: Analysis of Angler EK flash file shows changes in the meta data. Highlighted area shows new publisher and creator. Note the “2.05×1.05 px” continues to be used with this campaign. This pixel size was also used in the admedia campaign.

Shown above: TeslaCrypt post infection traffic. Highlighted area shows new command and control host (C2)

Shown above: New naming variant of ransom note

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

• 94031600d215dcbd23e4cc14962a3008 – 2016-03-18-check-bespokebeta-com-Angler-EK.swf
  Virus Total Link
• 04e7c0aff2bde675438a4e2d0fa7f4ba – 2016-03-18-check-bespokebeta-com-TeslaCrypt.exe
  Virus Total Link