Angler EK sends TeslaCrypt – New C2 – New Ransom note pattern
ASSOCIATED DOMAINS:
- www.gardeningtricks.net – COMPROMISED SITE
- 185.46.11.192 – check.bespokebeta.com – GET /topic/ – ANGLER EK LANDING PAGE
- 108.167.185.237 – resumosdenovela.net – POST /phsys.php – POST INFECTION TRAFFIC [TeslaCrypt]
IMAGES and DETAILS:
Shown above: We continue to see iframe injection on the compromised host redirecting to the Angler EK landing page and TeslaCrypt
Shown above: Analysis of compromised site index page shows this site contains old “admedia” gate script infection
Shown above: Examination of DNS records reveals the compromised site did query an “admedia” gate. DNS was not able to resolve the old name
Shown above: Referer shows redirect (iframe) from compromised site to Angler EK landing page and TeslaCrypt
Shown above: Extraction of the flash/Angler EK and TeslaCrypt payloads. Note the TeslaCrypt payload is masked as a text file to evade detection.
Shown above: Analysis of the Angler EK flash file shows changes in the metadata. The highlighted area shows the new publisher and creator. Note the “2.05×1.05 px” stage size continues to be used with this campaign; this pixel size was also used in the admedia campaign.
Shown above: TeslaCrypt post infection traffic. Highlighted area shows new command and control host (C2)
Shown above: New naming variant of ransom note
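Two of the tricks captured above (the TeslaCrypt executable delivered as a "text" file, and the Flash file's tiny 2.05×1.05 px stage) can be checked on the wire without any signature. The following is an added example, not code from the post: it parses the SWF header RECT to recover the stage size in pixels and flags a PE magic served under a non-executable content type. The `build_swf` helper, the 4 px threshold and the content-type set are assumptions made for the example; the sample files are constructed here, not the campaign's own.

```python
import struct
import zlib

# Content types under which a PE executable would be unremarkable (assumed set).
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}

def swf_stage_size(blob):
    """Return (width_px, height_px) parsed from an SWF header, or None if not a usable SWF."""
    sig = blob[:3]
    if sig not in (b"FWS", b"CWS"):        # ZWS (LZMA-compressed) is not handled here
        return None
    body = blob[8:]                        # skip signature, version and file-length fields
    if sig == b"CWS":                      # body is zlib-compressed; only the first bytes are needed
        body = zlib.decompressobj().decompress(body, 64)
    if not body:
        return None
    nbits = body[0] >> 3                   # RECT: 5-bit field width, then 4 signed twip values
    nbytes = (5 + 4 * nbits + 7) // 8
    if nbits == 0 or len(body) < nbytes:
        return None
    bits = "".join(f"{b:08b}" for b in body[:nbytes])
    vals, pos = [], 5
    for _ in range(4):
        v = int(bits[pos:pos + nbits], 2)
        if v & (1 << (nbits - 1)):         # sign-extend the twip value
            v -= 1 << nbits
        vals.append(v)
        pos += nbits
    xmin, xmax, ymin, ymax = vals
    return round((xmax - xmin) / 20, 2), round((ymax - ymin) / 20, 2)   # 20 twips per pixel

def classify_download(content_type, blob, max_px=4.0):
    """Flag a PE served as a non-executable type and an SWF whose stage is only a few pixels."""
    findings = []
    if blob[:2] == b"MZ" and content_type not in EXEC_TYPES:
        findings.append(f"PE executable served as {content_type}")
    size = swf_stage_size(blob)
    if size and size[0] <= max_px and size[1] <= max_px:
        findings.append(f"SWF with suspicious {size[0]}x{size[1]} px stage")
    return findings

def build_swf(width_twips, height_twips, compressed=False):
    """Constructed minimal SWF (header only) for testing; not a real Flash file from the post."""
    nbits = 15
    bits = f"{nbits:05b}" + "".join(f"{v:015b}" for v in (0, width_twips, 0, height_twips))
    bits += "0" * (-len(bits) % 8)
    body = int(bits, 2).to_bytes(len(bits) // 8, "big") + b"\x00\x0c\x01\x00"  # 12 fps, 1 frame
    length = struct.pack("<I", 8 + len(body))
    return (b"CWS\x08" + length + zlib.compress(body)) if compressed else (b"FWS\x08" + length + body)

if __name__ == "__main__":
    # 41x21 twips is 2.05x1.05 px, the stage size noted for this campaign's flash file
    print(classify_download("application/x-shockwave-flash", build_swf(41, 21, compressed=True)))
    print(classify_download("text/plain", b"MZ\x90\x00" + b"\x00" * 60))  # constructed "text" PE
```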
MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:
- 94031600d215dcbd23e4cc14962a3008 – 2016-03-18-check-bespokebeta-com-Angler-EK.swf (VirusTotal link)
- 04e7c0aff2bde675438a4e2d0fa7f4ba – 2016-03-18-check-bespokebeta-com-TeslaCrypt.exe (VirusTotal link)