Silverlight exploit leads to TeslaCrypt – CVE-2016-0034
NOTES: In an earlier post from today, "Angler EK sends TeslaCrypt and Bedep Ad fraud", I documented how Angler EK exploited a Flash plugin. I recently returned to the compromised site to find that Angler EK was also exploiting Microsoft Silverlight to send TeslaCrypt.
This exploit was noted in an article by Malware don't need Coffee. CVE-2016-0034 is the Silverlight remote code execution flaw that Microsoft patched in MS16-006 (January 2016), so a patched Silverlight plugin should not be affected by this landing page.
ASSOCIATED DOMAINS:
- netdetect.co – COMPROMISED SITE
- 82.146.34.246 – three.gottyranny.info – ANGLER EK Landing Page [Silverlight]
- 50.87.127.96 – mkis.org – POST /phsys.php – POST INFECTION TRAFFIC [TeslaCrypt]
IMAGES and DETAILS:
Shown above: iframe injection in the compromised site redirecting to three.gottyranny.info – Angler EK landing page [TeslaCrypt]
Shown above: Angler EK landing page leading to the Silverlight exploit
Shown above: Extracted Silverlight exploit from the Angler EK landing page
Shown above: Extracting packet 1366 and examining it in a text file, you can see the signature associated with the Silverlight exploit and the delivery of TeslaCrypt
Shown above: New naming variant of the TeslaCrypt ransom note
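The chain in the captions above (injected iframe, Angler landing page, Silverlight .xap, TeslaCrypt POST to /phsys.php) can be checked for in extracted HTTP traffic. The following is an added example written for this page, not code from the original post: it walks a set of HTTP transactions and flags each stage. Only the hostnames and the /phsys.php path come from the post; the transaction records, the HTML bodies, and the XAP built by build_fake_xap() are constructed for illustration. A Silverlight .xap is a ZIP archive whose AppManifest.xaml names the entry assembly, so the XAP check keys on content rather than on the Content-Type header, which an exploit kit controls.

```python
"""Flag the iframe -> Angler landing page -> Silverlight XAP -> TeslaCrypt
check-in chain in a list of HTTP transactions (added example, constructed data)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Indicators taken from the post.
COMPROMISED_HOST = "netdetect.co"
LANDING_HOST = "three.gottyranny.info"
C2_HOST = "mkis.org"
C2_PATH = "/phsys.php"

# Matches the host part of an iframe src, with or without a scheme.
IFRAME_RE = re.compile(r'<iframe[^>]+src=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
ZIP_MAGIC = b"PK\x03\x04"  # local file header: every XAP starts with this


def build_fake_xap(entry_assembly="Payload", entry_type="Payload.App"):
    """Construct a minimal XAP (ZIP + AppManifest.xaml) for the sample data.
    The assembly inside is a stub, not a real Silverlight DLL."""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
        f'EntryPointAssembly="{entry_assembly}" EntryPointType="{entry_type}" '
        'RuntimeVersion="5.0.61118.0"><Deployment.Parts>'
        f'<AssemblyPart Source="{entry_assembly}.dll"/>'
        "</Deployment.Parts></Deployment>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr(f"{entry_assembly}.dll", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


def parse_xap(data):
    """Return (EntryPointAssembly, EntryPointType, member names) if `data`
    is a Silverlight XAP, else None. Identification is by content only."""
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "AppManifest.xaml" not in names:
                return None
            root = ET.fromstring(z.read("AppManifest.xaml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    return root.get("EntryPointAssembly"), root.get("EntryPointType"), names


def analyze(transactions):
    """Return a list of (finding, detail) tuples for each stage of the chain."""
    findings = []
    for t in transactions:
        host, method, path, body = t["host"], t["method"], t["path"], t["body"]
        ctype = t.get("content_type", "")
        # 1. Injected iframe on a page that points at a different host.
        if "text/html" in ctype:
            for target in IFRAME_RE.findall(body.decode("latin-1")):
                if target.lower() != host.lower():
                    findings.append(("iframe_redirect", f"{host}{path} -> {target}"))
        # 2. Silverlight application delivered from the landing page.
        xap = parse_xap(body)
        if xap is not None:
            asm, typ, names = xap
            findings.append(("silverlight_xap",
                             f"{host}{path} entry={asm}:{typ} parts={len(names)}"))
        # 3. TeslaCrypt post-infection check-in.
        if method == "POST" and path == C2_PATH:
            findings.append(("teslacrypt_checkin", f"{host}{path}"))
    return findings


# Constructed sample traffic mirroring the captured chain.
SAMPLE_TRANSACTIONS = [
    {"host": COMPROMISED_HOST, "method": "GET", "path": "/", "content_type": "text/html",
     "body": b'<html><body><p>site</p><iframe src="http://three.gottyranny.info/abc/index.php"'
             b' width=1 height=1></iframe></body></html>'},
    {"host": LANDING_HOST, "method": "GET", "path": "/abc/index.php", "content_type": "text/html",
     "body": b'<html><object type="application/x-silverlight-2">'
             b'<param name="source" value="/abc/app.xap"/></object></html>'},
    {"host": LANDING_HOST, "method": "GET", "path": "/abc/app.xap",
     "content_type": "application/octet-stream", "body": build_fake_xap()},
    {"host": C2_HOST, "method": "POST", "path": C2_PATH,
     "content_type": "application/x-www-form-urlencoded", "body": b"data=constructed"},
]

if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE_TRANSACTIONS):
        print(f"{finding:20} {detail}")
```

The third record is deliberately served as application/octet-stream: the landing page decides what Content-Type to send, so parse_xap() relies on the ZIP magic and the presence of AppManifest.xaml instead. In real captures, feed analyze() with records reassembled from the pcap (for example, exported HTTP objects) rather than the constructed list above.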
MD5 HASHES FOR PAYLOAD FROM ANGLER EK:
3dc6d53d9f8f7851b9bfb491a7793f80 – 2016-03-21-three.gottyranny.info-TeslaCrypt.exe
Again, see my earlier post from today for more details.