Silverlight exploit leads to TeslaCrypt – CVE-2016-0034

March 21, 2016 Analysis

admedia, iframe, Ransomware, Silverlight Exploit

NOTES: In an earlier post from today Angler EK sends TeslaCrypt and Bedep Ad fraud I documented how Angler EK exploited a flash plugin. I recently returned to the compromised site to find the Angler EK was also exploiting Microsoft Silverlight to send TeslaCrypt.

This exploit was noted in an article by Malware Dont need Coffee .

ASSOCIATED DOMAIN:

netdetect.co – COMPROMISED SITE
82.146.34.246 – three.gottyranny.info – ANGLER EK Landing Page [Silverlight]
50.87.127.96 – mkis.org – POST /phsys.php – POST INFECTION TRAFFIC [TeslaCrypt]

IMAGES and DETAILS:

Shown above: iframe injection in compromised site redirecting to three.gottyranny.info – Angler EK landing page [TeslaCrypt]

Shown above: Angler EK landing page to Silverlight exploit

Shown above: Extracted silverlight exploit from Angler EK Landing page

Shown above: Extracting packet 1366 and examining in a text file you can see the signature associated with the Silverlight exploit and delivery of TeslaCrypt

Shown above: New naming variant of TeslaCrypt ransom note

MD5 HASHES FOR PAYLOAD FROM ANGLER EK:

3dc6d53d9f8f7851b9bfb491a7793f80 – 2016-03-21-three.gottyranny.info-TeslaCrypt.exe
Virus Total Link

Again you can see my earlier post from today for more details.

BroadAnalysis

Silverlight exploit leads to TeslaCrypt – CVE-2016-0034

Category

Archives