Angler EK – TeslaCrypt – NEW C2 URI Structure “binarystings.php”
PCAP file of the infection traffic:
2016-03-28-obsolete-allnewcountry-net.pcap
ASSOCIATED DOMAINS:
- events.horizonswebsite.com – COMPROMISED SITE
- 89.108.83.124 – obsolete.allnewcountry.net – GET /topic/ – ANGLER EK LANDING PAGE
- 104.73.195.113 – www.ecb.europa.eu – BEDEP INTERNET CONNECTION CHECK (legitimate site; the request only confirms connectivity and is not malicious by itself)
- 23.229.240.164 – drlarrybenovitz.com – POST /qhcka/templates/binarystings.php – POST INFECTION TRAFFIC [TeslaCrypt]
- 160.153.63.4 – holishit.in – POST /wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php – POST INFECTION TRAFFIC [TeslaCrypt]
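The following is an added example, not part of the original post, showing how the indicators listed above translate into a request classifier. It matches the TeslaCrypt C2 by the `binarystings.php` filename regardless of the directory prefix (the two observed hosts use different compromised-CMS paths), ties the Angler landing page to its compromised-site Referer, and treats the Bedep check against www.ecb.europa.eu as a weak indicator only. The request lines and the `METHOD URL [Referer]` log layout are constructed for the example, not taken from the PCAP.

```python
"""Classify HTTP requests against the Angler EK / Bedep / TeslaCrypt indicators above.

Added example (not part of the original post). Indicator values come from the
IOC list; the log format and sample lines below are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Indicators from this capture's IOC list.
COMPROMISED_HOST = "events.horizonswebsite.com"
ANGLER_LANDING_HOST = "obsolete.allnewcountry.net"
BEDEP_CHECK_HOST = "www.ecb.europa.eu"          # legitimate site, weak indicator
TESLACRYPT_C2_HOSTS = {"drlarrybenovitz.com", "holishit.in"}
# The new C2 URI ends in binarystings.php; the leading directories differ per
# host (a compromised CMS/plugin path), so match on the filename alone.
TESLACRYPT_C2_PATH = re.compile(r"(?:^|/)binarystings\.php$")


def classify_request(method, url, referer=None):
    """Return an indicator label for one request, or None if nothing matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    if method == "POST" and TESLACRYPT_C2_PATH.search(path):
        # Known host -> high confidence; unknown host -> same URI pattern, triage it.
        return "teslacrypt-c2" if host in TESLACRYPT_C2_HOSTS else "teslacrypt-c2-pattern"
    if host == ANGLER_LANDING_HOST and path.startswith("/topic/"):
        ref_host = urlsplit(referer).hostname if referer else None
        if ref_host == COMPROMISED_HOST:
            return "angler-landing-from-compromised-site"
        return "angler-landing"
    if host == COMPROMISED_HOST:
        return "compromised-site"
    if host == BEDEP_CHECK_HOST and method == "GET":
        return "bedep-connectivity-check?"   # '?' marks it as weak on its own
    return None


# Constructed request log modelled on the capture: "METHOD URL [Referer]".
SAMPLE_LOG = """\
GET http://events.horizonswebsite.com/
GET http://obsolete.allnewcountry.net/topic/ http://events.horizonswebsite.com/
GET http://www.ecb.europa.eu/
POST http://drlarrybenovitz.com/qhcka/templates/binarystings.php
POST http://holishit.in/wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php
POST http://example.org/some/other/dir/binarystings.php
GET http://example.org/index.html
"""


def scan_log(text):
    """Return (method, url, label) for every request that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        method, url = fields[0], fields[1]
        referer = fields[2] if len(fields) > 2 else None
        label = classify_request(method, url, referer)
        if label:
            hits.append((method, url, label))
    return hits


if __name__ == "__main__":
    for method, url, label in scan_log(SAMPLE_LOG):
        print(f"{label:40} {method} {url}")
```

Matching on the filename rather than the full path is deliberate: the two observed C2 hosts share only `binarystings.php`, so a rule keyed to `/qhcka/templates/` or the wpclef plugin path would miss the next compromised host. The trade-off is the `teslacrypt-c2-pattern` label for unlisted hosts, which needs a human look before blocking.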
IMAGES and DETAILS (screenshots not reproduced here; captions only):
- Image: Injected iframe script on the compromised site's "events" sub-domain
- Image: Compromised site index page containing the iframe redirect to the Angler EK landing page
- Image: Referer header showing the redirect from the compromised site to the Angler landing page
- Image: Known Bedep signature used to check for an active internet connection
- Image: TeslaCrypt post-infection traffic; the highlighted area shows the new command and control (C2) URI structure "/binarystings.php"
- Image: Changes in the TeslaCrypt ransom note and recovery instructions
MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:
- 6b9034bd52c3076a5e8f34a5c12bdb0c – 2016-03-28-obsolete-allnewcountry-net-Angler-EK.swf
- 7ae09161b9d911169d1b05f1b91f80be – 2016-03-28-obsolete-allnewcountry-net-Bedep.dll (located at C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8})
- 9ff9fff36f6d7d76a12b09f9bf3c30bb – 2016-03-28-obsolete-allnewcountry-net-TeslaCrypt.exe