Angler Flash Exploit Infection Chain – New C&C
ASSOCIATED DOMAINS:
- 89.108.83.163 – insect.stackexceed.com – GET /topic/ – Angler LANDING PAGE
- 104.91.234.156 – www.ecb.europa.eu – Bedep CONNECT CHECK
- 208.100.26.234 – lubcdbbhmwklotm2o.com – Bedep POST INFECTION TRAFFIC
- 104.193.252.245 – jumtfutbdabxxtidj.com – Bedep POST INFECTION TRAFFIC
- 23.229.239.227 – addagapublicschool.com – POST /binfile.php – TeslaCrypt POST INFECTION TRAFFIC
IMAGES and DETAILS:
Shown above: Compromised site index page shows an injected iframe script redirecting to the Angler Exploit landing page
Shown above: Referer from compromised site to Angler landing page
Shown above: Extraction of flash exploit using File => Export Objects => HTTP
Shown above: After extracting the flash exploit and saving it as a .swf file, it was decompiled using Flare (http://www.nowrap.de/flare.html) and the flash metadata was examined with a text editor
Shown above: Packet 7127 shows Angler's payload delivery as application/zip
Shown above: Examination of packet 7127 shows the payload masked as a zip file. If this were a true zip file, the first 2 characters of the packet would be PK
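The PK check above generalizes to a simple detection: compare the declared Content-Type of an HTTP response with the magic bytes at the start of its body. The following is an added example, not code from the original write-up; the sample response is constructed, and the "MZ" body stands in for a masqueraded payload rather than reproducing the real capture.

```python
"""Flag HTTP responses whose declared Content-Type does not match the
body's magic bytes, e.g. an executable delivered as application/zip."""

# Magic bytes a defender expects for a few declared types. The Flash
# entries (FWS/CWS/ZWS) cover uncompressed, zlib and LZMA compressed SWF.
EXPECTED_MAGIC = {
    "application/zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "application/x-shockwave-flash": (b"FWS", b"CWS", b"ZWS"),
}


def split_http_response(raw: bytes):
    """Return (headers dict, body bytes) for a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def magic_mismatch(raw: bytes):
    """Return a verdict string, or None when the body is consistent with
    its declared Content-Type (or the type is not in EXPECTED_MAGIC)."""
    headers, body = split_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    expected = EXPECTED_MAGIC.get(ctype)
    if expected is None:
        return None
    if any(body.startswith(magic) for magic in expected):
        return None
    if body.startswith(b"MZ"):
        return f"{ctype} declared but body is a PE executable (MZ)"
    return f"{ctype} declared but body starts with {body[:2]!r}"


# Constructed sample: Content-Type says zip, but the body begins with "MZ".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/zip\r\n"
    b"Content-Length: 4\r\n\r\n"
    b"MZ\x90\x00"
)

if __name__ == "__main__":
    print(magic_mismatch(SAMPLE_RESPONSE))
```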
Shown above: Snort alerts generated by latest subscriber rule set
Shown above: Snort alerts generated by latest subscriber rule set and custom local.rules
Shown above: Snort custom local.rules focusing on URI content /topic/
Shown above: Bedep dll payload drop directory
Shown above: TeslaCrypt payload drop directory
Shown above: TeslaCrypt ransom note
Shown above: Windows registry entry for Bedep start-up “hlink.dll”
Shown above: Windows registry entry for TeslaCrypt start-up
EXPLOITS AND PAYLOAD FROM ANGLER EK:
- 2016-04-05-insect-stackexceed-com-Angler-ek.swf (VirusTotal link)
- 2016-04-05-insect-stackexceed-com-Bedep.dll (VirusTotal link)
- 2016-04-05-insect-stackexceed-com-TeslaCrypt.exe (VirusTotal link)