Angler Flash Exploit Infection Chain – New C&C

ASSOCIATED DOMAINS:

• 89.108.83.163 – insect.stackexceed.com – GET /topic/ – Angler LANDING PAGE
• 104.91.234.156 – www.ecb.europa.eu – Bedep CONNECT CHECK
• 208.100.26.234 – lubcdbbhmwklotm2o.com – Bedep POST INFECTION TRAFFIC
• 104.193.252.245 – jumtfutbdabxxtidj.com – Bedep POST INFECTION TRAFFIC
• 23.229.239.227 – addagapublicschool.com – POST /binfile.php – TeslaCrypt POST INFECTION TRAFFIC

IMAGES and DETAILS:

Shown above: Compromised site index page shows iframe injected script redirecting to Angler Exploit landing page

Shown above: Referer from compromised site to Angler landing page

Shown above: Extraction of flash exploit using File => Export Objects => HTTP

Shown above: After extracting flash exploit and saving as .swf file, decompiled using Flare (http://www.nowrap.de/flare.html) and examined flash meta data with text editor

Shown above: Packet 7127 shows Anglers payload delivery as a application/zip

Shown above: Examination of packet 7127 shows payload masked as a zip file. If this was a true zip file the first 2 characters of the packet would be PK

Shown above: Snort alerts generated by latest subscriber rule set

Shown above: Snort alerts generated by latest subscriber rule set and custom local.rules

Shown above: Snort custom local.rules focusing on URI content  /topic/

Shown above: Bedep dll payload drop directory

Shown above: TeslaCrypt payload drop directory

Shown above: TeslaCrypt ransom note

Shown above: Windows registry entry for Bedep start-up “hlink.dll”

Shown above: Windows registry entry for TeslaCrypt start-up

EXPLOITS AND PAYLOAD FROM ANGLER EK:

• 2016-04-05-insect-stackexceed-com-Angler-ek.swf
  Virus Total Link
• 2016-04-05-insect-stackexceed-com-Bedep.dll
  Virus Total Link
• 2016-04-05-insect-stackexceed-com-TeslaCrypt.exe
  Virus Total Link