Angler Exploit Kit via EITEST Gate sends Cryptxxx Ransomware
UPDATE:
Post-infection search of the infected computer for .exe and .dll files returned negative results. The explorer.exe file below returned no VirusTotal results. Please read the VirusTotal comments associated with the explorer.exe file below [HERE].
On June 1st, 2016, I began monitoring an EITEST gate that would redirect to assorted Angler Exploit Kit landing pages. Today this EITEST gate again redirected to an Angler EK landing page sending Cryptxxx.
PAST POSTS related to this EITEST gate and the Angler EK:
- Angler Exploit Kit sends variant of Zeta Ransomware
- Angler Exploit Kit from 185.106.122.81 sends Gootkit
ASSOCIATED DOMAINS:
- 85.93.0.72 – losxce.tk – EITEST GATE
- 74.208.110.67 – krotensuikermechosa.wkcscotland.com – Angler EK LANDING PAGE
- 85.25.194.116 PORT 443 – Cryptxxx CHECK-IN CnC
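The indicators above map to three stages of the chain (gate, landing page, check-in), so a log search that reports which stages a client touched is more useful than three separate greps. The following is an added example, not tooling from the original post: it takes the domains and IPs listed above (role labels are the post's own) and runs them over a constructed, simplified proxy log (timestamp, client IP, destination host, destination IP, destination port). The log lines, the `compromised-site.example` hostname and the client addresses are made up for the example; adapt the regex to your own proxy or Zeek log format.

```python
"""Match proxy log lines against the EITest / Angler / CryptXXX indicators.

Added example, not part of the original post. The log format is a
constructed five-field proxy log; the indicators are the post's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators from the post, keyed by hostname or destination IP.
IOCS = {
    "losxce.tk": "EITest gate",
    "krotensuikermechosa.wkcscotland.com": "Angler EK landing page",
    "85.93.0.72": "EITest gate",
    "74.208.110.67": "Angler EK landing page",
    "85.25.194.116": "CryptXXX check-in CnC",
}

# The CnC was only observed on TCP 443, so require that port for it;
# other traffic to the same address is not treated as a check-in.
CNC_PORTS = {"85.25.194.116": 443}

# Constructed sample log (not real traffic): ts client host dst_ip dst_port.
# "-" as host stands for a TLS connection with no hostname in the log.
SAMPLE_LOG = """\
2016-06-05T14:02:11 10.0.0.15 compromised-site.example 203.0.113.10 80
2016-06-05T14:02:12 10.0.0.15 losxce.tk 85.93.0.72 80
2016-06-05T14:02:13 10.0.0.15 krotensuikermechosa.wkcscotland.com 74.208.110.67 80
2016-06-05T14:02:40 10.0.0.15 - 85.25.194.116 443
2016-06-05T14:05:00 10.0.0.22 - 85.25.194.116 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)$"
)


@dataclass
class Hit:
    ts: str
    client: str
    indicator: str
    stage: str
    port: int


def match_line(line):
    """Return a Hit if the line touches a known indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = m["host"].lower().rstrip(".")
    dst = m["dst"]
    port = int(m["port"])
    # Check the hostname first (plain HTTP), then the destination IP
    # (TLS or direct-to-IP traffic where no hostname was logged).
    for key in (host, dst):
        stage = IOCS.get(key)
        if stage is None:
            continue
        want = CNC_PORTS.get(key)
        if want is not None and port != want:
            continue
        return Hit(m["ts"], m["client"], key, stage, port)
    return None


def match_iocs(lines):
    return [h for h in (match_line(l) for l in lines) if h]


def stages_by_client(hits):
    """Stages seen per client, in log order."""
    chain = defaultdict(list)
    for h in hits:
        chain[h.client].append(h.stage)
    return dict(chain)


def clients_with_full_chain(hits):
    """Clients that hit gate, landing page and CnC: prioritise these for triage."""
    full = {"EITest gate", "Angler EK landing page", "CryptXXX check-in CnC"}
    return sorted(c for c, s in stages_by_client(hits).items() if full <= set(s))


if __name__ == "__main__":
    hits = match_iocs(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.client} -> {h.indicator}:{h.port} [{h.stage}]")
    print("full chain:", clients_with_full_chain(hits))
```

A client that only reached the gate may have been served nothing (wrong browser, no vulnerable plugin); a client that also reached the check-in address on 443 after the landing page is the one to pull from the network first. The landing-page hostname is a single observation and such hostnames rotate quickly, so weight the gate domain and the IPs more than the exact subdomain when searching older logs.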
IMAGES and DETAILS:
Shown above: EITEST gate redirecting to Angler Exploit Kit landing page
Shown above: Injected script on compromised site redirecting to EITEST gate
Shown above: Script on EITEST gate redirecting to Angler EK landing page
Shown above: Payload in Windows directory “C:\Users\%UserName%\AppData\Local\Temp” associated with Cryptxxx ransomware infection
WINDOWS REGISTRY KEYS CREATED DURING INFECTION:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
Shown above: After encrypting files, Cryptxxx adds the .crypz file extension
Shown above: Cryptxxx did not encrypt the Windows default Sample Pictures files.
Shown above: Cryptxxx .HTML ransom note and De-Crypt instructions
Shown above: Cryptxxx .BMP ransom note and De-Crypt instructions
Shown above: Cryptxxx .TXT ransom note and De-Crypt instructions
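The host artifacts above (the .crypz extension on encrypted files, the same ransom note dropped as .html, .bmp and .txt, and the StartPage2 registry key) are what a responder would sweep a machine for. The following is an added example, not the post's own tooling: it walks a file tree, counts .crypz files per directory, and flags directories where one note stem exists in all three formats. The "same stem in .html, .bmp and .txt" rule is this example's heuristic based on the three notes shown above; the note file name `decrypt_instructions` and the sample file names in `demo()` are constructed and are not names from the post. The registry check uses `winreg` and returns `None` when not run on Windows.

```python
"""Sweep a file tree for the CryptXXX artifacts described in this post.

Added example, not part of the original post. File and note names used in
demo() are constructed for illustration.
"""
import os
import shutil
import sys
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".crypz"          # extension the post reports on encrypted files
NOTE_EXTS = {".html", ".bmp", ".txt"}  # the three ransom note formats shown above
STARTPAGE2_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2"


def scan_tree(root):
    """Return (list of .crypz paths, {dir: note_stem} for directories with a note trio)."""
    encrypted = []
    notes = {}
    for dirpath, _dirs, files in os.walk(root):
        stems = defaultdict(set)
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext == ENCRYPTED_EXT:
                encrypted.append(os.path.join(dirpath, name))
            elif ext in NOTE_EXTS:
                stems[stem.lower()].add(ext)
        for stem, exts in stems.items():
            # Heuristic: a single stem present in all three formats is treated
            # as a ransom note set; a lone .txt or .html is not.
            if exts == NOTE_EXTS:
                notes[dirpath] = stem
    return encrypted, notes


def summarize(root):
    encrypted, notes = scan_tree(root)
    per_dir = defaultdict(int)
    for path in encrypted:
        per_dir[os.path.dirname(path)] += 1
    return {
        "encrypted_count": len(encrypted),
        "dirs": dict(per_dir),
        "note_stems": notes,
    }


def startpage2_key_present():
    """True/False for HKCU\\...\\Explorer\\StartPage2 on Windows; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        winreg.OpenKey(winreg.HKEY_CURRENT_USER, STARTPAGE2_KEY).Close()
        return True
    except OSError:
        return False


def demo():
    """Build a constructed sample profile in a temp dir, scan it, clean up."""
    base = tempfile.mkdtemp(prefix="cryptxxx-demo-")
    try:
        docs = os.path.join(base, "Documents")
        desk = os.path.join(base, "Desktop")
        pics = os.path.join(base, "Pictures", "Sample Pictures")
        for d in (docs, desk, pics):
            os.makedirs(d)
        # Documents: two encrypted files plus the note in all three formats.
        for name in ("report.docx.crypz", "budget.xlsx.crypz",
                     "decrypt_instructions.html", "decrypt_instructions.bmp",
                     "decrypt_instructions.txt"):
            open(os.path.join(docs, name), "w").close()
        # Desktop: one encrypted file and an ordinary .txt (no note trio).
        for name in ("todo.txt.crypz", "readme.txt"):
            open(os.path.join(desk, name), "w").close()
        # Sample Pictures left untouched, matching the observation in the post.
        open(os.path.join(pics, "Koala.jpg"), "w").close()
        return summarize(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(result)
    print("StartPage2 key present:", startpage2_key_present())
```

Run it against a mounted image or a live user profile by calling `summarize(r"C:\Users\<name>")`; the per-directory counts show how far encryption got, and directories with a note set but no .crypz files are worth a second look since the sample pictures above were skipped while still receiving notes.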
MALICIOUS PAYLOAD ASSOCIATED WITH ANGLER EXPLOIT:
- 2016-06-05-Angler-EK.swf (VirusTotal link)
- 2016-06-05-explorer.exe (VirusTotal link)