Angler EK from 95.213.169.54 sends TeslaCrypt

ASSOCIATED DOMAINS:

  • 95.213.169.54 abundantesuunnanmuutokselle.mediafortruth.net (redirected directly from compromised site) – ANGLER EK
  • 23.21.129.86 filter.placelocal.com POST /store – post-infection traffic  [TeslaCrypt]
  • 185.26.122.59 surrogacyandadoption.com POST /bstr.php – post-infection traffic  [TeslaCrypt]

IMAGES:

Shown above: Injected script in page from the compromised website.

Shown above: Redirect from compromised site to Exploit Kit host abundantesuunnanmuutokselle.mediafortruth.net

Shown above: First Angler EK download (Flash file)

Shown above: Second Angler EK download (Flash file)

Shown above: TeslaCrypt downloaded from abundantesuunnanmuutokselle.mediafortruth.net

Shown above: Post-infection TeslaCrypt check-in traffic

Shown above: Review of the compromised website reveals a WordPress CMS (suspected to be outdated/unpatched)

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM EACH INSTANCE OF ANGLER EK:

  • de9e5c3ca37d8c55839a2b3b7e33933a – 02-26-2016-Angler-EK-1.swf
  • de9e5c3ca37d8c55839a2b3b7e33933a – 02-26-2016-Angler-EK-2.swf
  • 659fb26367b04a34d615b609857a51c6 – 02-26-2016-TeslaCrypt.exe

Shown above: VirusTotal results for 02-26-2016-Angler-EK-1.swf

Shown above: VirusTotal results for 02-26-2016-TeslaCrypt.exe

FINAL NOTES:

Thank you to Brad Duncan at www.malware-traffic-analysis.net for his knowledge and
assistance in hunting down malware.