Angler EK from 89.108.83.10 sends TeslaCrypt – admedia

ASSOCIATED DOMAINS:

  • darkershadeoffado.com – COMPROMISED WEB SITE
  • shadesoffado.com – COMPROMISED WEB SITE
  • 178.62.120.98 – rss.beluihameleon.info – admedia redirect
  • 89.108.83.10 – cold.oncologymegafund.com – ANGLER EK [TeslaCrypt]
  • 192.185.39.66 – biocarbon.com POST /wp-content/uploads/bstr.php – post-infection traffic [TeslaCrypt]

IMAGES:

Shown above: darkershadeoffado.com and shadesoffado.com resolve to the same IP address

Shown above: darkershadeoffado.com homepage containing the injected, obfuscated malicious script

Shown above: Pasting the darkershadeoffado.com script into a hex-to-ASCII converter reveals the obfuscated redirect

Shown above: shadesoffado.com homepage, also containing the injected, obfuscated malicious script

Shown above: The Referer header shows that the redirect to rss.beluihameleon.info came from the script injected into darkershadeoffado.com

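
As an added example (not part of the original post), the Referer-based reconstruction above can be automated: the Python below walks the Referer headers of constructed sample requests to recover the compromised site -> admedia gate -> Angler EK host chain, and flags the unreferred POST to bstr.php seen after infection. Host names are taken from this post; the client IPs and every path except bstr.php are placeholders, not the real gate or EK URLs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample traffic mirroring the chain in this post, as tuples of
# (client_ip, method, url, referer). Host names come from the post; every
# path except bstr.php is a placeholder, not the real gate or EK URL.
SAMPLE_HTTP = [
    ("10.0.0.5", "GET", "http://darkershadeoffado.com/", ""),
    ("10.0.0.5", "GET", "http://rss.beluihameleon.info/%",
     "http://darkershadeoffado.com/"),
    ("10.0.0.5", "GET", "http://cold.oncologymegafund.com/landing-placeholder",
     "http://rss.beluihameleon.info/%"),
    ("10.0.0.5", "GET", "http://cold.oncologymegafund.com/placeholder.swf",
     "http://cold.oncologymegafund.com/landing-placeholder"),
    ("10.0.0.5", "POST", "http://biocarbon.com/wp-content/uploads/bstr.php", ""),
    ("10.0.0.7", "GET", "http://darkershadeoffado.com/", ""),  # not redirected
]

# Post-infection pattern from the capture: an unreferred POST to a PHP file
# under wp-content/uploads on an unrelated WordPress site.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/[^?]*\.php$")


def host(url):
    return urlsplit(url).hostname or ""


def longest_referer_chain(records, client):
    """Walk Referer headers backwards from each request of one client and
    return the longest host sequence, first hop first. Consecutive hits on
    the same host (EK landing page -> flash file) are collapsed."""
    referer_of = {url: ref for c, _m, url, ref in records if c == client}
    best = []
    for start in referer_of:
        cur, hops, seen = start, [], set()
        while cur and cur in referer_of and cur not in seen:
            seen.add(cur)
            if not hops or hops[-1] != host(cur):
                hops.append(host(cur))
            cur = referer_of[cur]
        if len(hops) > len(best):
            best = hops
    return list(reversed(best))


def post_infection_beacons(records):
    """Return unreferred POSTs to .php files under wp-content/uploads."""
    return [url for _c, method, url, ref in records
            if method == "POST" and not ref
            and UPLOADS_PHP.match(urlsplit(url).path)]
```

Run against a real proxy log or a Wireshark HTTP export, a chain that ends on a host the victim never typed, followed by an unreferred POST to a .php file in a WordPress uploads directory, is the pattern this capture shows.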
Shown above: The telltale admedia JavaScript “%” hosted on rss.beluihameleon.info, redirecting to ANGLER EK

Shown above: Angler Exploit Kit (EK) hosted on cold.oncologymegafund.com

Shown above: Using Wireshark File => Export Objects => HTTP to extract the Angler flash file

Shown above: Ransom recovery instructions after infection by TeslaCrypt

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 1b9f35357e9282de8ba526ce86a21b00 – 02-27-2016-ANGLER-EK.swf
  • 7e3f63cd292270c82269a0a3b4707e21 – hpnqemfkayqp.exe [TeslaCrypt]
Shown above: VirusTotal results for 02-27-2016-ANGLER-EK.swf

Shown above: VirusTotal results for hpnqemfkayqp.exe [TeslaCrypt]

Shown above: Reviewing the darkershadeoffado.com homepage. The “wp-content” path is a clear indicator that the Content Management System (CMS) is WordPress (suspected to be outdated/unpatched).

FINAL NOTES:

This type of drive-by infection is known as the “admedia gate”. You can read more about it at
https://isc.sans.edu/forums/diary/Angler+exploit+kit+generated+by+admedia+gates/20741/