Angler EK from 185.118.65.163 sends TeslaCrypt

ASSOCIATED DOMAINS:

  • csuper.fr – COMPROMISED WEB SITE
  • 185.118.65.163 – cernensleitfaed.dnabreast.com – (redirected directly from compromised site) – ANGLER EK
  • 178.62.120.98 – js.krasnuenogotochki.info – admedia redirect (did not play a role in infection chain)
  • 192.185.39.66 – biocarbon.com.ec – POST /wp-content/uploads/bstr.php – post-infection traffic [TeslaCrypt]

IMAGES:

Shown above: csuper.fr was infected with 3 malicious scripts. This one is the “admedia” injection, which did not play a role in the infection chain.

Shown above: The hex-encoded script, once decoded, redirects to js.krasnuenogotochki.info, but it did not play a role in the infection chain.

Shown above: A second malicious script injected into the csuper.fr homepage, which did redirect to Angler EK.

Shown above: csuper.fr was the direct HTTP referer for cernensleitfaed.dnabreast.com and Angler EK.

Shown above: Angler Flash exploit hosted on dnabreast.com, exploiting an outdated Flash Player (version 19,0,0,245).

Shown above: VirusTotal results for 02-28-2016-Angler.swf

Shown above: VirusTotal results for 02-28-2016-TeslaCrypt.exe

Shown above: Reviewing the csuper.fr homepage. “wp-content” is a clear indicator that the Content Management System (CMS) is WordPress (suspected to be outdated/unpatched).

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

980487b12ed548bf597fba7cf3c7e39f – 02-28-2016-Angler.swf
Virus Total Link

97bf5535b7afa97404e6daf1b735625d – 02-28-2016-TeslaCrypt.exe
Virus Total Link

FINAL NOTES:

It appears this website was infected by three malicious injection scripts, which may or may not have come from the same actor.
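The chain documented above (compromised site as referer to the EK host, a Flash object served from that host, then a POST to a PHP file under wp-content/uploads) can be picked out of proxy logs. The script below is an added example, not part of the original write-up; the hosts are the indicators listed on this page, while the log lines, paths and client address are constructed to mirror the case.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the write-up above
COMPROMISED_SITE = "csuper.fr"
EK_HOSTS = {"cernensleitfaed.dnabreast.com"}
# Post-infection check-in pattern seen here: POST to a PHP file under wp-content/uploads
UPLOADS_PHP = re.compile(r"/wp-content/uploads/[^?\s]+\.php$")

# Constructed proxy-style log lines: time client method url referer content-type
# (paths such as landing.html / exploit.swf are placeholders, not from the page)
SAMPLE_LOG = """\
10:01:02 10.0.0.5 GET http://csuper.fr/ - text/html
10:01:03 10.0.0.5 GET http://js.krasnuenogotochki.info/ad.js http://csuper.fr/ application/javascript
10:01:04 10.0.0.5 GET http://cernensleitfaed.dnabreast.com/landing.html http://csuper.fr/ text/html
10:01:06 10.0.0.5 GET http://cernensleitfaed.dnabreast.com/exploit.swf http://cernensleitfaed.dnabreast.com/landing.html application/x-shockwave-flash
10:01:20 10.0.0.5 POST http://biocarbon.com.ec/wp-content/uploads/bstr.php - application/x-www-form-urlencoded
"""


def parse_line(line):
    """Split one space-separated log line into its six fields; '-' means no referer."""
    ts, client, method, url, referer, ctype = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "ctype": ctype}


def find_chain(log_text):
    """Return the stages of the infection chain found in the log, in log order."""
    stages = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        host = urlparse(e["url"]).hostname or ""
        ref_host = urlparse(e["referer"]).hostname if e["referer"] else None
        if host in EK_HOSTS and ref_host == COMPROMISED_SITE:
            # compromised site sending the browser straight to the EK landing page
            stages.append(("redirect_to_ek", e["url"]))
        elif host in EK_HOSTS and e["ctype"] == "application/x-shockwave-flash":
            # Flash object delivered by the EK host (the exploit stage)
            stages.append(("flash_exploit", e["url"]))
        elif e["method"] == "POST" and UPLOADS_PHP.search(urlparse(e["url"]).path):
            # payload check-in to a PHP script dropped in a WordPress uploads directory
            stages.append(("post_infection_checkin", e["url"]))
    return stages
```

The admedia request to js.krasnuenogotochki.info is deliberately not flagged, matching the write-up's note that it played no role in the chain.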