Angler EK from 62.109.20.194 sends TeslaCrypt – New Variant

ASSOCIATED DOMAINS:

  • 106.186.113.201 – gyqw.me – COMPROMISED WEBSITE
  • 62.109.20.194 – angekuendigter-phytobiology.enews.media – Angler exploit kit (EK)
  • 209.126.108.74 – ricardomendezabogado.com POST /components/com_imageshow/wstr.php – post infection traffic [TeslaCrypt]
  • 194.228.3.204 – opravnatramvaji.cz POST /modules/mod_search/wstr.php – post infection traffic [TeslaCrypt]

NOTES:

This appears to be a new variant of TeslaCrypt. Only one anti-virus vendor is identifying this as malicious. I also track the post-infection URLs, and it appears to be switching to “wstr.php”.
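As an added example (not part of the original post), the following Python script flags the post-infection pattern noted above, an HTTP POST to a path ending in "wstr.php", in proxy log lines and tags any hit whose destination matches the callback hosts listed under ASSOCIATED DOMAINS. The log format and the sample lines are constructed for the example; only the IPs, hostnames and paths come from the page.

```python
"""
Added example, not code from the original post: scan web-proxy log lines
for TeslaCrypt-style post-infection traffic (POST to .../wstr.php) and
mark hits that land on the callback hosts listed on the page.
"""
import re

# Indicators copied from the post's ASSOCIATED DOMAINS list
KNOWN_C2 = {
    "209.126.108.74": "ricardomendezabogado.com",
    "194.228.3.204": "opravnatramvaji.cz",
}

# Assumed (constructed) log layout: "<time> <client_ip> <method> <url> <dst_ip>"
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<dst>\S+)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/[^?]*)")


def classify(line):
    """Return a dict describing the hit, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host, path = u["host"], u["path"]
    # The pattern from the post: an HTTP POST whose path ends in wstr.php
    if m["method"] != "POST" or not path.lower().endswith("/wstr.php"):
        return None
    return {
        "client": m["client"],
        "host": host,
        "path": path,
        "dst": m["dst"],
        # True when the destination is one of the page's listed callback hosts
        "known_c2": m["dst"] in KNOWN_C2 or host in KNOWN_C2.values(),
    }


# Constructed sample log: one compromised-site GET, two callbacks from the
# page, one wstr.php POST to an unlisted host, and one unrelated POST.
SAMPLE_LOG = """\
2016-03-01T10:15:02Z 10.0.0.12 GET http://gyqw.me/ 106.186.113.201
2016-03-01T10:15:40Z 10.0.0.12 POST http://ricardomendezabogado.com/components/com_imageshow/wstr.php 209.126.108.74
2016-03-01T10:15:41Z 10.0.0.12 POST http://opravnatramvaji.cz/modules/mod_search/wstr.php 194.228.3.204
2016-03-01T10:16:03Z 10.0.0.12 POST http://example.invalid/forum/wstr.php 192.0.2.55
2016-03-01T10:16:10Z 10.0.0.12 POST http://example.invalid/login.php 192.0.2.55
"""


def scan(text):
    """Return the list of hits found in a block of log text."""
    return [h for h in (classify(line) for line in text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "known callback host" if hit["known_c2"] else "pattern only"
        print(f"{hit['client']} -> {hit['host']}{hit['path']} "
              f"({hit['dst']}) [{flag}]")
```

The third hit (the unlisted host) is the useful one in practice: the path pattern catches callbacks to hosts that have not yet made it onto an indicator list, which is why the script reports it separately from the known-host matches.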

IMAGES:

Shown above: VirusTotal results for TeslaCrypt – VirusTotal link

Shown above: Compromised website and Angler host

Shown above: New “wstr.php” URL for TeslaCrypt POST traffic

Shown above: After extracting the homepage from the compromised site, I discovered an injected JavaScript obfuscated in hexadecimal.

Shown above: Using a hex-to-ASCII converter, you can see the redirect to angekuendigter-phytobiology.enews.media hosting Angler and TeslaCrypt

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 532e7c1390e9b8986e4c84251184d1e7 03-01-2016-angler.swf
  • c9e3949771df0b4637848c873d3adceb 03-01-2016-TeslaCrypt.exe

A MORE DETAILED HOW TO HERE