Angler EK from 82.146.46.242 – New URI Pattern

ASSOCIATED DOMAINS:

  • amy-loves.co.uk – COMPROMISED HOST
  • 85.93.0.33 – mrdoom.tk – GATE TO EXPLOIT KIT
  • 82.146.46.242 – re.transdermdelivery.com/topic/1512028383 – ANGLER EK

DETAILS:

Shown above: Angler EK using new URI pattern /topic/1512028383


Shown above: Injected script in compromised site redirecting to gate “mrdoom.tk”


Shown above: Referer from compromised site to gate with injected script directing to Angler EK host


Shown above: Extracted flash file using Wireshark File => Export Objects => HTTP


Shown above: Review of the flash file metadata shows a known Angler exploit pattern and known actors.

It should be noted that the payload could not be recovered; however, it does fit the pattern of TeslaCrypt.
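As an added example (not part of the original write-up), the script below turns the indicators listed under ASSOCIATED DOMAINS and the referer chain described above into detection logic: it tags requests to the compromised host, the gate and the Angler EK host, matches the new URI pattern, and walks Referer headers backwards to recover the compromised site -> gate -> EK host chain. The log lines are constructed, not captured traffic; the gate path `/gate.php` and the regex generalisation of the single observed URI to `/topic/<long digit run>` are assumptions.

```python
"""Detect the Angler EK redirect chain (compromised site -> gate -> EK host) in
constructed proxy-style log lines. Added example, not code from the original post."""
import re
from urllib.parse import urlparse

# Indicators taken from the write-up
COMPROMISED_HOSTS = {"amy-loves.co.uk"}
GATE_HOSTS = {"mrdoom.tk", "85.93.0.33"}
EK_HOSTS = {"re.transdermdelivery.com", "82.146.46.242"}

# Assumption: the one observed URI /topic/1512028383 generalises to /topic/<long digit run>.
# Anchoring both ends keeps /news/topic/... and short numbers from matching.
TOPIC_URI = re.compile(r"^/topic/\d{6,}$")

# Constructed sample log (not captured traffic). Fields: client host method uri referer ("-" = none)
# The gate path /gate.php is an assumption; the post does not give the gate URI.
SAMPLE_LOG = """\
10.0.0.5 amy-loves.co.uk GET /index.html -
10.0.0.5 mrdoom.tk GET /gate.php http://amy-loves.co.uk/index.html
10.0.0.5 re.transdermdelivery.com GET /topic/1512028383 http://mrdoom.tk/gate.php
10.0.0.7 example.org GET /topic/12 http://example.org/
10.0.0.7 example.org GET /news/topic/1512028383 -
"""


def parse_log(text):
    """Turn whitespace-separated log lines into request dicts; referer '-' becomes None."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, method, uri, referer = line.split()
        requests.append({
            "client": client, "host": host, "method": method, "uri": uri,
            "referer": None if referer == "-" else referer,
        })
    return requests


def referer_host(req):
    """Hostname of the Referer URL, or None when the request carried no Referer."""
    return urlparse(req["referer"]).hostname if req["referer"] else None


def tag_request(req):
    """Indicator tags for one request (empty set when nothing matches)."""
    tags = set()
    if req["host"] in EK_HOSTS:
        tags.add("ek_host")
    if req["host"] in GATE_HOSTS:
        tags.add("gate_host")
    if req["host"] in COMPROMISED_HOSTS:
        tags.add("compromised_host")
    if TOPIC_URI.match(req["uri"]):
        tags.add("topic_uri_pattern")
    return tags


def reconstruct_chains(requests):
    """For each request to an EK host, follow Referer headers backwards through earlier
    requests by the same client to recover the redirect chain as a tuple of hosts."""
    chains = []
    for i, ek_req in enumerate(requests):
        if ek_req["host"] not in EK_HOSTS:
            continue
        chain = [ek_req["host"]]
        current = ek_req
        while True:
            prev_host = referer_host(current)
            if prev_host is None:
                break
            chain.append(prev_host)
            # Most recent earlier request by the same client to the referring host
            earlier = [r for r in requests[:i]
                       if r["client"] == current["client"] and r["host"] == prev_host]
            if not earlier:
                break
            current = earlier[-1]
        chains.append(tuple(reversed(chain)))
    return chains


def analyze(text):
    """Return indicator alerts and reconstructed redirect chains for a log text."""
    requests = parse_log(text)
    alerts = [(r["host"], r["uri"], sorted(tag_request(r)))
              for r in requests if tag_request(r)]
    return {"alerts": alerts, "chains": reconstruct_chains(requests)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for chain in result["chains"]:
        print("redirect chain:", " -> ".join(chain))
    for host, uri, tags in result["alerts"]:
        print(f"alert {host}{uri}: {', '.join(tags)}")
```

The chain reconstruction relies on the Referer header being present, as it was in the capture described above; where a landing page is reached without a Referer the walk stops early, so the host and URI tags remain the fallback signal.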