Angler EK from 89.108.83.40 sends TeslaCrypt

ASSOCIATED DOMAINS:

  • karavaevsergei.ru – COMPROMISED SITE
  • 89.108.83.40 – asf.dentisthomemortgage.com – ANGLER EK [TESLACRYPT]
  • 166.62.4.223 – sappmtraining.com – POST /wp-includes/theme-compat/wcspng.php – POST-INFECTION TRAFFIC
  • 203.124.115.1 – vtechshop.net – POST /wcspng.php – POST-INFECTION TRAFFIC

IMAGES AND DETAILS:

[Image] Injected script in compromised site redirecting to Angler EK and TeslaCrypt

[Image] Flash file ("Angler EK") executed from malicious host

[Image] Flash file packet from malicious site captured with Wireshark

[Image] VirusTotal results for variant of TeslaCrypt

[Image] TeslaCrypt ransom notes


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 608688dc65ca1e4c086b4aad11f5f372 – 2016-03-11-karavaevsergei-ru-Angler.swf (VirusTotal link)
  • f48a24705fb72cfa0192b485afb4e688 – 2016-03-11-karavaevsergei-ru-TeslaCrypt.exe (VirusTotal link)
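The indicators above (compromised site, Angler EK host and IP, the two POST-to-wcspng.php callback hosts, and the two MD5 hashes) are what a defender would turn into a quick triage check. The script below is an added example, not part of the original write-up: it loads those indicators, runs them over a few constructed proxy-log lines in an assumed space-separated format (timestamp, client IP, method, URL, destination IP, status; the destination IPs for the compromised site and the benign line are placeholder values from the documentation ranges, not from the write-up), and looks up file hashes against the listed MD5s.

```python
"""Triage helper: match proxy-log lines and file hashes against the indicators
listed in the Angler EK -> TeslaCrypt write-up above (added example)."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the write-up's lists.
IOC_HOSTS = {
    "karavaevsergei.ru": "compromised site (injected redirect)",
    "asf.dentisthomemortgage.com": "Angler EK host",
    "sappmtraining.com": "TeslaCrypt post-infection traffic",
    "vtechshop.net": "TeslaCrypt post-infection traffic",
}
IOC_IPS = {
    "89.108.83.40": "Angler EK host",
    "166.62.4.223": "TeslaCrypt post-infection traffic",
    "203.124.115.1": "TeslaCrypt post-infection traffic",
}
IOC_POST_PATHS = {"/wp-includes/theme-compat/wcspng.php", "/wcspng.php"}
IOC_MD5 = {
    "608688dc65ca1e4c086b4aad11f5f372": "2016-03-11-karavaevsergei-ru-Angler.swf",
    "f48a24705fb72cfa0192b485afb4e688": "2016-03-11-karavaevsergei-ru-TeslaCrypt.exe",
}


@dataclass(frozen=True)
class Alert:
    line_no: int
    client: str
    indicator: str
    label: str


def parse_log_line(line):
    """Parse one line of the assumed log format:
    <timestamp> <client_ip> <method> <url> <dest_ip> <status>
    Returns None for lines that do not fit, so malformed input is skipped."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, dst, status = parts
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "dst": dst, "status": status}


def match_record(line_no, rec):
    """Return every indicator a parsed record matches (host, destination IP,
    and the POST-to-wcspng.php callback pattern)."""
    alerts = []
    u = urlsplit(rec["url"])
    host = (u.hostname or "").lower()
    if host in IOC_HOSTS:
        alerts.append(Alert(line_no, rec["client"], host, IOC_HOSTS[host]))
    if rec["dst"] in IOC_IPS:
        alerts.append(Alert(line_no, rec["client"], rec["dst"], IOC_IPS[rec["dst"]]))
    # The write-up shows the callback as a POST to wcspng.php; only POSTs are
    # flagged on path alone, since the path is the weakest of the indicators.
    if rec["method"] == "POST" and u.path in IOC_POST_PATHS:
        alerts.append(Alert(line_no, rec["client"], u.path,
                            "TeslaCrypt-style POST check-in path"))
    return alerts


def scan_log(lines):
    """Run every log line through the matcher; returns a list of Alert."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_log_line(line)
        if rec is not None:
            alerts.extend(match_record(n, rec))
    return alerts


def lookup_md5(hexdigest):
    """Return the sample name for a known MD5, else None."""
    return IOC_MD5.get(hexdigest.strip().lower())


def classify_file(data):
    """Hash raw file bytes and look them up against the listed MD5s."""
    return lookup_md5(hashlib.md5(data).hexdigest())


# Constructed sample log (assumed format; placeholder IPs where the write-up gives none).
SAMPLE_LOG = [
    "2016-03-11T14:02:01Z 192.168.1.50 GET http://karavaevsergei.ru/ 203.0.113.10 200",
    "2016-03-11T14:02:03Z 192.168.1.50 GET http://asf.dentisthomemortgage.com/ 89.108.83.40 200",
    "2016-03-11T14:02:09Z 192.168.1.50 POST http://sappmtraining.com/wp-includes/theme-compat/wcspng.php 166.62.4.223 200",
    "2016-03-11T14:02:11Z 192.168.1.50 POST http://vtechshop.net/wcspng.php 203.124.115.1 200",
    "2016-03-11T14:05:00Z 192.168.1.77 GET http://example.com/index.html 198.51.100.5 200",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no}: client {a.client} hit {a.indicator} ({a.label})")
```

Running the block prints one alert per matched indicator, so a single client that touched the compromised site, the EK host and both callback hosts shows up on every stage of the chain, while the benign line and the malformed line produce nothing; that per-stage view is what tells a responder whether a host only hit the redirect or actually reached the post-infection callback.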

For more details on this variant of Angler Exploit Kit, see the post [HERE].