Angler EK from 82.146.58.2 sends TeslaCrypt – New Pattern

ASSOCIATED DOMAINS:

  • wellnesshealthcarerevolution.com – COMPROMISED SITE
  • 82.146.58.2 – add.freereikitraining.com – ANGLER EK / TESLACRYPT
  • 178.162.214.146 – tele-channel.com – POST /wp-admin/maint/wcspng.php – POST INFECTION TRAFFIC [TESLACRYPT]

Shown above: admedia-style gate "/topic" hosting both Angler EK and TeslaCrypt. Normally you would see a redirect from this type of gate to a separate Angler EK and TeslaCrypt host; here the gate itself serves them.


Shown above: Injected script from compromised site to Angler EK and TeslaCrypt.

This was first noted by malware-traffic-analysis, as shown below:


Shown above: Extraction of the Angler EK flash file and what appears to be the payload masked as a text file.


Shown above: Examination of the flash file metadata determined this is the Angler EK. The highlighted area shows "fps 2.05 x 1.05 pixels". This is a known pattern of the Angler EK being used in conjunction with the "admedia" campaign.


Shown above: Examination of the payload from "add.freereikitraining.com" shows a file being downloaded as a text file. This is believed to be the TeslaCrypt payload masked as a text file to evade detection by intrusion detection systems and firewalls that key on the declared content type rather than the file header.


Shown above: TeslaCrypt post-infection traffic to the C2. Noted in the highlighted area is a new TeslaCrypt PHP extension, "wcspng.php".


Shown above: Note the highlighted area "_ReCoVeRy_.HTM" as a pattern change.


Shown below: This was first noted by Jerome Segura as identifying a new variant of TeslaCrypt.


Shown above: File details of the malicious TeslaCrypt executable.


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 2cb4bb4fddf4c36648bffb6d8b5ebd9a – 03-10-2016-wellnesshealthcarerevolution-com-angler.swf
    VirusTotal link
  • 97b7da5976dda9b9e62b11529c25a80e – 03-10-2016-wellnesshealthcarerevolution-com-amnjkopkqvba.exe
    VirusTotal link

SNORT INTRUSION DETECTION SIGNATURES:

#-------------
# LOCAL RULES
#-------------
# Angler EK landing page: the admedia-style gate path "/topic/" observed in this capture.
# Note: "/topic/" is a generic path and will also fire on benign forum URLs; tune with
# host or http_uri context before deploying outside a lab.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Angler EK Landing Page Ascii"; flow:to_server,established; content:"/topic/"; sid:4804004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Angler EK Landing Page Hex"; flow:to_server,established; content:"|2f 74 6f 70 69 63 2f|"; sid:4804005; rev:1;)
# TeslaCrypt post-infection check-in: the new "wcspng.php" C2 script name.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TeslaCrypt Post Infection Check-in Ascii"; flow:to_server,established; content:"/wcspng.php"; sid:4804006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TeslaCrypt Post Infection Check-in Hex"; flow:to_server,established; content:"|2f 77 63 73 70 6e 67 2e 70 68 70|"; sid:4804007; rev:1;)
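The following is an added example, not code from the original post or from any tool it references. It applies the indicators described above (the "/topic/" gate path, the "wcspng.php" check-in, the payload served as a text file, and the two MD5 hashes) to a handful of constructed HTTP transaction records, the way an analyst might re-check a pcap export offline. The `HttpTransaction` dataclass, the sample hosts' paths and the response bodies are assumptions made up for the example; only the hostnames, the URI substrings and the hashes come from the post.

```python
"""
Added example (not part of the original post): an offline checker that applies
the post's Angler EK / TeslaCrypt indicators to HTTP transaction records.
It flags:
  1. request URIs containing the admedia gate path "/topic/",
  2. TeslaCrypt check-in requests to "/wcspng.php",
  3. responses declared as text/* whose body starts with an "MZ" header
     (a Windows executable masked as a text file), and
  4. bodies whose MD5 matches the hashes listed in the post.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# MD5 hashes taken from the post.
KNOWN_MD5 = {
    "2cb4bb4fddf4c36648bffb6d8b5ebd9a": "Angler EK flash exploit (.swf)",
    "97b7da5976dda9b9e62b11529c25a80e": "TeslaCrypt payload (.exe)",
}

# URI substrings taken from the Snort rules above.
URI_INDICATORS = {
    "/topic/": "Angler EK landing page (admedia gate)",
    "/wcspng.php": "TeslaCrypt post-infection check-in",
}


@dataclass
class HttpTransaction:
    """Hypothetical record shape: one request plus its response (assumption)."""
    host: str
    method: str
    uri: str
    content_type: str = ""   # response Content-Type header
    body: bytes = b""        # response body
    alerts: List[str] = field(default_factory=list)


def check_transaction(tx: HttpTransaction) -> List[str]:
    """Return the list of indicator matches for one transaction."""
    alerts: List[str] = []
    for needle, label in URI_INDICATORS.items():
        if needle in tx.uri:
            alerts.append(f"{label}: {tx.method} {tx.host}{tx.uri}")
    # Executable disguised as text: PE "MZ" header under a text/* Content-Type.
    declared = tx.content_type.split(";")[0].strip().lower()
    if tx.body[:2] == b"MZ" and declared.startswith("text/"):
        alerts.append(f"PE file served as {declared} from {tx.host}{tx.uri}")
    # Hash match against the post's IoCs.
    if tx.body:
        digest = hashlib.md5(tx.body).hexdigest()
        if digest in KNOWN_MD5:
            alerts.append(f"known hash {digest} ({KNOWN_MD5[digest]})")
    tx.alerts = alerts
    return alerts


def scan(transactions: List[HttpTransaction]) -> Dict[Tuple[str, str], List[str]]:
    """Check every transaction and key the results by (host, uri)."""
    return {(tx.host, tx.uri): check_transaction(tx) for tx in transactions}


# Constructed sample traffic. Paths and bodies are made up for illustration;
# the real exploit and payload are not embedded here.
SAMPLE = [
    HttpTransaction("wellnesshealthcarerevolution.com", "GET", "/",
                    "text/html", b"<html>compromised page</html>"),
    HttpTransaction("add.freereikitraining.com", "GET", "/topic/sample-landing",
                    "text/html", b"<html>landing</html>"),
    HttpTransaction("add.freereikitraining.com", "GET", "/sample-payload.txt",
                    "text/plain", b"MZ\x90\x00" + b"\x00" * 60),
    HttpTransaction("tele-channel.com", "POST", "/wp-admin/maint/wcspng.php",
                    "text/html", b"ok"),
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE).items():
        print(key, "->", hits or "clean")
```

The MZ-under-text/* check is the one that matters most for the "payload masked as a text file" observation: a filter that trusts the declared Content-Type lets the download through, while a check on the first two bytes of the body does not. In a real deployment the same logic would run over a pcap export (for example Zeek or tshark output) instead of the constructed list.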