Angler EK from 89.108.83.42 sends TeslaCrypt

PCAP file of the traffic: 2016-03-12-Angler-EK.pcap

ASSOCIATED DOMAINS:

  • webonomia.com – COMPROMISED SITE
  • 89.108.83.42 – of.empreendedorsim.com POST /topic/98427-ANGLER EK – TESLACRYPT
  • 203.124.115.1 – vtechshop.net POST /wcspng.php – POST INFECTION TRAFFIC
  • 166.62.4.223 – sappmtraining.com POST /wp-includes/theme-compat/wcspng.php – POST INFECTION TRAFFIC
  • 103.254.148.121 – shirongfeng.cn POST /images/lurd/wcspng.php – POST INFECTION TRAFFIC

IMAGES AND DETAILS:

Shown above: Injected script in compromised site redirecting to Angler EK and TeslaCrypt

Shown above: Referer shows redirect from compromised site to Angler EK and TeslaCrypt

Shown above: Post TeslaCrypt infection traffic

Shown above: TeslaCrypt file details. File was found in C:\Windows directory

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • db5760e8c096e3d35e63d385803ddaa0 – 2016-03-12-of-empreendedorsim-com-Angler.swf
    Virus Total Link
  • cc58157b4f51d4fcb93e51dd6eaa15c9 – 2016-03-12-of-empreendedorsim-com-TeslaCrypt.exe
    Virus Total Link

SNORT INTRUSION DETECTION SIGNATURES:

#---------
# LOCAL RULES
#---------
# Note: content:"/topic/" with http_uri and no anchoring matches any URI that
# contains that string, including ordinary forum traffic, so expect false
# positives and correlate hits with the destination IP and Referer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Angler EK Landing Page Ascii"; flow:to_server,established; content:"/topic/"; http_uri; sid:4804004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Angler EK Landing Page Hex"; flow:to_server,established; content:"|2f 74 6f 70 69 63 2f|"; http_uri; sid:4804005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TeslaCrypt Post Infection Check-in Ascii"; flow:to_server,established; content:"/wcspng.php"; http_uri; sid:4804006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TeslaCrypt Post Infection Check-in Hex"; flow:to_server,established; content:"|2f 77 63 73 70 6e 67 2e 70 68 70|"; http_uri; sid:4804007; rev:1;)
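The following is an added example, not code from the original write-up or from the Snort project: a small Python matcher that reproduces the http_uri content checks of the four local rules above, decodes the |hex| form to show it is byte-identical to the ASCII form, and runs the checks over constructed HTTP requests modelled on the URIs in the domain list. The hosts and paths come from the write-up; the tail of the /topic/98427- path is a placeholder because the write-up truncates it, and the two benign requests are constructed.

```python
"""
Added example, not part of the original write-up: reproduce the http_uri
content matches of the four local Snort rules, show that the |hex| and
ASCII forms match the same bytes, and run them over constructed requests.
"""
import re
from typing import Dict, List, Optional, Tuple

# sid -> (msg, content) copied from the local rules above.
RULES: Dict[int, Tuple[str, str]] = {
    4804004: ("Angler EK Landing Page Ascii", '"/topic/"'),
    4804005: ("Angler EK Landing Page Hex", '"|2f 74 6f 70 69 63 2f|"'),
    4804006: ("TeslaCrypt Post Infection Check-in Ascii", '"/wcspng.php"'),
    4804007: ("TeslaCrypt Post Infection Check-in Hex",
              '"|2f 77 63 73 70 6e 67 2e 70 68 70|"'),
}

# Constructed sample requests.  Hosts and paths come from the write-up's
# domain list; the tail of the /topic/98427- path is a placeholder because
# the write-up truncates it.  The last two requests are benign traffic.
SAMPLE_REQUESTS: List[bytes] = [
    b"POST /topic/98427-PLACEHOLDER HTTP/1.1\r\nHost: of.empreendedorsim.com\r\n\r\n",
    b"POST /wcspng.php HTTP/1.1\r\nHost: vtechshop.net\r\n\r\n",
    b"POST /wp-includes/theme-compat/wcspng.php HTTP/1.1\r\nHost: sappmtraining.com\r\n\r\n",
    b"POST /images/lurd/wcspng.php HTTP/1.1\r\nHost: shirongfeng.cn\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /forum/topic/123-hello HTTP/1.1\r\nHost: example.net\r\n\r\n",
]


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content:"..." value.

    Text outside |...| is literal; text inside is space-separated hex bytes.
    """
    body = content.strip()
    if body.startswith('"') and body.endswith('"'):
        body = body[1:-1]
    parts = body.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % content)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")                 # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))   # hex run
    return bytes(out)


def parse_request(raw: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, uri, host) from a raw HTTP/1.x request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if m is None:
        return None
    host = b""
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip()
    return (m.group(1).decode("ascii"), m.group(2).decode("latin-1"),
            host.decode("latin-1"))


def match_rules(raw: bytes) -> List[int]:
    """Return sids whose http_uri content occurs anywhere in the request URI.

    Only the content/http_uri part of each rule is reproduced; the
    flow:to_server,established and $HOME_NET/$EXTERNAL_NET constraints are
    not, since this works on request bytes rather than a TCP stream.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return []
    uri = parsed[1].encode("latin-1")
    return sorted(sid for sid, (_msg, content) in RULES.items()
                  if snort_content_to_bytes(content) in uri)


def report(requests: List[bytes]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, uri, [msg, ...]) for every request that fired a rule."""
    hits = []
    for raw in requests:
        sids = match_rules(raw)
        if sids:
            _method, uri, host = parse_request(raw)
            hits.append((host, uri, [RULES[s][0] for s in sids]))
    return hits


if __name__ == "__main__":
    for host, uri, msgs in report(SAMPLE_REQUESTS):
        print("%-28s %-45s %s" % (host, uri, "; ".join(msgs)))
```

Running the block prints one line per request that fires. The benign GET /forum/topic/123-hello request fires both landing-page rules, which is the point of the note above the rules: an unanchored "/topic/" match on its own is not a reliable indicator, and hits should be correlated with the destination IP (89.108.83.42 here) and the Referer from the compromised site.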

For more details on this variant of Angler Exploit kit see post [HERE]