Angler EK from 82.146.59.21 sends TeslaCrypt – New URI Pattern

PCAP file of the traffic: 2016-03-14-Angler-EK.pcap

ASSOCIATED DOMAINS:

  • rzesypermanentne.pl – COMPROMISED SITE
  • 82.146.59.21 – s.onlinechiropracticschool.org – POST /topic/ – ANGLER EK
  • 198.1.95.93 – [NOT USING DOMAIN NAME] – POST /~deveconomytravel/cache/binstr.php – POST INFECTION TRAFFIC [TeslaCrypt]

 

IMAGES AND DETAILS:

Shown above: The Referer header shows the redirect from the compromised site to the Angler EK host.

 

Shown above: Index page of the compromised site shows multiple injected malicious scripts. One of them is an old “admedia” gate, which suggests this site has been compromised before.

 

Shown above: Old injected hexadecimal script converted to ASCII shows old “admedia” type gate.
Note: The same analysis was done with the second injected malicious script found in the compromised site index page. That also was found to lead to an old “admedia” gate.

 

Shown above: Third injected “pseudo-Darkleech” script found in index page of compromised site leading to Angler EK and TeslaCrypt.
Note: For more information about “pseudo-Darkleech” see write-up at malware-traffic-analysis.net

 

Shown above: Extraction of flash file for analysis using Wireshark File => Export Objects => HTTP – Save as .swf file.
Note: The TeslaCrypt payload is served as text/html to evade detection by intrusion detection systems and firewalls.

 

Shown above: Meta data from saved flash file using http://www.nowrap.de/flare.html.
Note: Flash ActionScript version 13, combined with a frame rate of 24 fps and a 2.05×1.05 px stage, follows the same pattern used in the “admedia” campaign.
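Those three header fields (version, frame rate, stage size) can be read directly from the saved .swf without a third-party tool. The parser below is an added example, not code from the original post or from the flare tool it references; SAMPLE_SWF is a constructed header with the values from the note above, not bytes from the actual Angler sample.

```python
"""Read the SWF header fields used for triage: version, frame rate, stage size."""
import struct
import zlib


class BitReader:
    """MSB-first bit reader; the SWF RECT (stage size) is bit-packed."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0  # pos counts bits, not bytes

    def read_ub(self, n: int) -> int:
        val = 0
        for _ in range(n):
            val = (val << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return val

    def read_sb(self, n: int) -> int:  # signed, two's complement over n bits
        val = self.read_ub(n)
        return val - (1 << n) if n and val & (1 << (n - 1)) else val


def parse_swf_header(blob: bytes) -> dict:
    sig, version, length = blob[:3], blob[3], struct.unpack("<I", blob[4:8])[0]
    if sig == b"CWS":          # zlib-compressed body starts right after byte 8
        body = zlib.decompress(blob[8:])
    elif sig == b"FWS":
        body = blob[8:]
    else:
        raise ValueError("not an SWF file: %r" % sig)
    br = BitReader(body)
    nbits = br.read_ub(5)                                 # RECT: Nbits UB[5], then 4 x SB[Nbits]
    xmin, xmax, ymin, ymax = (br.read_sb(nbits) for _ in range(4))
    off = (br.pos + 7) // 8                               # RECT is padded to a byte boundary
    rate_raw, frames = struct.unpack("<HH", body[off:off + 4])  # 8.8 fixed fps, frame count
    return {"signature": sig.decode(), "version": version, "file_length": length,
            "width_px": (xmax - xmin) / 20, "height_px": (ymax - ymin) / 20,  # twips -> px
            "frame_rate": rate_raw / 256, "frame_count": frames}


def matches_admedia_pattern(h: dict) -> bool:
    """Indicator from the write-up: version 13, 24 fps, 2.05x1.05 px stage."""
    return h["version"] == 13 and h["frame_rate"] == 24.0 and \
        (h["width_px"], h["height_px"]) == (2.05, 1.05)


def as_cws(blob: bytes) -> bytes:
    """Re-wrap an FWS blob as CWS (zlib body) to exercise the compressed path."""
    return b"CWS" + blob[3:8] + zlib.compress(blob[8:])


# Constructed header (not the real sample): RECT 41x21 twips, 24.0 fps, 1 frame
_BODY = b"\x38\x05\x20\x0a\x80" + b"\x00\x18" + b"\x01\x00"
SAMPLE_SWF = b"FWS\x0d" + struct.pack("<I", 8 + len(_BODY)) + _BODY
```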

 

Shown above: TeslaCrypt post infection traffic using a new URI structure “binstr.php”. Also note there is no domain name associated with the site.

 

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 1b8b4157ada72f107e0cd9e580f9e603 – 2016-03-14-rzesypermanentne-pl-Angler-EK.swf
  • 5251cbb1fbf70f9268f3ce91e6b8a062 – 2016-03-14-rzesypermanentne-pl-Angler-EK.exe

SNORT INTRUSION DETECTION SIGNATURES:

#
#-------------
# LOCAL RULES
#-------------
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Angler EK Landing Page Ascii"; flow:to_server,established; content:"/topic/"; http_uri; sid:4804004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Angler EK Landing Page Hex"; flow:to_server,established; content:"|2f 74 6f 70 69 63 2f|"; http_uri; sid:4804005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TeslaCrypt Post Infection Check-in Ascii"; flow:to_server,established; content:"/binstr.php"; http_uri; sid:4804008; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TeslaCrypt Post Infection Check-in Hex"; flow:to_server,established; content:"|2f 62 69 6e 73 74 72 2e 70 68 70|"; http_uri; sid:4804009; rev:1;)