Angler EK sends – New Variant of Ransomware – New URI Pattern

ASSOCIATED DOMAINS:

  • www.bftrad.com – COMPROMISED SITE
  • 82.146.61.186 – news.wellerhill.com – POST /topic/ – ANGLER EK
  • 107.180.50.183 – emmy2015.com – POST /strbin.php – POST INFECTION TRAFFIC


NOTE: During the infection process my files became corrupted. TeslaCrypt is known to encrypt and rename files with the .mp3 extension. This variant of ransomware did not rename my files; however, they did become encrypted. Also noted was the name change in the so-called ransom note.


IMAGES AND DETAILS:

Shown above: New naming variant of ransom note “RECOVERaekbd.html”


Shown above: Injected iframe redirecting to Angler EK and ransomware host


Shown above: Referer shows redirect from compromised site to Angler EK host


Shown above: Post infection traffic using a new URI structure /strbin.php
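As an added example (not part of the original write-up), the following Python flags the URI patterns documented above and correlates the Angler EK stage with the /strbin.php beacon per client. The proxy-log layout and the sample lines are constructed assumptions; the hosts and paths are the indicators listed at the top of the post.

```python
import re
from collections import namedtuple

# Indicators from the write-up above; everything else here is constructed.
ANGLER_EK_HOST = "news.wellerhill.com"
COMPROMISED_SITE = "www.bftrad.com"

# Hypothetical proxy-log layout: client method host path status "referer"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

Alert = namedtuple("Alert", "client stage reason")


def classify(entry):
    """Map one parsed log entry to a (stage, reason) pair, or None if benign."""
    if entry["method"] == "POST" and entry["path"] == "/strbin.php":
        return ("post-infection", "POST /strbin.php to %s" % entry["host"])
    if (entry["method"] == "POST" and entry["path"].startswith("/topic/")
            and entry["host"] == ANGLER_EK_HOST):
        return ("exploit-kit", "Angler EK POST /topic/")
    if COMPROMISED_SITE in entry["referer"] and entry["host"] == ANGLER_EK_HOST:
        return ("redirect", "referer %s -> %s" % (COMPROMISED_SITE, entry["host"]))
    return None


def scan(lines):
    """Parse each log line and collect alerts in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        hit = classify(m.groupdict())
        if hit:
            alerts.append(Alert(m.group("client"), *hit))
    return alerts


def infected_clients(alerts):
    """Clients that show both the exploit-kit stage and the post-infection beacon."""
    stages = {}
    for a in alerts:
        stages.setdefault(a.client, set()).add(a.stage)
    return {c for c, s in stages.items() if {"exploit-kit", "post-infection"} <= s}


# Constructed sample log: one client walks the full chain, one is clean.
SAMPLE_LOG = [
    '10.0.0.5 GET www.bftrad.com / 200 "-"',
    '10.0.0.5 GET news.wellerhill.com /topic/ 200 "http://www.bftrad.com/"',
    '10.0.0.5 POST news.wellerhill.com /topic/ 200 "http://news.wellerhill.com/topic/"',
    '10.0.0.5 POST emmy2015.com /strbin.php 200 "-"',
    '10.0.0.9 GET www.example.org /index.html 200 "-"',
]
```

Running `scan(SAMPLE_LOG)` yields one redirect, one exploit-kit and one post-infection alert, all for 10.0.0.5, which `infected_clients` then reports as the single fully-chained host.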


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • cf2a89202502b5bb44bd5cf48d46673b – 2016-03-14-bftrad-com-Angler-EK.swf
  • e7a4b72f7b506ae067751518f9719bff – 2016-03-14-bftrad-com.exe