Angler EK sending TeslaCrypt – iframe Redirects

PCAP files of the traffic:
2016-03-14-hertshomebuyer-co-uk.pcap
2016-03-15-provincial-com.pcap
ASSOCIATED DOMAINS (Site One):

  • www.hertshomebuyer.co.uk – COMPROMISED SITE
  • 82.146.61.189 – exe.adiola.com – GET /topic/ – ANGLER EK
  • 107.180.50.183 – emmy2015.com – POST /strbin.php – POST INFECTION TRAFFIC

ASSOCIATED DOMAINS (Site Two):

  • provincialpw.com – COMPROMISED SITE
  • 89.108.83.41 – heals.marijuanaformedicalprofessionals.com – GET /topic/ – ANGLER EK
  • 107.180.50.183 – emmy2015.com – POST /strbin.php – POST INFECTION TRAFFIC

IMAGES and DETAILS:

Shown above: Injected iframe on compromised site www.hertshomebuyer.co.uk redirecting to the Angler EK host

Shown above: Injected iframe on compromised site provincialpw.com redirecting to the Angler EK host

Shown above: Referer shows the redirect from compromised site www.hertshomebuyer.co.uk to the Angler EK host

Shown above: Referer shows the redirect from compromised site provincialpw.com to the Angler EK host

Shown above: Post-infection traffic from www.hertshomebuyer.co.uk using a new URI structure, /strbin.php

Shown above: Post-infection traffic from provincialpw.com using a new URI structure, /strbin.php

Shown above: New naming variant of the ransom note, “RECOVERjatv.html”

Shown above: New naming variant of the ransom note, “RECOVERyhsxc.html”

Shown above: Compromised site www.hertshomebuyer.co.uk is using WordPress as its CMS. Malicious injection can occur if WordPress is not updated to the latest version.

Shown above: Compromised site provincialpw.com is using WordPress as its CMS. Malicious injection can occur if WordPress is not updated to the latest version.
MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK (Site One):

  • b854e40e5fc848ea39bd2873281c7a96 – 2016-03-14-hertshomebuyer-co-uk-Angler-EK.swf
  • 30877ffb6516359478351f197eb92697 – 2016-03-14-hertshomebuyer-co-uk.exe

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK (Site Two):

  • b854e40e5fc848ea39bd2873281c7a96 – 2016-03-15-provincialpw-com-Angler-EK.swf
  • 0646159ac21eda7327944517ad454d4b – 2016-03-15-provincialpw-com-TeslaCrypt.exe

NOTES:

It appears TeslaCrypt is changing its pattern to evade detection by intrusion detection systems and firewalls. With each infection I noted a change in the naming of the so-called ransom note.

As noted in yesterday's post, "Angler EK sends–New Variant of Ransomware–New URI Pattern", TeslaCrypt is no longer changing the encrypted file extensions to .mp3. This may be done to speed up the encryption process, or it may simply be a bare-bones package.

Also of note is the injection process. This variant uses a simple iframe redirect and no longer attempts to obfuscate its injected malicious script.
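As an added illustration (not part of the original post), the following Python script turns the two indicators that recur across both infections into a detection check: a GET to the Angler landing URI /topic/ whose Referer is a different site, followed from the same client by a POST to /strbin.php, plus a filename match for the RECOVER<random>.html ransom-note variant. The sample requests, client IPs, the benign row and the generalised ransom-note pattern are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample requests (client_ip, method, host, uri, referer), modelled on
# the two chains in the post; the client IPs and the benign row are made up.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET", "www.hertshomebuyer.co.uk", "/", ""),
    ("10.0.0.5", "GET", "exe.adiola.com", "/topic/", "http://www.hertshomebuyer.co.uk/"),
    ("10.0.0.5", "POST", "emmy2015.com", "/strbin.php", ""),
    ("10.0.0.9", "GET", "provincialpw.com", "/", ""),
    ("10.0.0.9", "GET", "heals.marijuanaformedicalprofessionals.com", "/topic/", "http://provincialpw.com/"),
    ("10.0.0.9", "POST", "emmy2015.com", "/strbin.php", ""),
    ("10.0.0.7", "GET", "example.org", "/topic/", "http://example.org/index.html"),  # benign same-site /topic/
]
EK_LANDING_URIS = {"/topic/"}          # Angler landing URI seen on both sites
POST_INFECTION_URIS = {"/strbin.php"}  # TeslaCrypt check-in URI seen on both sites
# Assumption: generalised from the two note names RECOVERjatv.html / RECOVERyhsxc.html
RANSOM_NOTE_RE = re.compile(r"^RECOVER[a-z]{4,5}\.html$")

def registered_domain(host):
    """Crude eTLD+1: last two labels (assumption, sufficient for the sample)."""
    return ".".join(host.lower().split(".")[-2:])

def cross_site_redirect(host, referer):
    """True when the Referer names a different site than the request host,
    i.e. the browser arrived via a redirect such as the injected iframe."""
    m = re.match(r"https?://([^/]+)", referer or "")
    return bool(m) and registered_domain(m.group(1)) != registered_domain(host)

def chain_stages(requests):
    """Map client_ip -> list of infection-chain stages observed for that client."""
    stages = defaultdict(list)
    for client, method, host, uri, referer in requests:
        if method == "GET" and uri in EK_LANDING_URIS and cross_site_redirect(host, referer):
            stages[client].append("ek_landing_via_redirect")
        if method == "POST" and uri in POST_INFECTION_URIS:
            stages[client].append("post_infection_checkin")
    return dict(stages)

def infected_clients(requests):
    """Clients that hit the landing page via a redirect and then checked in."""
    needed = {"ek_landing_via_redirect", "post_infection_checkin"}
    return sorted(c for c, s in chain_stages(requests).items() if needed <= set(s))

def is_ransom_note_name(filename):
    """Match the RECOVER<random>.html naming variant in a file-write or directory listing."""
    return bool(RANSOM_NOTE_RE.match(filename))

if __name__ == "__main__":
    print(infected_clients(SAMPLE_REQUESTS))  # ['10.0.0.5', '10.0.0.9']
```

Feeding real proxy or Zeek http.log fields into SAMPLE_REQUESTS's tuple shape is enough to run the same check over captured traffic.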