Angler EK – iframe injection – New URI pattern

PCAP files of the traffic:
2016-03-16-ramblers-leicester-org-uk.pcap
2016-03-16-ondacreativa-co.pcap


ASSOCIATED DOMAINS:

  • ramblers-leicester.org.uk – COMPROMISED SITE
  • 82.146.34.136 – dab.bangalorephotofestival.in – ANGLER EK LANDING PAGE
  • 174.136.12.119 – esbook.com – POST /phsys.php – POST INFECTION TRAFFIC -[TeslaCrypt]
  • 66.147.244.86 – hmgame.net – POST /phsys.php – POST INFECTION TRAFFIC -[TeslaCrypt]


ASSOCIATED DOMAINS:

  • ondacreativa.co – COMPROMISED SITE
  • 82.146.61.183 – hop.educationaldirection.com – ANGLER EK LANDING PAGE
  • 174.136.12.119 – esbook.com – POST /binstr.php – POST INFECTION TRAFFIC -[TeslaCrypt]
  • 107.180.50.210 – nlhomegarden.com – POST /strbin.php – POST INFECTION TRAFFIC -[TeslaCrypt]


IMAGES and DETAILS:

Shown above: Post infection traffic from ramblers-leicester-org-uk using a new URI structure /phsys.php


Shown above: Post infection traffic from ondacreativa-co using a new URI structure /strbin.php and /binstr.php
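The three post-infection paths above (/phsys.php, /strbin.php, /binstr.php) are the detection hook a defender would take from this capture. The following is an added example (not code from the original post): a small scanner over proxy-style access-log lines that flags POST requests to those paths and notes whether the destination host is one of the callback hosts listed on this page. The log format and the sample lines are constructed for the example, not taken from the PCAPs.

```python
import re
from collections import namedtuple

# Post-infection URI paths and callback hosts observed in this post.
TESLACRYPT_CALLBACK_PATHS = {"/phsys.php", "/strbin.php", "/binstr.php"}
KNOWN_CALLBACK_HOSTS = {"esbook.com", "hmgame.net", "nlhomegarden.com"}

Hit = namedtuple("Hit", "line_no host path host_known")

# Assumed log format (constructed): "<client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)")


def scan_log(lines):
    """Return Hit records for every POST whose path is a known TeslaCrypt callback path.

    The match is on the path, so a check-in to a host not yet on the list is
    still reported; host_known tells the analyst whether the host was already seen.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "POST":
            continue
        u = URL_RE.match(m.group("url"))
        if not u:
            continue
        host, path = u.group("host").lower(), u.group("path")
        if path in TESLACRYPT_CALLBACK_PATHS:
            hits.append(Hit(n, host, path, host in KNOWN_CALLBACK_HOSTS))
    return hits


# Constructed sample log: a visit to the compromised site, the landing page,
# two check-ins to hosts from this post, one to an unlisted host, and a GET
# to a callback path (not flagged, since the check-in is a POST).
SAMPLE_LOG = [
    "10.0.0.12 GET http://ramblers-leicester.org.uk/ 200",
    "10.0.0.12 GET http://dab.bangalorephotofestival.in/ 200",
    "10.0.0.12 POST http://esbook.com/phsys.php 200",
    "10.0.0.12 POST http://hmgame.net/phsys.php 200",
    "10.0.0.12 POST http://example-cdn.test/strbin.php?x=1 200",
    "10.0.0.12 GET http://esbook.com/phsys.php 404",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "known host" if h.host_known else "NEW host"
        print(f"line {h.line_no}: POST {h.path} to {h.host} ({flag})")
```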


Shown above: File meta data for TeslaCrypt


Shown above: Msconfig.exe shows that Angler EK drops the TeslaCrypt file in the Documents folder and creates a start-up entry for it


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 02cdbc1d8f5b6be1ec90b9de5414b666 – ramblers-leicester-org-uk-Angler-EK.swf
  • 4e861f78532c264223de0d7a21d62c9f – ramblers-leicester-org-uk-Angler-EK.exe
  • 4ec783e28ebc7b96f215ee0bad3f1cb6 – ondacreativa-co-Angler-EK.swf
  • 6c51d996afb8ce2fdf2888017d2ac130 – ondacreativa-co.exe

NOTES: I continue to see iframe injection being used to redirect to the Angler Exploit landing page. The iframes are being injected into WordPress sites.

See yesterday’s post for more details [HERE]