Angler EK sends TeslaCrypt – New URI Pattern – New Flash Meta Data

ASSOCIATED DOMAINS:

  • lunchpal.co – COMPROMISED SITE
  • 82.146.38.171 – 1cge.averoncapital.net – GET /topic/ – ANGLER EK LANDING PAGE
  • 174.136.12.119 – esbook.com – POST /phsys.php – POST INFECTION TRAFFIC
  • 104.128.239.91 – HXXP://shampooherbal.com – POST /phsys.php POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: We continue to see iframe injection on the compromised host, redirecting to the Angler EK landing page.


Shown above: Referer shows the redirect from the compromised site to the Angler EK landing page.


Shown above: Extraction of flash/Angler EK and TeslaCrypt payload.


Shown above: Analysis of the Angler EK Flash file shows a change in metadata. The highlighted area shows the new publisher and creator.


Shown above: TeslaCrypt post-infection traffic. The highlighted area shows the new command and control (C2) host and the new URI structure “/phsys.php”.


Shown above: New naming variant of the ransom note, “RECOVERupfam.html”.


Shown above: The compromised site is using WordPress as its CMS.


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • b506da4ac9aa851d81a637ff2ded0ecd – 2016-03-17-1cge-averoncapital-net-Angler-EK.swf
    Virus Total Link
  • 778ecc620c2fbea260c7c2c1ec15b387 – 2016-03-17-1cge-averoncapital-net-TeslaCrypt.exe
    Virus Total Link
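As an added example (not part of the original post or of any product), the script below turns the indicators above into a small detection pass: it matches the Angler EK landing pattern (GET /topic/ on the landing host) and the TeslaCrypt check-in pattern (POST /phsys.php to the listed C2 hosts or IPs) against proxy log lines, correlates clients that hit both stages, and looks up the two MD5 hashes. The log format is an assumed, constructed `client method host path referer` layout, and the sample lines are constructed for the example; the hosts, IPs, URIs and hashes are the ones listed on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the post: Angler EK landing host, TeslaCrypt C2 hosts/IPs, sample hashes.
ANGLER_LANDING_HOSTS = {"1cge.averoncapital.net"}
TESLACRYPT_C2_HOSTS = {"esbook.com", "shampooherbal.com"}
TESLACRYPT_C2_IPS = {"174.136.12.119", "104.128.239.91"}
KNOWN_MD5 = {
    "b506da4ac9aa851d81a637ff2ded0ecd": "2016-03-17 Angler EK Flash exploit",
    "778ecc620c2fbea260c7c2c1ec15b387": "2016-03-17 TeslaCrypt payload",
}

# Assumed (constructed) proxy log layout: <client_ip> <METHOD> <host> <path> <referer>
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<referer>\S+)$"
)


@dataclass
class Alert:
    src: str      # client that generated the request
    stage: str    # "landing" (Angler EK) or "c2" (TeslaCrypt check-in)
    host: str
    path: str
    detail: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the log line matches one of the page's traffic patterns."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, method, host, path, referer = m.group("src", "method", "host", "path", "referer")
    host = host.lower()
    # Angler EK landing page: GET /topic/ on the landing host, typically with the
    # compromised site in the Referer header.
    if method == "GET" and host in ANGLER_LANDING_HOSTS and path.startswith("/topic/"):
        return Alert(src, "landing", host, path, f"Angler EK landing page, referer={referer}")
    # TeslaCrypt post-infection traffic: POST /phsys.php to a known C2 host or IP.
    if method == "POST" and path == "/phsys.php" and (
        host in TESLACRYPT_C2_HOSTS or host in TESLACRYPT_C2_IPS
    ):
        return Alert(src, "c2", host, path, "TeslaCrypt post-infection check-in")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over every line and keep the hits."""
    return [a for a in (classify(line) for line in lines) if a is not None]


def infected_clients(alerts: List[Alert]) -> List[str]:
    """Clients seen at both the landing page and the C2 are the highest-confidence infections."""
    landing = {a.src for a in alerts if a.stage == "landing"}
    c2 = {a.src for a in alerts if a.stage == "c2"}
    return sorted(landing & c2)


def lookup_hash(md5: str) -> Optional[str]:
    """Case-insensitive lookup of a file hash against the page's sample hashes."""
    return KNOWN_MD5.get(md5.strip().lower())


# Constructed sample log: one full infection chain (10.0.0.5), one benign /topic/ hit on an
# unrelated host (10.0.0.7), and one C2 check-in without an observed landing page (10.0.0.9).
SAMPLE_LOG = [
    "10.0.0.5 GET lunchpal.co / -",
    "10.0.0.5 GET 1cge.averoncapital.net /topic/ http://lunchpal.co/",
    "10.0.0.5 POST esbook.com /phsys.php -",
    "10.0.0.7 GET example.org /topic/ -",
    "10.0.0.9 POST shampooherbal.com /phsys.php -",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for a in hits:
        print(f"{a.src} {a.stage:7} {a.host}{a.path} :: {a.detail}")
    print("clients with landing + C2:", infected_clients(hits))
    print(lookup_hash("B506DA4AC9AA851D81A637FF2DED0ECD"))
```

Clients that only show the C2 check-in (10.0.0.9 above) still deserve a look: the landing page may have been fetched through another path or before logging started, so treat the two-stage correlation as a confidence boost, not a filter.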