Angler EK sends TeslaCrypt – New C2 – New Ransom note pattern

ASSOCIATED DOMAINS:

  • www.gardeningtricks.net – COMPROMISED SITE
  • 185.46.11.192 – check.bespokebeta.com – GET /topic/ – ANGLER EK LANDING PAGE
  • 108.167.185.237 – resumosdenovela.net – POST /phsys.php POST INFECTION TRAFFIC [TeslaCrypt]


IMAGES and DETAILS:

Shown above: Continued iframe injection on the compromised host, redirecting to the Angler EK landing page and TeslaCrypt


Shown above: Analysis of compromised site index page shows this site contains old “admedia” gate script infection


Shown above: Examination of DNS records reveals the compromised site did query an “admedia” gate. DNS was not able to resolve the old name


Shown above: Referer shows redirect (iframe) from compromised site to Angler EK landing page and TeslaCrypt


Shown above: Extraction of flash/Angler EK and TeslaCrypt payload. Note TeslaCrypt payload masked as a text file to prevent detection.


Shown above: Analysis of Angler EK flash file shows changes in the metadata. Highlighted area shows new publisher and creator. Note the “2.05×1.05 px” continues to be used with this campaign. This pixel size was also used in the admedia campaign.


Shown above: TeslaCrypt post infection traffic. Highlighted area shows new command and control host (C2)
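As an added example (not part of the original post), the Python below turns the indicators listed above into simple defensive checks over HTTP transactions: the POST to /phsys.php on the new C2, the /topic/ landing page, and a response declared as text whose body actually begins with an executable or Flash header, which is the masquerade noted in the payload extraction above. The sample transactions, their bodies and the CONSTRUCTED.txt path are made up for the demonstration.

```python
# Indicators taken from this post; hosts and paths are the ones it lists.
INDICATORS = {
    ("resumosdenovela.net", "/phsys.php"): "TeslaCrypt post-infection C2 check-in",
    ("check.bespokebeta.com", "/topic/"): "Angler EK landing page",
}

def check_http_request(method, host, path):
    """Return a finding if host+path (query string ignored) match a listed indicator."""
    bare_path = path.split("?", 1)[0]
    for (ioc_host, ioc_path), label in INDICATORS.items():
        if host.lower() == ioc_host and bare_path == ioc_path:
            return f"{label}: {method} {host}{path}"
    return None

def check_http_response(content_type, body):
    """Flag a body whose magic bytes contradict a text/* Content-Type."""
    if not content_type.lower().startswith("text/"):
        return None
    if body[:2] == b"MZ":  # PE executable served as text (the masked payload above)
        return f"executable (MZ header) served as {content_type}"
    if body[:3] in (b"CWS", b"FWS", b"ZWS"):  # SWF magic (compressed/uncompressed)
        return f"Flash file served as {content_type}"
    return None

# Constructed sample transactions, not captured traffic.
SAMPLE_TRANSACTIONS = [
    {"method": "GET", "host": "www.gardeningtricks.net", "path": "/",
     "content_type": "text/html", "body": b"<html><iframe src=...></html>"},
    {"method": "GET", "host": "check.bespokebeta.com", "path": "/topic/",
     "content_type": "text/html", "body": b"<html>landing</html>"},
    {"method": "GET", "host": "check.bespokebeta.com", "path": "/topic/CONSTRUCTED.txt",
     "content_type": "text/plain", "body": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"method": "POST", "host": "resumosdenovela.net", "path": "/phsys.php",
     "content_type": "text/html", "body": b"ok"},
]

def scan(transactions):
    """Run both checks over every transaction and collect the findings."""
    findings = []
    for tx in transactions:
        req = check_http_request(tx["method"], tx["host"], tx["path"])
        if req:
            findings.append(req)
        resp = check_http_response(tx["content_type"], tx["body"])
        if resp:
            findings.append(f"{resp} from {tx['host']}{tx['path']}")
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_TRANSACTIONS):
        print(finding)
```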


Shown above: New naming variant of ransom note


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 94031600d215dcbd23e4cc14962a3008 – 2016-03-18-check-bespokebeta-com-Angler-EK.swf
  • 04e7c0aff2bde675438a4e2d0fa7f4ba – 2016-03-18-check-bespokebeta-com-TeslaCrypt.exe