Angler EK sends TeslaCrypt and Bedep – Ad fraud


NOTES:
Over the weekend I noticed a large increase in post infection TeslaCrypt traffic. Research of the post traffic pattern determined similar patterns were used with Bedep malware for ad fraud. Sentrant.com has a good detailed article regarding Bedep. [LINK]

ASSOCIATED DOMAINS:

  • netdetect.co – COMPROMISED SITE
  • 89.108.83.95 – x.entrepreneurmatchmaker.org – GET /topic/ – ANGLER EK LANDING PAGE
  • 46.101.17.191 – 123.yasyka1lyamhochy.info – GET /megaadvertize/ – admedia gate to Bedep
  • 50.87.127.96 – mkis.org – POST /phsys.php – POST INFECTION TRAFFIC [TeslaCrypt]

BEDEP ASSOCIATED DOMAINS:

  • www.ecb.europa.eu – Internet connection check associated with Bedep malware
  • 198.105.244.228 – zcbvstaxjtyglpxei8.com – POST INFECTION TRAFFIC [Bedep]
  • 198.105.244.228 – axeqiohhxjma.com – POST INFECTION TRAFFIC [Bedep]
  • 198.105.244.228 – tmhuysvhiudjmeoz.com – POST INFECTION TRAFFIC [Bedep]
  • 104.193.252.245 – jqtnohzbck5k.com – POST INFECTION TRAFFIC [Bedep]
  • 89.163.241.90 – neroclapsnewdoor.com – GET /ads.php? – Ad fraud – Click Fraud – [Bedep]
  • 162.244.32.121 – bookersmartest.xyz – GET /ads.php? – Ad fraud – Click Fraud – [Bedep]
  • 104.193.252.234 – lampubuntuadv.com – GET /ads.php? – Ad fraud – Click Fraud – [Bedep]

 

IMAGES and DETAILS:

Shown above: Hexadecimal script injection in compromised site redirecting to 123.yasyka1lyamhochy.info leading to Bedep infection. For details on how this was determined see previous post “admedia gates

 

Shown above: iframe injection in compromised site redirecting to x.entrepreneurmatchmaker.org – Angler EK landing page [TeslaCrypt]

 

Shown above: A known Bedep pattern used to check whether the infected computer has an active internet connection

 

Shown above: Referer shows redirect (iframe) from compromised site to Angler EK landing page

 

Shown above: Referer shows redirect (hexadecimal script) from compromised site to Bedep gate

 

Shown above: Bedep post infection traffic to C2 type hosts

 

Shown above: TeslaCrypt post infection traffic. Highlighted area shows new command and control host (C2)

 

Shown above: Ad fraud – click fraud traffic from Bedep infection

 

Shown above: New naming variant of TeslaCrypt ransom note
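As an added illustration (not part of the original post), the following heuristic reads constructed proxy-log lines in a made-up "timestamp client method host uri" format and flags the traffic patterns listed above: the admedia gate path, the ecb.europa.eu connectivity check followed shortly by a POST to a host the client has not contacted before, /ads.php? click-fraud requests, and POSTs to /phsys.php. The sample lines and the 60-second window are assumptions; the ECB-check rule in particular is noisy and is meant for triage rather than blocking.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not the post's pcap): "ts client method host uri"
SAMPLE_LOG = """\
1458600001 10.0.0.5 GET netdetect.co /
1458600002 10.0.0.5 GET 123.yasyka1lyamhochy.info /megaadvertize/
1458600010 10.0.0.5 GET www.ecb.europa.eu /
1458600012 10.0.0.5 POST zcbvstaxjtyglpxei8.com /
1458600020 10.0.0.5 GET neroclapsnewdoor.com /ads.php?
1458600100 10.0.0.5 POST mkis.org /phsys.php
1458600030 10.0.0.9 GET www.ecb.europa.eu /
1458600500 10.0.0.9 GET www.example.com /news
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\S+)$")
WINDOW = 60  # assumed: seconds after the ECB check in which a POST to a new host is suspicious


def parse(log):
    """Parse log lines into (ts, client, method, host, uri) tuples, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, uri = m.groups()
            events.append((int(ts), client, method, host, uri))
    return events


def detect(log):
    """Return {client: [alerts]} for the patterns described in the post, in time order."""
    alerts = defaultdict(list)
    by_client = defaultdict(list)
    for ev in parse(log):
        by_client[ev[1]].append(ev)
    for client, evs in by_client.items():
        evs.sort()                # tuples sort by timestamp first
        ecb_ts = None             # time of the last Bedep-style connectivity check
        seen_hosts = set()        # hosts this client contacted earlier in the log
        for ts, _, method, host, uri in evs:
            if host == "www.ecb.europa.eu":
                ecb_ts = ts
            elif ecb_ts is not None and method == "POST" and ts - ecb_ts <= WINDOW and host not in seen_hosts:
                alerts[client].append(f"bedep-c2-candidate {host}")
            if uri.startswith("/megaadvertize/"):
                alerts[client].append(f"admedia-gate-pattern {host}")
            if uri.startswith("/ads.php?"):
                alerts[client].append(f"click-fraud-pattern {host}")
            if method == "POST" and uri == "/phsys.php":
                alerts[client].append(f"teslacrypt-c2-pattern {host}")
            seen_hosts.add(host)
    return dict(alerts)
```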

 

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • f535259389b8b76a15f8f8a8dc647626 – 2016-03-21-Bedep-rasadhlp.dll (C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\rasadhlp.dll)
    Virus Total Link
  • ecfcf02405137ef1900c08a71e3a4ec6 – 2016-03-21-x-entrepreneurmatchmaker-org-Angler-EK.swf
    Virus Total Link
  • 0df3abe410ff6a73c93cab20bf79dc67 – 2016-03-21-x-entrepreneurmatchmaker-org-TeslaCrypt.exe
    Virus Total Link