Silverlight exploit leads to TeslaCrypt – CVE-2016-0034

NOTES: In an earlier post from today, "Angler EK sends TeslaCrypt and Bedep Ad fraud", I documented how Angler EK exploited the Flash plugin. I recently returned to the compromised site and found that Angler EK was also exploiting Microsoft Silverlight to deliver TeslaCrypt.

This exploit was noted in an article by Malware don't need Coffee.

ASSOCIATED DOMAINS:

  • netdetect.co – COMPROMISED SITE
  • 82.146.34.246 – three.gottyranny.info – ANGLER EK Landing Page [Silverlight]
  • 50.87.127.96 – mkis.org – POST /phsys.php – POST-INFECTION TRAFFIC [TeslaCrypt]

IMAGES and DETAILS:

Shown above: iframe injection in the compromised site redirecting to three.gottyranny.info – Angler EK landing page [TeslaCrypt]

Shown above: Angler EK landing page to Silverlight exploit

Shown above: Extracted Silverlight exploit from the Angler EK landing page

Shown above: Extracting packet 1366 and examining it in a text file, you can see the signature associated with the Silverlight exploit and the delivery of TeslaCrypt

Shown above: New naming variant of the TeslaCrypt ransom note
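The infection chain laid out above (compromised site, Angler EK landing page, Silverlight exploit, TeslaCrypt check-in to mkis.org) can be reconstructed per client from proxy logs. This is an added defender-side example, not part of the original post; the log line format, the sample paths and the `application/x-silverlight-app` content type are assumptions, while the hosts and the POST /phsys.php path come from the indicators listed above.

```python
import re
from collections import defaultdict

# Indicators taken from the post.
COMPROMISED_HOST = "netdetect.co"
LANDING_HOST = "three.gottyranny.info"
C2_HOST = "mkis.org"
C2_PATH = "/phsys.php"

# Assumed proxy-log format: <client> <method> <host> <path> <content-type>
LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\S+)$")

def parse(line):
    """Split one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, host, path, ctype = m.groups()
    return {"client": client, "method": method, "host": host,
            "path": path, "ctype": ctype}

def stage(ev):
    """Map a single request onto a stage of the Angler EK chain, or None."""
    if ev["host"] == COMPROMISED_HOST:
        return "compromised_site"
    if ev["host"] == LANDING_HOST and ev["ctype"] == "application/x-silverlight-app":
        return "silverlight_exploit"          # XAP pulled from the landing host
    if ev["host"] == LANDING_HOST:
        return "landing_page"
    if ev["host"] == C2_HOST and ev["method"] == "POST" and ev["path"] == C2_PATH:
        return "teslacrypt_checkin"           # post-infection traffic from the post
    return None

def find_chains(lines):
    """Return {client: [stages in order]} for clients that reached the check-in."""
    seen = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        s = stage(ev)
        if s and s not in seen[ev["client"]]:
            seen[ev["client"]].append(s)
    return {c: st for c, st in seen.items() if "teslacrypt_checkin" in st}

# Constructed sample log: one client completes the chain, one only hits the landing page.
SAMPLE_LOG = [
    "10.0.0.5 GET netdetect.co /index.html text/html",
    "10.0.0.5 GET three.gottyranny.info /landing text/html",
    "10.0.0.5 GET three.gottyranny.info /app.xap application/x-silverlight-app",
    "10.0.0.5 POST mkis.org /phsys.php application/x-www-form-urlencoded",
    "10.0.0.9 GET netdetect.co /index.html text/html",
    "10.0.0.9 GET three.gottyranny.info /landing text/html",
]
```

Running `find_chains(SAMPLE_LOG)` reports only 10.0.0.5, with the four stages in the order the post describes; the client that stopped at the landing page is left for lower-confidence triage.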

MD5 HASH FOR PAYLOAD FROM ANGLER EK:

3dc6d53d9f8f7851b9bfb491a7793f80 – 2016-03-21-three.gottyranny.info-TeslaCrypt.exe
VirusTotal link

Again, see my earlier post from today for more details.