Angler EK sends Ursnif

NOTES:
Angler EK appears to be sending a variant of the Ursnif Trojan. Ursnif is a password and information stealing Trojan. Information and data shared by malware-traffic-analysis shows a similar traffic pattern (EITest gate to Angler EK, followed by Ursnif callback traffic).

ASSOCIATED DOMAINS:

  • theholyqubticchurch.org – COMPROMISED SITE
  • 85.93.0.34 – new-forum-biz.tk – EITEST GATE TO ANGLER EK
  • 185.141.25.159 – q6d9.a391sh.top – GET /topic/ – ANGLER LANDING PAGE
  • nssdc.gsfc.nasa.gov – POST INFECTION TRAFFIC (LEGITIMATE HOST, USED ONLY AS A CONNECTIVITY CHECK)
  • 77.123.112.207 – idspaceagencyfact.com – POST INFECTION TRAFFIC
  • 109.87.165.28 – whestannouncement.com – POST INFECTION TRAFFIC

IMAGES and DETAILS:

Shown above: Examination of the compromised site's index page reveals an injected script that embeds a Flash object loaded from the new-forum-biz.tk gate, which is how the victim is redirected

Shown above: Examination of the new-forum-biz.tk index page reveals an injected script redirecting to the Angler EK landing page

Shown above: The Referer header shows the redirect from the compromised site to the redirect gate

Shown above: Known Angler landing page URI pattern, “GET /topic/”

Shown above: Packet 3889 shows the Angler Flash exploit being served. Packet 5902 shows the payload being delivered to the infected computer.

Shown above: The Startup tab in msconfig reveals a new executable in the user's roaming profile set to run at startup (the persistence mechanism for the dropped payload)

Shown above: Post infection traffic shows an HTTP request to nssdc.gsfc.nasa.gov, a legitimate host the malware uses to check for an active Internet connection; the request itself is not malicious, but it is a useful marker that the payload has started running

Shown above: Post infection traffic shows the malware sending outbound data as a .bin file to the post-infection domains listed above
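The infection chain described in the notes and captions above (compromised site, EITest gate, Angler landing page with the /topic/ URI, Flash exploit, payload, nasa.gov connectivity check, then callbacks to the post-infection domains) condensed into a small log-walker. This is an added example and not part of the original write-up. It assumes a simplified one-request-per-line log format, assumes the Flash exploit and payload responses can be told apart by their response content type, and the sample traffic is constructed; the domains, IPs and URI pattern are the indicators listed in this page.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Indicators copied from the write-up above (IPs in comments for reference).
COMPROMISED_SITE = "theholyqubticchurch.org"
EITEST_GATE = "new-forum-biz.tk"                 # 85.93.0.34
ANGLER_LANDING = "q6d9.a391sh.top"               # 185.141.25.159
ANGLER_LANDING_URI = "/topic/"
CONNECTIVITY_CHECK_HOST = "nssdc.gsfc.nasa.gov"  # legitimate host, used by the malware as a reachability test
C2_HOSTS = {"idspaceagencyfact.com",             # 77.123.112.207
            "whestannouncement.com"}             # 109.87.165.28

# Assumed log format (not the write-up's data): one request per line, space-separated:
#   <time> <src_ip> <dst_ip> <METHOD> <host> <uri> <referer-or-dash> [<response-content-type>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<uri>\S+) (?P<referer>\S+)(?: (?P<ctype>\S+))?$"
)
Request = namedtuple("Request", "ts src dst method host uri referer ctype")


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    reqs = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            reqs.append(Request(**m.groupdict()))
    return reqs


def referer_host(referer):
    """Host part of a Referer URL, or None when the field is '-'."""
    return None if referer == "-" else urlparse(referer).hostname


def analyze(requests):
    """Map each client IP to the chain stages seen for it (first hit per stage).

    Stage tests, in chain order:
      compromised_site    any request to the compromised site
      eitest_gate         request to the gate whose Referer is the compromised site
      angler_landing      GET /topic/... on the Angler host
      flash_exploit       Angler host answering with Flash (content type is an assumption)
      payload             Angler host answering with application/octet-stream (assumption)
      connectivity_check  request to the nasa.gov host, only counted once a payload was seen
      c2_exfil            POST of a .bin URI to one of the post-infection domains
    """
    per_client = {}
    for r in requests:
        stages = per_client.setdefault(r.src, {})
        ref = referer_host(r.referer)
        if r.host == COMPROMISED_SITE:
            stages.setdefault("compromised_site", r)
        elif r.host == EITEST_GATE and ref == COMPROMISED_SITE:
            stages.setdefault("eitest_gate", r)
        elif r.host == ANGLER_LANDING and r.method == "GET" and r.uri.startswith(ANGLER_LANDING_URI):
            stages.setdefault("angler_landing", r)
        elif r.host == ANGLER_LANDING and r.ctype == "application/x-shockwave-flash":
            stages.setdefault("flash_exploit", r)
        elif r.host == ANGLER_LANDING and r.ctype == "application/octet-stream":
            stages.setdefault("payload", r)
        elif r.host == CONNECTIVITY_CHECK_HOST and "payload" in stages:
            stages.setdefault("connectivity_check", r)
        elif r.host in C2_HOSTS and r.method == "POST" and r.uri.endswith(".bin"):
            stages.setdefault("c2_exfil", r)
    return per_client


def verdict(stages):
    """Escalate from the deepest stage reached; a nasa.gov hit on its own proves nothing."""
    if "c2_exfil" in stages:
        return "infected"
    if "payload" in stages or "flash_exploit" in stages or "angler_landing" in stages:
        return "exploit-attempt"
    if "eitest_gate" in stages:
        return "redirect-only"
    return "clean"


# Constructed sample traffic (not a real capture); 192.0.2.x addresses and the
# non-/topic/ paths are placeholders.
SAMPLE_LOG = """
2016-03-23T14:00:01 10.0.0.5 192.0.2.1 GET theholyqubticchurch.org / - text/html
2016-03-23T14:00:02 10.0.0.5 85.93.0.34 GET new-forum-biz.tk / http://theholyqubticchurch.org/ text/html
2016-03-23T14:00:03 10.0.0.5 185.141.25.159 GET q6d9.a391sh.top /topic/12345/ http://new-forum-biz.tk/ text/html
2016-03-23T14:00:04 10.0.0.5 185.141.25.159 GET q6d9.a391sh.top /constructed-swf-path http://q6d9.a391sh.top/topic/12345/ application/x-shockwave-flash
2016-03-23T14:00:06 10.0.0.5 185.141.25.159 GET q6d9.a391sh.top /constructed-payload-path - application/octet-stream
2016-03-23T14:00:20 10.0.0.5 192.0.2.2 GET nssdc.gsfc.nasa.gov / - text/html
2016-03-23T14:00:25 10.0.0.5 77.123.112.207 POST idspaceagencyfact.com /images/constructed.bin -
2016-03-23T14:05:00 10.0.0.9 192.0.2.2 GET nssdc.gsfc.nasa.gov / - text/html
"""

if __name__ == "__main__":
    for client, stages in analyze(parse_log(SAMPLE_LOG)).items():
        print(client, verdict(stages), "->", " > ".join(stages))
```

The second client in the sample only touches nssdc.gsfc.nasa.gov and is reported clean, which is the point of gating the connectivity check on an earlier payload stage: the nasa.gov request is ordinary traffic and only becomes interesting when it follows the exploit chain.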

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 94e56e1c05a526229fc832dfedb0b9a5 – 2016-03-23-q6d9-a391sh-top-Angler-EK.swf
    VirusTotal link
  • 11d515c2a2135ca00398b88eebbf9299 – 2016-03-23-q6d9-a391sh-top-cmdidWCN.exe
    VirusTotal link