Angler EK from 188.120.254.113 Exploits Flash and Silverlight

PCAP files of the infection traffic:
2016-03-26-flash-exploit.pcap
2016-03-26-silverlight-exploit.pcap



ASSOCIATED DOMAINS: (Run one: Flash exploit)

  • foodwastenews.com – COMPROMISED SITE
  • 188.120.254.113 – crabby.rusticbathtubs.com – GET /topic/ – ANGLER EK LANDING PAGE
  • 104.73.195.113 – www.ecb.europa.eu – BEDEP INTERNET CONNECTION CHECK
  • 87.238.192.67 – videoaminproduktion.de – POST /plugins/binstr.php – POST INFECTION TRAFFIC [TeslaCrypt]

 

IMAGES and DETAILS:

Shown above: Referer shows redirect from compromised site to Angler landing page

 

Shown above: Angler EK Flash exploit.

 

Shown above: Angler EK Flash exploit metadata

 

ASSOCIATED DOMAINS: (Run two: Silverlight exploit)

  • foodwastenews.com – COMPROMISED SITE
  • 188.120.254.113 – knee.kaagsurveyors.com – GET /topic/ – ANGLER EK LANDING PAGE
  • 104.73.195.113 – www.ecb.europa.eu – BEDEP INTERNET CONNECTION CHECK
  • 87.238.192.67 – videoaminproduktion.de – POST /plugins/binstr.php – POST INFECTION TRAFFIC [TeslaCrypt]

 

Shown above: Referer shows redirect from compromised site to Angler landing page. Same IP address, different domain name.
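The chain in both runs can be reconstructed from nothing more than destination IP, Host header, request line and Referer. The script below is an added example (not part of this write-up and not a parse of the PCAPs above); its request records are constructed to mirror the two runs listed on this page, and since the page does not give the IP address of the compromised site, the TEST-NET address 203.0.113.10 stands in for it. It labels each request the way the lists above do, pulls out the compromised-site-to-landing-page redirect edges from the Referer header, and reports any destination IP that served more than one hostname, which is the "same IP, different domain" pattern seen across the two runs.

```python
"""Reconstruct the Angler infection chain from HTTP request metadata.

Added example; not part of the original write-up and not a parse of its
PCAPs. REQUESTS is constructed to mirror the two runs listed on the page.
The compromised site's IP is not given there, so 203.0.113.10 (TEST-NET)
is a placeholder.
"""
from collections import defaultdict
from urllib.parse import urlparse

# (dst_ip, Host header, method, URI, Referer header or None) -- constructed
REQUESTS = [
    # run one: Flash exploit
    ("203.0.113.10", "foodwastenews.com", "GET", "/", None),
    ("188.120.254.113", "crabby.rusticbathtubs.com", "GET", "/topic/", "http://foodwastenews.com/"),
    ("104.73.195.113", "www.ecb.europa.eu", "GET", "/", None),
    ("87.238.192.67", "videoaminproduktion.de", "POST", "/plugins/binstr.php", None),
    # run two: Silverlight exploit
    ("203.0.113.10", "foodwastenews.com", "GET", "/", None),
    ("188.120.254.113", "knee.kaagsurveyors.com", "GET", "/topic/", "http://foodwastenews.com/"),
    ("104.73.195.113", "www.ecb.europa.eu", "GET", "/", None),
    ("87.238.192.67", "videoaminproduktion.de", "POST", "/plugins/binstr.php", None),
]

# Indicators taken from the associated-domains lists on this page.
COMPROMISED = {"foodwastenews.com"}
ANGLER_IPS = {"188.120.254.113"}
BEDEP_CHECK_HOSTS = {"www.ecb.europa.eu"}
POST_INFECTION = {("POST", "/plugins/binstr.php")}


def classify(req):
    """Label one request with the same categories the page uses."""
    ip, host, method, uri, _referer = req
    if ip in ANGLER_IPS and uri == "/topic/":
        return "ANGLER EK LANDING PAGE"
    if host in BEDEP_CHECK_HOSTS:
        return "BEDEP INTERNET CONNECTION CHECK"
    if (method, uri) in POST_INFECTION:
        return "POST INFECTION TRAFFIC"
    if host in COMPROMISED:
        return "COMPROMISED SITE"
    return "UNCLASSIFIED"


def hosts_per_ip(requests):
    """Map each destination IP to the sorted list of Host headers seen for it."""
    seen = defaultdict(set)
    for ip, host, *_ in requests:
        seen[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in seen.items()}


def shared_ip_hosts(requests):
    """IPs that served more than one hostname (same IP, different domain)."""
    return {ip: h for ip, h in hosts_per_ip(requests).items() if len(h) > 1}


def redirect_edges(requests):
    """(referer host, landing host) for every landing-page hit carrying a Referer."""
    edges = []
    for req in requests:
        referer, host = req[4], req[1]
        if referer and classify(req) == "ANGLER EK LANDING PAGE":
            edges.append((urlparse(referer).hostname, host))
    return edges


def infection_chain(requests):
    """Ordered (host, label) pairs, dropping anything the indicators do not cover."""
    chain = []
    for req in requests:
        label = classify(req)
        if label != "UNCLASSIFIED":
            chain.append((req[1], label))
    return chain


if __name__ == "__main__":
    for host, label in infection_chain(REQUESTS):
        print(f"{host:30s} {label}")
    print("IPs serving several hostnames:", shared_ip_hosts(REQUESTS))
    print("redirect edges:", redirect_edges(REQUESTS))
```

On real traffic the same logic runs over the output of a tool that already splits HTTP requests per flow (tshark's `http.host`, `http.request.uri` and `http.referer` fields, for example); the IP-to-hostname grouping is what catches the second landing domain even when the hostname indicator from the first run is stale.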

 

Shown above: Angler EK for Microsoft Silverlight (CVE-2016-0034)

 

Shown above: Angler Silverlight exploit extracted from packet 2408
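Pulling the Silverlight object out of the stream by hand means locating the end of the HTTP headers and then the ZIP local-file-header signature, because a XAP is a ZIP container with an AppManifest.xaml inside. The script below is an added example, not part of this write-up; it assumes the exploit is served as a plain, unobfuscated XAP (the page does not describe how the object on the wire is encoded), and the HTTP response it carves is constructed in build_sample_response(), with assumed file names, to stand in for the packet-2408 stream. It splits headers from body, finds the ZIP magic, lists the archive entries, reads the entry-point assembly from the manifest and hashes the carved bytes so they can be matched against the MD5 lists further down.

```python
"""Carve a Silverlight application (XAP) out of a raw HTTP response.

Added example, not from the original write-up. The response bytes are
constructed in build_sample_response() and the file names inside the XAP
are assumed; nothing here is taken from the real exploit object.
"""
import hashlib
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature


def build_sample_response() -> bytes:
    """Constructed HTTP/1.1 response carrying a minimal XAP (a ZIP container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "AppManifest.xaml",
            '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
            'EntryPointAssembly="App" EntryPointType="App.Main" />',
        )
        z.writestr("App.dll", b"MZ" + b"\x00" * 62)  # placeholder bytes, not a real assembly
    body = buf.getvalue()
    head = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-silverlight-app\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return head + body


def split_http_response(raw: bytes):
    """Return (lower-cased header dict, body bytes); the body follows the blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def md5_hex(data: bytes) -> str:
    """MD5 of the carved object, in the form used by the hash lists on this page."""
    return hashlib.md5(data).hexdigest()


def carve_xap(body: bytes):
    """Locate the ZIP signature in the body and parse the XAP; None if no ZIP is present."""
    start = body.find(ZIP_MAGIC)
    if start < 0:
        return None
    data = body[start:]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        manifest = ""
        if "AppManifest.xaml" in names:
            manifest = z.read("AppManifest.xaml").decode("utf-8", "replace")
    m = re.search(r'EntryPointAssembly="([^"]+)"', manifest)
    return {
        "offset": start,
        "md5": md5_hex(data),
        "entries": names,
        "entry_point_assembly": m.group(1) if m else None,
    }


if __name__ == "__main__":
    hdrs, body = split_http_response(build_sample_response())
    print("content-type:", hdrs.get("content-type"))
    print(carve_xap(body))
```

With a real capture, the body comes from Wireshark's Follow TCP Stream (raw, server side only) or from Export Objects / HTTP; the carve step matters when the server response is chunked or padded and the exported object does not begin exactly at the ZIP signature.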

 

Shown above: TeslaCrypt ransom note with new naming pattern

 

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: (Run one: Flash exploit)

  • 4fc010ba90fe046a3cd5d605c23fb696 – 2016-03-26-crabby-rusticbathtubs-com-Angler-EK.swf
  • 2a4630c5c15d8f53b0b3dbe4f49e64e0 – 2016-03-26-crabby-rusticbathtubs-com-Bedep.dll
  • 4767da4830027c3ac2c33b5f877c5a57 – 2016-03-26-crabby-rusticbathtubs-com-TeslaCrypt.exe

 

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: (Run two: Silverlight exploit)

  • 2a4630c5c15d8f53b0b3dbe4f49e64e0 – 2016-03-26-knee-kaagsurveyors-com-Bedep.dll
  • 34cc34d6dd8a37c79c4f6ca1373b053f – 2016-03-26-knee-kaagsurveyors-com-TeslaCrypt.exe