Angler EK – TeslaCrypt – NEW C2 URI Structure “binarystings.php”

PCAP file of the infection traffic:
2016-03-28-obsolete-allnewcountry-net.pcap

ASSOCIATED DOMAINS:

  • events.horizonswebsite.com – COMPROMISED SITE
  • 89.108.83.124 – obsolete.allnewcountry.net – GET /topic/ – ANGLER EK LANDING PAGE
  • 104.73.195.113 – www.ecb.europa.eu – BEDEP INTERNET CONNECTION CHECK
  • 23.229.240.164 – drlarrybenovitz.com – POST /qhcka/templates/binarystings.php – POST INFECTION TRAFFIC [TeslaCrypt]
  • 160.153.63.4 – holishit.in – POST /wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php – POST INFECTION TRAFFIC [TeslaCrypt]

IMAGES and DETAILS:

Shown above: iframe script injection from compromised site sub-domain “events”

Shown above: Compromised site index page shows iframe redirect to Angler EK landing page

Shown above: Referer shows redirect from compromised site to Angler landing page

Shown above: Known Bedep signature to check for active internet connection

Shown above: TeslaCrypt post infection traffic. Highlighted area shows the new command and control (C2) host URI structure “/binarystings.php”
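As an added example (not part of the original write-up), a small Python detector that runs over constructed proxy log lines: it flags POSTs whose URI ends in the new C2 script name regardless of the directory prefix (the prefix differs per compromised host, as the two domains above show), and notes whether the same client made the Bedep-style connectivity request first. The log format, timestamps and client IPs are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the PCAP): hosts and URIs mirror the
# write-up, while the timestamps and client IPs are made up for illustration.
SAMPLE_LOG = """\
2016-03-28T14:02:11 10.0.0.25 GET events.horizonswebsite.com /
2016-03-28T14:02:12 10.0.0.25 GET obsolete.allnewcountry.net /topic/
2016-03-28T14:02:19 10.0.0.25 GET www.ecb.europa.eu /
2016-03-28T14:02:31 10.0.0.25 POST drlarrybenovitz.com /qhcka/templates/binarystings.php
2016-03-28T14:02:40 10.0.0.25 POST holishit.in /wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php
2016-03-28T14:03:02 10.0.0.31 GET www.ecb.europa.eu /
2016-03-28T14:03:05 10.0.0.31 POST intranet.example /upload/binarystings.php?x=1
2016-03-28T14:05:00 10.0.0.44 GET www.ecb.europa.eu /stats/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")
C2_SCRIPT = "binarystings.php"         # new TeslaCrypt C2 URI basename from the write-up
BEDEP_CHECK_HOST = "www.ecb.europa.eu"  # host Bedep contacts to test internet connectivity

def parse(log_text):
    """Yield one dict per well-formed log line (assumed 'ts src method host uri' layout)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, host, uri = m.groups()
            yield {"ts": ts, "src": src, "method": method, "host": host, "uri": uri}

def is_c2_post(rec):
    # Match on the script name only; the query string and directory prefix vary.
    path = urlsplit(rec["uri"]).path
    return rec["method"] == "POST" and path.rsplit("/", 1)[-1] == C2_SCRIPT

def find_infections(log_text):
    """Return {client_ip: {"c2_hosts": [...], "bedep_check": bool}} for clients that
    POSTed to the C2 script. A lone GET to the ECB host is benign on its own, so it is
    only recorded as corroboration when it precedes a C2 POST from the same client."""
    seen_check = set()
    hits = defaultdict(lambda: {"c2_hosts": [], "bedep_check": False})
    for rec in parse(log_text):
        if rec["method"] == "GET" and rec["host"] == BEDEP_CHECK_HOST:
            seen_check.add(rec["src"])
        elif is_c2_post(rec):
            hit = hits[rec["src"]]
            hit["c2_hosts"].append(rec["host"])
            hit["bedep_check"] = rec["src"] in seen_check
    return dict(hits)

if __name__ == "__main__":
    for src, info in find_infections(SAMPLE_LOG).items():
        print(src, info)
```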

Shown above: Changes in TeslaCrypt ransom note and recovery instructions

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 6b9034bd52c3076a5e8f34a5c12bdb0c – 2016-03-28-obsolete-allnewcountry-net-Angler-EK.swf
  • 7ae09161b9d911169d1b05f1b91f80be – 2016-03-28-obsolete-allnewcountry-net-Bedep.dll
    C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
  • 9ff9fff36f6d7d76a12b09f9bf3c30bb – 2016-03-28-obsolete-allnewcountry-net-TeslaCrypt.exe