Angler EK sends NeutrinoBot, Andromeda and Lethic


NOTES:
Today’s Angler infection chain led to Bedep, TeslaCrypt and a third payload which fits the pattern of the Neutrino, Andromeda and Lethic botnets. The botnet pattern was identified by
@malwrhunterteam, @Techhelplistcom and @mesa_matt.

 

ASSOCIATED DOMAINS:

  • www.airikaowen.com – COMPROMISED SITE
  • 185.46.11.64 – graceful.philgrawberg.com – GET /topic/ – ANGLER LANDING PAGE
  • 46.101.17.191 – asd.yasyka1lyamhochy.info – GET /megaadvertize/ – admedia GATE
  • 104.73.195.113 – www.ecb.europa.eu – Bedep INTERNET CONNECTION CHECK
  • 23.229.240.164 – drlarrybenovitz.com – POST /qhcka/templates/binarystings.php – POST INFECTION TRAFFIC [TeslaCrypt]
  • 160.153.63.4 – holishit.in – POST /wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php – POST INFECTION TRAFFIC [TeslaCrypt]

POST INFECTION TRAFFIC ASSOCIATED WITH BEDEP:

  • 198.105.244.228 – NUMEROUS DOMAIN GENERATED NAMES
  • 104.193.252.245 – NUMEROUS DOMAIN GENERATED NAMES

POST INFECTION TRAFFIC ASSOCIATED WITH BOTNET:

  • 171.35.182.56 – dom.altincopps.com – POST /dom/tasks.php
  • 107.155.99.135 – domand.altincopps.com – POST /domand/gate.php
  • 217.23.15.136 – POST INFECTION TRAFFIC [LETHIC]
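
The indicator lists above can be turned directly into a log check. The Python below is an added example, not part of the original analysis: it matches constructed proxy log lines against the hosts, IPs and check-in URIs listed in this post (the binarystings.php POSTs for TeslaCrypt, the tasks.php/gate.php POSTs for the botnet) and applies the Bedep pattern noted above, many generated hostnames resolving to one IP. The log format and the sample lines, including the made-up DGA-looking hostnames, are constructed for the example.

```python
"""Added example: match proxy log lines against the indicators in this post.
Log format and sample lines are constructed; indicators come from the post."""
import re
from collections import defaultdict

# Host indicators listed in the post and what the post says they are.
IOC_HOSTS = {
    "www.airikaowen.com": "compromised site (redirects to Angler)",
    "graceful.philgrawberg.com": "Angler landing page",
    "asd.yasyka1lyamhochy.info": "admedia gate",
    "drlarrybenovitz.com": "TeslaCrypt post-infection",
    "holishit.in": "TeslaCrypt post-infection",
    "dom.altincopps.com": "botnet tasks.php",
    "domand.altincopps.com": "botnet gate.php",
}
# IP indicators listed in the post.
IOC_IPS = {
    "185.46.11.64": "Angler landing page",
    "46.101.17.191": "admedia gate",
    "23.229.240.164": "TeslaCrypt post-infection",
    "160.153.63.4": "TeslaCrypt post-infection",
    "171.35.182.56": "botnet tasks.php",
    "107.155.99.135": "botnet gate.php",
    "217.23.15.136": "Lethic post-infection",
    "198.105.244.228": "Bedep (domain-generated names)",
    "104.193.252.245": "Bedep (domain-generated names)",
}
# Check-in paths from the post: TeslaCrypt's binarystings.php, botnet tasks.php/gate.php.
IOC_URI_RE = re.compile(r"/binarystings\.php$|/(?:tasks|gate)\.php$")

# Constructed log format: "<time> <method> <host> <server-ip> <path>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<path>\S+)$"
)

# Constructed sample log. Lines 6-8 use invented hostnames to mimic the
# Bedep pattern of many generated names going to one IP; 203.0.113.10 and
# 198.51.100.5 are documentation-range placeholders.
SAMPLE_LOG = """\
10:01:02 GET www.airikaowen.com 203.0.113.10 /
10:01:03 GET graceful.philgrawberg.com 185.46.11.64 /topic/
10:01:09 GET www.ecb.europa.eu 104.73.195.113 /
10:01:15 POST drlarrybenovitz.com 23.229.240.164 /qhcka/templates/binarystings.php
10:01:20 POST dom.altincopps.com 171.35.182.56 /dom/tasks.php
10:01:21 GET qazxswedc.com 198.105.244.228 /
10:01:22 GET plmoknijb.net 198.105.244.228 /
10:01:23 GET rfvtgbyhn.org 198.105.244.228 /
10:01:30 GET www.example.com 198.51.100.5 /index.html
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons a parsed entry matches the post's indicators."""
    reasons = []
    if entry["host"] in IOC_HOSTS:
        reasons.append("host: " + IOC_HOSTS[entry["host"]])
    if entry["ip"] in IOC_IPS:
        reasons.append("ip: " + IOC_IPS[entry["ip"]])
    if entry["method"] == "POST" and IOC_URI_RE.search(entry["path"]):
        reasons.append("uri: post-infection check-in path")
    return reasons


def dga_candidates(entries, min_hosts=3):
    """Bedep pattern from the post: one server IP reached under many distinct
    hostnames. Returns {ip: sorted hostnames} for IPs at or above the threshold."""
    hosts_by_ip = defaultdict(set)
    for e in entries:
        hosts_by_ip[e["ip"]].add(e["host"])
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_hosts}


def analyze(log_text):
    """Run indicator matching and the DGA heuristic over a whole log text."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hits = []
    for e in entries:
        reasons = classify(e)
        if reasons:
            hits.append((e["ts"], e["host"], reasons))
    return {"hits": hits, "dga": dga_candidates(entries)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, host, reasons in result["hits"]:
        print(ts, host, "; ".join(reasons))
    for ip, hosts in result["dga"].items():
        print("many hostnames ->", ip, hosts)
```

The ecb.europa.eu line is deliberately not flagged: the post identifies it as Bedep's connectivity check against a legitimate site, so it is context for an analyst rather than an indicator to alert on.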

 

IMAGES and DETAILS:

Shown above: Compromised site leading to Angler EK landing page

 

Shown above: iframe injection in index page of compromised site redirecting to Angler landing page

 

Shown above: Post TeslaCrypt infection with new URI structure “binarystings.php”

 

Shown above: Post Andromeda style traffic (PRE-COMPUTER RESTART)

 

Shown above: Post infection registry entries. Highlighted .exe shows botnet payload (PRE-COMPUTER RESTART)

 

Shown above: Registry entries after restart consistent with the Lethic botnet. See zscaler.com research [HERE]

 

Shown above: After restart of the infected computer, the Lethic botnet downloads the .exe payloads shown in the registry entries above

 

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

 

FINAL NOTES:
The analysis was performed to track the infection chain traffic, not to identify the exact variant of malware. A download link was provided should you wish to analyze further.

Again thank you to @malwrhunterteam, @Techhelplistcom and @mesa_matt. I follow them on Twitter. If you are interested in malware, they provide a great source of malware information.