Angler EK sends Andromeda botnet with TeslaCrypt ransomware

NOTES:
In yesterday's post I mentioned Angler was sending a botnet payload along with Bedep and TeslaCrypt. Today I continue to see Angler using the Flash exploit to send the botnet payload, which resembles Andromeda.

ASSOCIATED DOMAINS:

  • 89.108.83.112 – unit.wnyma.biz – GET /topic/ – ANGLER LANDING PAGE
  • 104.73.195.113 – www.ecb.europa.eu – BEDEP INTERNET CONNECTION CHECK
  • 91.250.80.97 – naturstein-schubert.de – POST /modules/mod_cmscore/stringfile.php – POST INFECTION TRAFFIC [TeslaCrypt]

POST INFECTION TRAFFIC ASSOCIATED WITH ANDROMEDA BOT:

  • 171.35.182.56 – dom.altincopps.com – POST /dom/tasks.php
  • 103.234.36.148 – GET /domand758.exe
  • 107.155.99.135 – domand.altincopps.com – POST /domand/gate.php
  • 217.23.15.136 – GET /82LAkjdbqwjbdqhdbdqkkdKJDSBssssjdzzz1asc1.exe


IMAGES and DETAILS:

Shown above: Using the http.request filter shows the compromised site and the Angler EK landing page


Shown above: Examination of the compromised site's index page shows an injected iframe redirecting to the Angler EK landing page


Shown above: Using the http.content_type=="application/x-shockwave-flash" filter shows the Angler EK landing page's Flash exploit (Flash version 19,0,0,245)


Shown above: Using the http.request.method eq POST filter shows the TeslaCrypt post-infection check-in with a new URI pattern, /stringfile.php


Shown above: Andromeda post-infection check-in and download of "domand758.exe"


Shown above: TeslaCrypt returned to using .html file as ransom note


Shown above: Examination of the infected computer's registry shows the directory and the Andromeda payload
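The Wireshark filters used in the screenshots above (http.request, the Flash content-type filter, http.request.method eq POST) and the indicator list at the top of the post can be combined into a small triage script for proxy or Bro/Zeek-style HTTP logs. The following is an added example written for this post, not code from the original; the log format (one request per line: timestamp, client IP, server IP, Host header, method, URI, response Content-Type) and every log line are constructed for the demo, and the "/topic/swf" path for the Flash object is a placeholder. The indicators themselves are the ones listed above. Note that www.ecb.europa.eu is a legitimate site that Bedep only uses as a connectivity check, so it is kept as a weak indicator that never produces a verdict on its own.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class HttpRecord:
    ts: str
    src: str
    dst: str
    host: str
    method: str
    uri: str
    content_type: str  # response Content-Type, "-" if unknown

# Hypothetical log format: ts src dst host method uri content_type
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return HttpRecord(*m.groups()) if m else None

# (dst ip, host or None, method, uri prefix or None, label, strong)
# Values taken from the indicator lists in the post. host=None / uri=None
# means the post gave only the IP or no path for that indicator.
INDICATORS = [
    ("89.108.83.112", "unit.wnyma.biz", "GET", "/topic/", "Angler EK landing page", True),
    ("104.73.195.113", "www.ecb.europa.eu", "GET", None, "Bedep internet connection check (legitimate site)", False),
    ("91.250.80.97", "naturstein-schubert.de", "POST", "/modules/mod_cmscore/stringfile.php", "TeslaCrypt post-infection check-in", True),
    ("171.35.182.56", "dom.altincopps.com", "POST", "/dom/tasks.php", "Andromeda post-infection traffic (tasks.php)", True),
    ("103.234.36.148", None, "GET", "/domand758.exe", "Andromeda payload download (domand758.exe)", True),
    ("107.155.99.135", "domand.altincopps.com", "POST", "/domand/gate.php", "Andromeda post-infection traffic (gate.php)", True),
    ("217.23.15.136", None, "GET", "/82LAkjdbqwjbdqhdbdqkkdKJDSBssssjdzzz1asc1.exe", "Andromeda second executable download", True),
]

def match_indicator(rec):
    """Return (label, strong) for the first indicator the record matches, else None."""
    for ip, host, method, uri, label, strong in INDICATORS:
        if rec.dst != ip or rec.method != method:
            continue
        if host is not None and rec.host != host:
            continue
        if uri is not None and not rec.uri.startswith(uri):
            continue
        return label, strong
    return None

def is_flash_response(rec):
    """Equivalent of the http.content_type == application/x-shockwave-flash filter."""
    return rec.content_type == "application/x-shockwave-flash"

def triage(lines):
    """Group hits per client IP: strong/weak indicator matches and Flash downloads."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line, skip rather than crash
        hits = findings.setdefault(rec.src, {"strong": [], "weak": [], "flash": []})
        m = match_indicator(rec)
        if m:
            label, strong = m
            hits["strong" if strong else "weak"].append((rec.ts, label))
        if is_flash_response(rec):
            hits["flash"].append((rec.ts, rec.host + rec.uri))
    return findings

def verdict(hits):
    """Strong indicator => infected; weak indicator plus a Flash object => suspicious."""
    if hits["strong"]:
        return "infected"
    if hits["weak"] and hits["flash"]:
        return "suspicious"
    return "clean"

# Constructed sample log: 10.0.0.5 walks the chain in the post; 10.0.0.7 only
# visits the ECB site; 10.0.0.9 is unrelated browsing.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 89.108.83.112 unit.wnyma.biz GET /topic/ text/html
10:00:03 10.0.0.5 89.108.83.112 unit.wnyma.biz GET /topic/swf application/x-shockwave-flash
10:00:09 10.0.0.5 104.73.195.113 www.ecb.europa.eu GET / text/html
10:00:15 10.0.0.5 91.250.80.97 naturstein-schubert.de POST /modules/mod_cmscore/stringfile.php text/html
10:00:20 10.0.0.5 171.35.182.56 dom.altincopps.com POST /dom/tasks.php text/html
10:00:25 10.0.0.5 103.234.36.148 103.234.36.148 GET /domand758.exe application/octet-stream
10:05:00 10.0.0.7 104.73.195.113 www.ecb.europa.eu GET /press/ text/html
10:06:00 10.0.0.9 198.51.100.10 example.com GET / text/html
this line is garbage
"""

if __name__ == "__main__":
    for src, hits in triage(SAMPLE_LOG.splitlines()).items():
        print(src, verdict(hits))
        for ts, label in hits["strong"] + hits["weak"]:
            print("   ", ts, label)
```

Matching is on destination IP plus Host header and URI prefix, because the Andromeda hosts in the post share a domain but differ in path and IP; a hostname-only match would lump them together, and an IP-only match would miss the cases where the post gives only a path.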


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: