Angler Exploit Kit sends Vawtrak with TeslaCrypt ransomware

ASSOCIATED DOMAINS:

  • 89.108.83.129 – ladybug.baldorabuilders.com – GET /topic/ – ANGLER LANDING PAGE
  • 46.101.17.191 – qwe.yasyka1lyamhochy.info – admedia style gate
  • 91.250.80.97 – naturstein-schubert.de – POST /modules/mod_cmscore/stringfile.php – POST INFECTION TRAFFIC [TeslaCrypt]
  • 64.32.26.89 – nordijors.com – POST /data/feeder – POST INFECTION TRAFFIC [Vawtrak]


IMAGES and DETAILS:

Shown above: pcap traffic showing compromised site redirecting to Angler Exploit Kit landing page


Shown above: Injected hexadecimal script in compromised site index page resulting in redirect to an admedia style gate qwe.yasyka1lyamhochy.info


Shown above: Copy and paste of injected hexadecimal script from compromised site index page shows admedia gate URL


Shown above: Second injected iframe found in compromised site index page redirecting to Angler EK landing page


Shown above: Extraction of flash exploit using File => Export Objects => HTTP


Shown above: Examination of the flash file's metadata shows a known pattern or signature for Angler Exploit Kit


Shown above: TeslaCrypt post infection traffic with latest URI structure /stringfile.php


Shown above: Vawtrak post infection traffic using known URI signature POST /data/feeder
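As an added example (not part of the original write-up), a small Python triage script that checks request log lines against the host and URI indicators listed above and decodes a hex-escaped injected script to surface the gate hostname. The log line format, the sample log and the hex-escaped snippet are constructed for the example; only the hosts and URIs come from the write-up.

```python
"""Triage helper: match request logs against this write-up's indicators and decode hex-escaped script."""
import re

# Indicators taken from the write-up: (host, method or None, path prefix or None, label).
INDICATORS = [
    ("ladybug.baldorabuilders.com", "GET", "/topic/", "Angler EK landing page"),
    ("qwe.yasyka1lyamhochy.info", None, None, "admedia-style gate"),
    ("naturstein-schubert.de", "POST", "/modules/mod_cmscore/stringfile.php", "TeslaCrypt post-infection"),
    ("nordijors.com", "POST", "/data/feeder", "Vawtrak post-infection"),
]

# Assumed log format (hypothetical, not any tool's real output): "<date> <time> <METHOD> <host><path> ...".
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<method>[A-Z]+) (?P<host>[^ /]+)(?P<path>/\S*)")

def classify(method, host, path):
    """Return the indicator label for one request, or None if nothing matches."""
    for ind_host, ind_method, ind_path, label in INDICATORS:
        if (host == ind_host and (ind_method is None or method == ind_method)
                and (ind_path is None or path.startswith(ind_path))):
            return label
    return None

def triage(log):
    """Return [(timestamp, label)] for every log line that hits an indicator."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log.splitlines())):
        label = classify(m["method"], m["host"], m["path"])
        if label:
            hits.append((m["ts"], label))
    return hits

def decode_hex_script(blob):
    """Turn a '\\x3c\\x69...' escaped script string back into readable text."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), blob)

def extract_hosts(text):
    """Collect hostnames from any http(s) URLs found in de-obfuscated script text."""
    return sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", text)))

# Constructed sample log following the chain described above; timestamps and the gate path are made up.
SAMPLE_LOG = """\
2016-03-30 10:00:01 GET qwe.yasyka1lyamhochy.info/ HTTP/1.1
2016-03-30 10:00:02 GET ladybug.baldorabuilders.com/topic/ HTTP/1.1
2016-03-30 10:00:30 POST naturstein-schubert.de/modules/mod_cmscore/stringfile.php HTTP/1.1
2016-03-30 10:00:31 POST nordijors.com/data/feeder HTTP/1.1
"""

# Constructed stand-in for the injected hex script: the gate URL as \xNN escapes, generated from plain text.
GATE_SNIPPET = "".join("\\x%02x" % b for b in b'src="http://qwe.yasyka1lyamhochy.info/"')
```

Running `triage(SAMPLE_LOG)` yields one hit per stage of the chain, and `extract_hosts(decode_hex_script(GATE_SNIPPET))` recovers the gate hostname from the escaped string.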


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 139235791daa4b46ada1a7b7aa92991d – 2016-03-30-ladybug-baldorabuilders-com-Angler-ek.swf
  • c0955fc62cc6bfcca6eb81be43bc9fbc – 2016-03-30-ladybug-baldorabuilders-com-TeslaCrypt.exe
  • c51a60bc2cda6de73507097611c9bfae – 2016-03-30-ladybug-baldorabuilders-com-Vawtrak.dll