Angler EK sends TeslaCrypt – Payload delivery back to octet-stream

NOTES:
Yesterday I noticed new Angler EK payload delivery methods and a new start-up location. It is not uncommon to see Angler send its payload masked as text/html, but yesterday I noticed a change in this pattern: in these two infection chains Angler is back to sending its payload as an octet-stream. In the second infection chain TeslaCrypt named its .exe file BitlockerWizard.exe and moved its payload to the user's Roaming folder; the usual start-up location is the user's Documents folder.

ANGLER LANDING PAGES:

  • 89.108.83.114 – nimble.teedee365.com – ANGLER EK LANDING PAGE
  • 89.108.83.116 – damaging.epoxyhardwoodfloor.ca – GET /topic/ – ANGLER LANDING PAGE

POST TESLACRYPT RANSOMWARE TRAFFIC [C2]:

  • 160.153.51.192 – csskol.org – POST /wp-content/plugins/js_composer/assets/lib/font-awesome/src/assets/font-awesome/fonts/stringfile.php
  • 23.229.166.194 – casasembargada.com – POST /wp-content/plugins/formcraft/php/swift/lib/classes/Swift/Mime/HeaderEncoder/stringfile.php
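Detection logic for the two patterns described above (an application/octet-stream payload fetched from the same host that just served the Flash exploit, and a POST to stringfile.php buried under a WordPress plugin path), run over constructed proxy log lines. This is an added example, not code from the original post; the log format, client IPs, status codes and the exact landing/exploit URIs are assumptions, while the hosts and C2 paths are the ones listed above.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original capture): one HTTP transaction
# per line, fields: client_ip method host uri status content_type
SAMPLE_LOG = """\
10.0.0.5 GET nimble.teedee365.com /topic/ 200 text/html
10.0.0.5 GET nimble.teedee365.com /view/flash.swf 200 application/x-shockwave-flash
10.0.0.5 GET nimble.teedee365.com /view/payload 200 application/octet-stream
10.0.0.5 POST csskol.org /wp-content/plugins/js_composer/assets/lib/font-awesome/src/assets/font-awesome/fonts/stringfile.php 200 text/html
10.0.0.7 GET www.example.org /index.html 200 text/html
10.0.0.7 GET www.example.org /download/setup.bin 200 application/octet-stream
10.0.0.7 POST www.example.org /wp-content/plugins/contact-form/submit.php 200 text/html
"""

# TeslaCrypt C2 check-in as seen in this post: POST to stringfile.php under a
# WordPress plugin directory on a compromised site.
C2_URI = re.compile(r"^/wp-content/plugins/.+/stringfile\.php$")


def parse(log_text):
    """Split each constructed log line into its six whitespace-separated fields."""
    for line in log_text.splitlines():
        if line.strip():
            ip, method, host, uri, status, ctype = line.split()
            yield {"ip": ip, "method": method, "host": host,
                   "uri": uri, "status": status, "ctype": ctype}


def analyze(log_text):
    """Return (client_ip, host, reason) alerts for the two patterns in the post."""
    alerts = []
    flash_seen = defaultdict(set)  # client ip -> hosts that served a Flash object to it
    for rec in parse(log_text):
        if rec["ctype"] == "application/x-shockwave-flash":
            flash_seen[rec["ip"]].add(rec["host"])
        # Binary payload from a host that just served Flash to the same client:
        # the Angler exploit-then-payload sequence, now back to octet-stream.
        elif (rec["ctype"] == "application/octet-stream"
              and rec["host"] in flash_seen[rec["ip"]]):
            alerts.append((rec["ip"], rec["host"],
                           "octet-stream payload after Flash exploit"))
        if rec["method"] == "POST" and C2_URI.match(rec["uri"]):
            alerts.append((rec["ip"], rec["host"],
                           "TeslaCrypt-style C2 POST to stringfile.php"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The plain octet-stream download and the ordinary plugin POST from 10.0.0.7 are left alone, so only the two Angler/TeslaCrypt transactions from 10.0.0.5 produce alerts.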

Shown above: Compromised site and Angler EK landing page [Site one]

Shown above: Angler flash exploit and malicious payload via octet-stream [Site one]

Shown above: Compromised site and Angler EK landing page [Site two]

Shown above: Angler flash exploit and malicious payload via octet-stream [Site two]

Shown above: Using regedit you can see the TeslaCrypt executable installed in the user's Roaming folder and named "BitlockerWizard.exe"

Shown above: TeslaCrypt executable file details

Shown above: TeslaCrypt ransom note


MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: [Site one]

  • aae97d9244e1bd1c174b924fb42aa62e – 2016-03-31-nimble-teedee365-com-Angler-ek.swf
  • e898f9dceb8136e455515ade78ff42ac – 2016-03-31-nimble-teedee365-com-Bedep.dll
  • 2cdaf060f1403a8ee6f21c24edad6bbd – 2016-03-31-nimble-teedee365-com-TeslaCrypt.exe

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK: [Site two]