NOTES:
More of the same Angler exploit kit, TeslaCrypt and Bedep traffic over the weekend. Continue to see Angler sending its payload masked as an application/zip.

ASSOCIATED DOMAINS:

• 185.46.11.166 – resonant.mafiaunderwear.com – GET /topic/ – Angler LANDING PAGE
• 198.105.244.228 – Bedep POST INFECTION TRAFFIC
• 195.22.28.199 – Bedep POST INFECTION TRAFFIC
• 82.141.230.141 – Bedep POST INFECTION TRAFFIC
• 104.193.252.245 – Bedep POST INFECTION TRAFFIC
• 217.70.180.150 – hotcasinogames.org – POST /binfile.php – POST INFECTION TRAFFIC [TeslaCrypt]
• 107.180.43.132 – goldberg-share.com – POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/binfile.php – POST INFECTION TRAFFIC [TeslaCrypt]

IMAGES and DETAILS:

Shown above: Redirect from compromised site to Angler landing page via iframe injection script

Shown above: Packet 3458 shows Angler EK payload via a masked application/zip

Show above: Packet 3458 showing content type masked as application/zip. If this was a true zip file the first two characters would be PK

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

• 5923e074fd206be6803c700dd1d8db9f – 2016-04-04-resonant-mafiaunderwear-com-Angler-ek.swf
  Virus Total Link
• 40539661254bbd8dfeb9f8f22684c291 – 2016-04-04-resonant-mafiaunderwear-com-Bedep.dll
  Virus Total Link
• 73b6567e0fb62eeb98aeaa8af712c650 – 2016-04-04-resonant-mafiaunderwear-com-TeslaCrypt.exe
  Virus Total Link