Angler Exploit Kit from 185.46.11.166 sends Bedep and TeslaCrypt Ransomware
NOTES:
More of the same Angler exploit kit, TeslaCrypt and Bedep traffic over the weekend. Continue to see Angler sending its payload masked as an application/zip.
ASSOCIATED DOMAINS:
- 185.46.11.166 – resonant.mafiaunderwear.com – GET /topic/ – Angler LANDING PAGE
- 198.105.244.228 – Bedep POST INFECTION TRAFFIC
- 195.22.28.199 – Bedep POST INFECTION TRAFFIC
- 82.141.230.141 – Bedep POST INFECTION TRAFFIC
- 104.193.252.245 – Bedep POST INFECTION TRAFFIC
- 217.70.180.150 – hotcasinogames.org – POST /binfile.php – POST INFECTION TRAFFIC [TeslaCrypt]
- 107.180.43.132 – goldberg-share.com – POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/binfile.php – POST INFECTION TRAFFIC [TeslaCrypt]
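To turn the indicator list above into something actionable, the following is an added example (not code from the original post) that scans proxy log lines for the listed hosts, IPs and URI paths. The log layout and the sample lines are constructed for the example; only the indicators themselves come from the post. Path suffixes are consulted only after a host or IP already matched, so an unrelated "/topic/" on some other site does not fire on its own.

```python
"""
Added example, not from the original post: scan proxy log lines for the
indicators listed above. The log format and the sample lines are constructed
for this example; the domains, IPs and URI paths are the ones in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the post, keyed by the value that appears in a log line.
IOC_HOSTS = {
    "resonant.mafiaunderwear.com": "Angler landing page",
    "hotcasinogames.org": "TeslaCrypt post-infection traffic",
    "goldberg-share.com": "TeslaCrypt post-infection traffic",
}
IOC_IPS = {
    "185.46.11.166": "Angler landing page",
    "198.105.244.228": "Bedep post-infection traffic",
    "195.22.28.199": "Bedep post-infection traffic",
    "82.141.230.141": "Bedep post-infection traffic",
    "104.193.252.245": "Bedep post-infection traffic",
    "217.70.180.150": "TeslaCrypt post-infection traffic",
    "107.180.43.132": "TeslaCrypt post-infection traffic",
}
# Path suffixes from the post; only consulted once the host or IP matched,
# so a benign "/topic/" on some other site does not fire on its own.
IOC_PATH_SUFFIXES = {
    "/topic/": "Angler landing page (GET /topic/)",
    "/binfile.php": "TeslaCrypt post-infection traffic (POST binfile.php)",
}

# Hypothetical proxy log layout: timestamp client method host dst_ip path status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<dst>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    ts: str
    client: str
    indicator: str   # the host or IP that matched
    label: str       # what the post says that indicator is


def match_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line touches a listed host or IP, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, dst, path = m["host"], m["dst"], m["path"]
    if host in IOC_HOSTS:
        indicator, label = host, IOC_HOSTS[host]
    elif dst in IOC_IPS:
        indicator, label = dst, IOC_IPS[dst]
    else:
        return None
    # Refine the label with the request path when it matches a listed one.
    for suffix, plabel in IOC_PATH_SUFFIXES.items():
        if path.endswith(suffix):
            label = plabel
    return Hit(m["ts"], m["client"], indicator, label)


def scan(lines: List[str]) -> List[Hit]:
    """Run match_line over every line and keep the hits, in log order."""
    return [h for h in (match_line(l) for l in lines) if h is not None]


# Constructed sample log: one infected client, one benign request in between.
# The Bedep request path "/" is filler; the post does not give Bedep's URI.
SAMPLE_LOG = [
    "2016-04-04T10:15:02 10.0.0.12 GET resonant.mafiaunderwear.com 185.46.11.166 /topic/ 200",
    "2016-04-04T10:15:03 10.0.0.12 GET www.example.net 203.0.113.5 /index.html 200",
    "2016-04-04T10:16:40 10.0.0.12 POST 198.105.244.228 198.105.244.228 / 200",
    "2016-04-04T10:17:12 10.0.0.12 POST goldberg-share.com 107.180.43.132 "
    "/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/binfile.php 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} -> {hit.indicator}: {hit.label}")
```

The three hits from the sample log reproduce the chain the post describes for one client: landing page, then Bedep check-in, then the TeslaCrypt POST to binfile.php. Tying each hit to the client address is what makes the list useful for scoping an incident rather than just blocking at the edge.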
IMAGES and DETAILS:
[Image not included] Redirect from compromised site to Angler landing page via iframe injection script
[Image not included] Packet 3458 shows Angler EK payload via a masked application/zip
[Image not included] Packet 3458 showing content type masked as application/zip. If this were a true zip file the first two bytes would be PK
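The "would start with PK" check in the caption above is easy to automate. The following is an added example (not code from the original post) that splits a raw HTTP response, reads the declared Content-Type, and compares it with the file signature at the start of the body. It goes a little beyond the post by covering a few other declared types besides application/zip (SWF, EXE/DLL, PDF, gzip); the responses it runs on are constructed, and the "masked" payload bytes are arbitrary filler, not a real sample.

```python
"""
Added example, not from the original post: compare a response's declared
Content-Type with the file signature ("magic bytes") at the start of its body.
The HTTP responses below are constructed; the signatures are the standard ones.
"""
from typing import Dict, Optional, Tuple

# Leading bytes that a body of the declared type should start with.
MAGIC = {
    "application/zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "application/x-shockwave-flash": (b"FWS", b"CWS", b"ZWS"),
    "application/x-msdownload": (b"MZ",),
    "application/pdf": (b"%PDF",),
    "application/gzip": (b"\x1f\x8b",),
}


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type whose signature the body starts with, if any."""
    for ctype, sigs in MAGIC.items():
        if body.startswith(sigs):   # bytes.startswith accepts a tuple
            return ctype
    return None


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Minimal split of a raw HTTP response into lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = \
            value.strip().decode("ascii", "replace")
    return headers, body


def check_response(raw: bytes) -> Dict[str, object]:
    """Flag a response whose declared type has a known signature the body lacks."""
    headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    return {
        "declared": declared,
        "actual": actual,
        "first_bytes": body[:4],
        # Only types we have a signature for can be judged; text/html etc. pass.
        "mismatch": declared in MAGIC and actual != declared,
    }


# Constructed responses. The first mimics what the post describes: a body
# labelled application/zip that does not begin with PK (filler bytes, not a
# real payload). The second is a genuine zip header for comparison.
MASKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/zip\r\n"
    b"Content-Length: 12\r\n\r\n"
    b"\x8b\x13\x7a\xc4\x01\x00\xfe\x9d\x42\x7b\x10\x33"
)
REAL_ZIP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/zip\r\n\r\n"
    b"PK\x03\x04\x14\x00\x00\x00\x08\x00"
)

if __name__ == "__main__":
    for name, raw in (("masked", MASKED), ("real zip", REAL_ZIP)):
        r = check_response(raw)
        print(f"{name}: declared={r['declared']} sniffed={r['actual']} "
              f"first={r['first_bytes']!r} mismatch={r['mismatch']}")
```

A mismatch on its own is not proof of an exploit kit (misconfigured servers mislabel files all the time), but a declared application/zip whose body has no recognisable signature, served from a site a client was just redirected to, is exactly the pattern shown in packet 3458 and is cheap to alert on from a proxy or IDS that keeps the first few body bytes.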
MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:
- 5923e074fd206be6803c700dd1d8db9f – 2016-04-04-resonant-mafiaunderwear-com-Angler-ek.swf – Virus Total Link
- 40539661254bbd8dfeb9f8f22684c291 – 2016-04-04-resonant-mafiaunderwear-com-Bedep.dll – Virus Total Link
- 73b6567e0fb62eeb98aeaa8af712c650 – 2016-04-04-resonant-mafiaunderwear-com-TeslaCrypt.exe – Virus Total Link