Angler Exploit Kit from 185.46.11.166 sends Bedep and TeslaCrypt Ransomware

NOTES:
More of the same Angler exploit kit, TeslaCrypt and Bedep traffic over the weekend. We continue to see Angler sending its payload masked as application/zip.

 

ASSOCIATED DOMAINS:

  • 185.46.11.166 – resonant.mafiaunderwear.com – GET /topic/ – Angler LANDING PAGE
  • 198.105.244.228 – Bedep POST INFECTION TRAFFIC
  • 195.22.28.199 – Bedep POST INFECTION TRAFFIC
  • 82.141.230.141 – Bedep POST INFECTION TRAFFIC
  • 104.193.252.245 – Bedep POST INFECTION TRAFFIC
  • 217.70.180.150 – hotcasinogames.org – POST /binfile.php – POST INFECTION TRAFFIC [TeslaCrypt]
  • 107.180.43.132 – goldberg-share.com – POST /wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/binfile.php – POST INFECTION TRAFFIC [TeslaCrypt]

 

IMAGES and DETAILS:

Shown above: Redirect from compromised site to Angler landing page via iframe injection script

 

Shown above: Packet 3458 shows the Angler EK payload delivered with a masked application/zip content type

 

Shown above: Packet 3458 showing the content type masked as application/zip. If this were a true zip file, the first two bytes would be PK.
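The mismatch in the capture above (a body declared as application/zip that does not begin with PK) is easy to check mechanically. The script below is an added example, not code from the original post: it parses a raw HTTP/1.x response, sniffs the body's leading bytes against a small magic-byte table, and flags any response whose declared Content-Type does not agree with what the bytes actually are. The responses it scans are constructed samples, not packets from this capture; the byte values in the "masked" body are made up and are not the real Angler payload.

```python
"""
Flag HTTP responses whose declared Content-Type disagrees with the body's
magic bytes, e.g. an "application/zip" body that does not start with "PK".
Added example; the raw responses below are constructed, not captured traffic.
"""
from __future__ import annotations

# Accepted leading bytes for a few MIME types that exploit kits deliver or spoof.
MAGIC = {
    "application/zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "application/x-shockwave-flash": (b"FWS", b"CWS", b"ZWS"),
    "application/x-msdownload": (b"MZ",),
    "application/pdf": (b"%PDF-",),
}

# Prefix -> human-readable name, used to say what the body actually looks like.
SNIFF = [
    (b"PK", "zip"),
    (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf"),
    (b"MZ", "pe"),
    (b"%PDF-", "pdf"),
    (b"<html", "html"), (b"<!DOCTYPE", "html"), (b"<!doctype", "html"),
]


def parse_http_response(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return status, headers, body


def sniff_body(body: bytes) -> str:
    """Name the body's apparent format from its leading bytes, or 'unknown'."""
    for prefix, name in SNIFF:
        if body.startswith(prefix):
            return name
    return "unknown"


def check_content_type(headers: dict[str, str], body: bytes) -> dict:
    """Compare the declared Content-Type against the body's magic bytes."""
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    expected = MAGIC.get(declared)
    # Types with no signature on file cannot be judged, so they are not flagged.
    mismatch = expected is not None and not body.startswith(expected)
    return {
        "declared": declared or "(none)",
        "detected": sniff_body(body),
        "leading_bytes": body[:4].hex(),
        "mismatch": mismatch,
    }


def scan(raw: bytes) -> dict:
    """Parse one raw response and return the content-type check result."""
    _, headers, body = parse_http_response(raw)
    return check_content_type(headers, body)


# Constructed sample responses (not from the capture). The first mimics a
# payload served as application/zip whose bytes are not a zip header.
SAMPLES = {
    "masked_payload": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/zip\r\n"
        b"Content-Length: 16\r\n\r\n"
        b"\x9a\x3f\x11\x20\x7c\x00\xe4\x51\x33\x0b\x8d\xa1\x6e\x2f\xc0\x07"
    ),
    "real_zip": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/zip\r\n\r\n"
        b"PK\x03\x04\x14\x00\x00\x00\x08\x00"
    ),
    "flash_as_declared": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-shockwave-flash\r\n\r\n"
        b"CWS\x0a\x00\x10\x00\x00"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = scan(raw)
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{name:18} declared={r['declared']:32} looks_like={r['detected']:8} "
              f"bytes={r['leading_bytes']} {flag}")
```

Only the "masked_payload" sample is flagged; the real zip and the SWF agree with their headers. A type with no entry in MAGIC (for example application/octet-stream) is reported but never flagged, which keeps the check from producing noise on generic downloads. In practice you would feed this the reassembled response bodies from a packet capture or proxy log rather than the inline samples.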

 

MD5 HASHES FOR EXPLOITS AND PAYLOAD FROM ANGLER EK:

  • 5923e074fd206be6803c700dd1d8db9f – 2016-04-04-resonant-mafiaunderwear-com-Angler-ek.swf
    Virus Total Link
  • 40539661254bbd8dfeb9f8f22684c291 – 2016-04-04-resonant-mafiaunderwear-com-Bedep.dll
    Virus Total Link
  • 73b6567e0fb62eeb98aeaa8af712c650 – 2016-04-04-resonant-mafiaunderwear-com-TeslaCrypt.exe
    Virus Total Link