Angler Flash Exploit Infection Chain – New C&C

ASSOCIATED DOMAINS:

  • 89.108.83.163 – insect.stackexceed.com – GET /topic/ – Angler LANDING PAGE
  • 104.91.234.156 – www.ecb.europa.eu – Bedep CONNECT CHECK
  • 208.100.26.234 – lubcdbbhmwklotm2o.com – Bedep POST INFECTION TRAFFIC
  • 104.193.252.245 – jumtfutbdabxxtidj.com – Bedep POST INFECTION TRAFFIC
  • 23.229.239.227 – addagapublicschool.com – POST /binfile.php – TeslaCrypt POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: Compromised site index page with the injected iframe script that redirects the visitor to the Angler Exploit Kit landing page


Shown above: Referer header from the compromised site on the request for the Angler landing page


Shown above: Extraction of the Flash exploit in Wireshark using File => Export Objects => HTTP


Shown above: After extracting the Flash exploit and saving it as a .swf file, it was decompiled with Flare (http://www.nowrap.de/flare.html) and the Flash metadata examined in a text editor


Shown above: Packet 7127 shows Angler's payload delivery with the HTTP Content-Type header set to application/zip


Shown above: Examination of packet 7127 shows the payload masked as a zip file. If this were a real zip file, the first two bytes of the response body would be the ZIP signature PK (0x50 0x4B); here they are not, so the Content-Type is a disguise for the encoded payload.
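The mismatch above (a body declared as application/zip that does not begin with PK) is easy to check mechanically across every object exported from the capture. The script below is an added example, not code from the original write-up; the three HTTP responses it inspects are constructed to mimic the shapes seen in this traffic (a genuine zip, a payload masked as a zip, and an executable served as a zip), not bytes copied from the pcap. It sniffs the leading bytes of each response body against a small magic table (ZIP, SWF, PE, gzip) and flags any object whose declared Content-Type does not fit what the bytes say.

```python
"""Compare declared Content-Type with the body's magic bytes.

Added example for this write-up (not the author's code). Sample
responses are constructed inline so the script runs offline; objects
exported from Wireshark (File => Export Objects => HTTP) can be fed to
check_object() in the same way once the Content-Type is known.
"""

# Leading bytes that identify formats commonly seen in exploit-kit traffic.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip (empty archive)"),
    (b"FWS", "swf (uncompressed)"),
    (b"CWS", "swf (zlib-compressed)"),
    (b"ZWS", "swf (lzma-compressed)"),
    (b"MZ", "pe (dos/windows executable)"),
    (b"\x1f\x8b", "gzip"),
]

# Content-Type values that legitimately go with each format family.
EXPECTED_TYPES = {
    "zip": ("application/zip", "application/x-zip-compressed"),
    "swf": ("application/x-shockwave-flash",),
    "pe": ("application/octet-stream", "application/x-msdownload"),
    "gzip": ("application/gzip", "application/x-gzip"),
}
KNOWN_TYPES = {t for types in EXPECTED_TYPES.values() for t in types}


def sniff(body):
    """Return the format implied by the body's leading bytes, or 'unknown'."""
    for signature, name in MAGIC:
        if body.startswith(signature):
            return name
    return "unknown"


def check_object(content_type, body):
    """Flag a response whose declared type and magic bytes disagree."""
    declared = content_type.split(";")[0].strip().lower()
    actual = sniff(body)
    family = actual.split(" ")[0]
    if actual == "unknown":
        # Claims a well-known archive/executable type but matches no signature:
        # exactly the application/zip-without-PK case from packet 7127.
        suspicious = declared in KNOWN_TYPES
    else:
        suspicious = declared not in EXPECTED_TYPES.get(family, ())
    return {
        "declared": declared,
        "actual": actual,
        "first_bytes": body[:4].hex(),
        "suspicious": suspicious,
    }


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (Content-Type, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    content_type = ""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().decode("latin-1")
    return content_type, body


def scan(responses):
    """Return the names of all responses whose body does not match its type."""
    flagged = []
    for name, raw in responses.items():
        content_type, body = parse_http_response(raw)
        if check_object(content_type, body)["suspicious"]:
            flagged.append(name)
    return flagged


# Constructed samples (not captured traffic). The masked body bytes are arbitrary.
SAMPLES = {
    "real_zip": (b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n"
                 b"PK\x05\x06" + b"\x00" * 18),
    "masked_payload": (b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n"
                       b"\x9a\x3f\x21\x08\x17\xe4\x0b\x2d"),
    "exe_as_zip": (b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n"
                   b"MZ\x90\x00" + b"\x00" * 60),
    "flash_exploit": (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\n"
                      b"CWS\x0f" + b"\x00" * 8),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_object(*parse_http_response(raw)))
    print("flagged:", scan(SAMPLES))
```

Run against real exported objects, the loop in scan() would iterate over files on disk plus the Content-Type recorded in Wireshark's export dialog; the classification logic is unchanged.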


Shown above: Snort alerts generated by the latest subscriber rule set


Shown above: Snort alerts generated by the latest subscriber rule set together with custom local.rules


Shown above: Snort custom local.rules matching on the URI content /topic/ used by the Angler landing page
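The screenshot's local.rules are not reproduced on this page, so the two rules below are an added illustration of what such custom rules look like, not the author's rules. The first matches the landing-page request on the URI /topic/ from the indicator list above; the second flags the masked-payload pattern from packet 7127, a response declaring application/zip whose body does not start with PK. The sid values are in the local range and the messages are assumed; the negated PK check relies on file_data and should be validated against the capture before deployment, since /topic/ alone will also match benign sites that use that path.

```snort
# Added example rules (not from the original write-up). Snort 2.9 syntax.
# Landing page request: GET with URI containing /topic/ (sid and msg are assumed).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Angler EK landing page request - URI /topic/"; flow:to_server,established; content:"GET"; http_method; content:"/topic/"; http_uri; nocase; classtype:trojan-activity; sid:1000001; rev:1;)

# Payload delivery masked as a zip: Content-Type says application/zip but the
# body does not begin with the ZIP signature "PK".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL HTTP response claims application/zip but body lacks PK signature"; flow:to_client,established; content:"Content-Type|3a 20|application/zip"; http_header; nocase; file_data; content:!"PK"; depth:2; classtype:trojan-activity; sid:1000002; rev:1;)
```

The second rule is the more durable of the two: the landing-page path changes between Angler campaigns, while the zip-without-PK trick is a property of the delivery mechanism itself.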


Shown above: Bedep DLL payload drop directory


Shown above: TeslaCrypt payload drop directory


Shown above: TeslaCrypt ransom note


Shown above: Windows registry entry for Bedep start-up, loading “hlink.dll”


Shown above: Windows registry entry for TeslaCrypt start-up


EXPLOITS AND PAYLOAD FROM ANGLER EK: