Angler Exploit sends Bedep, TeslaCrypt Ransomware and Andromedia

ASSOCIATED DOMAINS:

  • 80.87.194.218 – behave.nualias.com – GET /ed/n/084/ – Angler EK LANDING PAGE
  • 104.73.195.113 – www.ecb.europa.eu – Bedep CONNECTION CHECK
  • 198.105.244.228 – iednxjurmcz2x.com – POST /forum.php – Bedep POST INFECTION TRAFFIC
  • 195.22.28.199 – ebcqpcqdbli44.com – POST /include/database_error_page.html – Bedep POST INFECTION TRAFFIC
  • 208.100.26.234 – jdgrbwdcfzpcllt0.com – POST /content.php – Bedep POST INFECTION TRAFFIC
  • 82.141.230.141 – hmkkzfwjbpym.com – POST /include/class_dm_blog_rate.php – Bedep POST INFECTION TRAFFIC
  • 104.193.252.245 – POST /showpost.php – Bedep POST INFECTION TRAFFIC
  • 72.41.18.2 – helcel.com – POST /sys_init.php – TeslaCrypt POST INFECTION TRAFFIC
  • 171.35.182.56 – dom.altincopps.com – POST /dom/tasks.php – Andromedia POST INFECTION TRAFFIC
  • 103.234.36.148 – GET /domand789.exe – Andromedia POST INFECTION TRAFFIC
  • 162.221.183.108 – GET /m/795473.zip – POST INFECTION TRAFFIC
  • 162.221.183.108 – GET /m/1721863.zip – POST INFECTION TRAFFIC
  • 162.221.183.108 – GET /m/257725.zip – POST INFECTION TRAFFIC
  • 162.221.183.108 – GET /m/043828.zip – POST INFECTION TRAFFIC
  • 162.221.183.108 – GET /m/143426.zip – POST INFECTION TRAFFIC
  • 162.221.183.108 – POST /test.php – POST INFECTION TRAFFIC
  • 107.155.99.135 – domand.altincopps.com – POST /domand/gate.php – Andromedia POST INFECTION TRAFFIC
  • 217.23.15.136 – GET / – POST INFECTION TRAFFIC
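The indicator list above is most useful when it is turned into something that can be run over proxy or web-gateway logs. The script below is an added example (not part of the original post) that encodes the host/IP, method and path of each indicator and matches them against a constructed, squid-style log of `timestamp client method url status` lines. The log format, the `Indicator` structure and the function names are assumptions; the indicator values themselves are taken from the list above. Two details matter in practice: several entries list only an IP, so the matcher accepts either the hostname or the IP in the URL, and the www.ecb.europa.eu entry is a legitimate site that Bedep uses only as a connectivity check, so it is deliberately left out of the block list rather than flagged on its own.

```python
"""Match the Angler EK / Bedep / TeslaCrypt / Andromedia indicators from this
post against proxy log lines.  Added example; log format and names assumed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    ip: str
    host: Optional[str]   # None where the post lists only an IP
    method: str
    path_re: str          # regex matched in full against the URL path
    label: str


# Indicators from the associated-domains list of this post.
# www.ecb.europa.eu (Bedep connectivity check) is intentionally not listed:
# it is a legitimate domain and would produce false positives on its own.
INDICATORS = [
    Indicator("80.87.194.218", "behave.nualias.com", "GET", r"/ed/n/084/", "Angler EK landing page"),
    Indicator("198.105.244.228", "iednxjurmcz2x.com", "POST", r"/forum\.php", "Bedep post-infection"),
    Indicator("195.22.28.199", "ebcqpcqdbli44.com", "POST", r"/include/database_error_page\.html", "Bedep post-infection"),
    Indicator("208.100.26.234", "jdgrbwdcfzpcllt0.com", "POST", r"/content\.php", "Bedep post-infection"),
    Indicator("82.141.230.141", "hmkkzfwjbpym.com", "POST", r"/include/class_dm_blog_rate\.php", "Bedep post-infection"),
    Indicator("104.193.252.245", None, "POST", r"/showpost\.php", "Bedep post-infection"),
    Indicator("72.41.18.2", "helcel.com", "POST", r"/sys_init\.php", "TeslaCrypt post-infection"),
    Indicator("171.35.182.56", "dom.altincopps.com", "POST", r"/dom/tasks\.php", "Andromedia post-infection"),
    Indicator("103.234.36.148", None, "GET", r"/domand789\.exe", "Andromedia payload download"),
    # The five /m/<digits>.zip downloads collapse into one pattern.
    Indicator("162.221.183.108", None, "GET", r"/m/\d+\.zip", "post-infection zip download"),
    Indicator("162.221.183.108", None, "POST", r"/test\.php", "post-infection traffic"),
    Indicator("107.155.99.135", "domand.altincopps.com", "POST", r"/domand/gate\.php", "Andromedia post-infection"),
]

# Assumed log shape: "<timestamp> <client_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (?:https?://)?([^/\s]+)(/\S*)? (\d{3})$")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, hostport, path, status = m.groups()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        # drop an explicit :port and normalise case
        "host": hostport.rsplit(":", 1)[0].lower(),
        # drop the query string; a bare host means path "/"
        "path": (path or "/").split("?", 1)[0],
        "status": int(status),
    }


def match_indicator(rec: dict) -> Optional[Indicator]:
    """Return the first indicator whose host-or-IP, method and path all match."""
    for ind in INDICATORS:
        if rec["method"] != ind.method:
            continue
        if rec["host"] != ind.ip and rec["host"] != ind.host:
            continue
        if re.fullmatch(ind.path_re, rec["path"]):
            return ind
    return None


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, client_ip, label) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ind = match_indicator(rec)
        if ind is not None:
            hits.append((n, rec["client"], ind.label))
    return hits


# Constructed sample log: one host visits the landing page, passes the
# connectivity check and beacons to Bedep and TeslaCrypt; a second host
# pulls a zip; a third hits an unrelated /forum.php and must not match.
SAMPLE_LOG = [
    "1449000000.123 10.0.0.5 GET http://behave.nualias.com/ed/n/084/ 200",
    "1449000001.456 10.0.0.5 GET http://www.ecb.europa.eu/ 200",
    "1449000002.789 10.0.0.5 POST http://iednxjurmcz2x.com/forum.php 200",
    "1449000003.000 10.0.0.7 GET http://162.221.183.108/m/795473.zip 200",
    "1449000004.000 10.0.0.9 GET http://example.com/forum.php 200",
    "1449000005.000 10.0.0.5 POST http://72.41.18.2:80/sys_init.php?x=1 200",
]


def demo() -> List[Tuple[int, str, str]]:
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for line_no, client, label in demo():
        print(f"line {line_no}: {client} -> {label}")
```

Running it flags lines 1, 3, 4 and 6 (landing page, Bedep beacon, zip download and the TeslaCrypt check-in, the last matched by IP with port and query string stripped) and stays silent on the ECB connectivity check and on the unrelated `/forum.php` request, which is the point of requiring host and path together rather than either alone.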


IMAGES and DETAILS:

Shown above: Injected iframe in compromised site index page redirecting to Angler exploit landing page

Shown above: Angler Exploit Kit landing page

Shown above: Packet 3860 shows Angler exploiting Flash and packet 4913 shows payload masked as a Shockwave Flash file

Shown above: Packet 4913 shows payload masked as Shockwave Flash file

Shown above: Bedep post infection traffic

Shown above: Andromedia post infection traffic

Shown above: TeslaCrypt ransom note

EXPLOITS AND PAYLOAD FROM ANGLER EK:


UPDATED POST INFECTION ARTIFACTS: