Angler EK sends Bedep, TeslaCrypt – NEW C2s

NOTES:
Post-infection traffic “302036685.pub.ezanga.com – POST /rva.php” was also seen in an April 14th, 2016 post, “Malicious JS containing Nemucod downloads Miuref/Boaxxe and fake Ransomware”. Notepad.exe is an unknown post-infection payload that I uploaded to malwr.com.


ASSOCIATED DOMAINS:

  • 82.146.54.19 – april.paypaybest.com – GET /redevelop/ – Angler LANDING PAGE
  • 23.79.203.241 – www.ecb.europa.eu – Bedep CONNECTION CHECK
  • 198.105.244.228 – lnmsxjzhuizwstec8t.com – POST /calendar.php – Bedep POST INFECTION TRAFFIC
  • 82.141.230.141 – bgbixqxbneszihbum.com – POST /forumdisplay.php – Bedep POST INFECTION TRAFFIC
  • 104.193.252.245 – qnewvhdljyvlf.com – POST /poll.php – Bedep POST INFECTION TRAFFIC
  • 103.57.24.251 – 13343225565.com – POST /mzfile.php – TeslaCrypt POST INFECTION TRAFFIC
  • 185.12.108.138 – 4turka.com – POST /images/mzfile.php – TeslaCrypt POST INFECTION TRAFFIC
  • 108.168.157.141 – 302036685.pub.ezanga.com – POST /rva.php – POST INFECTION TRAFFIC


Updated – HTTPS POST INFECTION TRAFFIC:

  • 23.235.40.143 – United States, AS54113 Fastly, San Francisco, CA
  • 69.172.216.161 – United States, AS7415 Integral Ad Science, Inc., New York, NY
  • 8.39.37.45 – United States, AS26667 The Rubicon Project, Inc.
  • 194.28.172.218 – Ukraine, AS42655 ON-LINE Ltd, Vinnitsa
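As an added example (not code from the original post), the script below turns the two indicator lists above into proxy-log matching rules and runs them over a few constructed log lines. It scores hits by confidence: host plus the listed URI is high; a host or indicator-IP match alone is medium; the TeslaCrypt "mzfile.php" URI pattern on an unlisted host is medium; and the HTTPS-only IPs, which sit on CDN and ad-network ASes according to the list, are low on their own. The www.ecb.europa.eu connection check is a legitimate site, so it is only ever corroborating and is raised from low to medium when the same client already has a confirmed Bedep hit. The log layout, the client IPs, and the hosts example-unlisted.test, cdn.example.test and www.example.test are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Indicators transcribed from the post's ASSOCIATED DOMAINS list: (ip, host, method, path, family).
INDICATORS = [
    ("82.146.54.19",    "april.paypaybest.com",     "GET",  "/redevelop/",        "Angler landing page"),
    ("23.79.203.241",   "www.ecb.europa.eu",        None,   None,                 "Bedep connection check"),
    ("198.105.244.228", "lnmsxjzhuizwstec8t.com",   "POST", "/calendar.php",      "Bedep"),
    ("82.141.230.141",  "bgbixqxbneszihbum.com",    "POST", "/forumdisplay.php",  "Bedep"),
    ("104.193.252.245", "qnewvhdljyvlf.com",        "POST", "/poll.php",          "Bedep"),
    ("103.57.24.251",   "13343225565.com",          "POST", "/mzfile.php",        "TeslaCrypt"),
    ("185.12.108.138",  "4turka.com",               "POST", "/images/mzfile.php", "TeslaCrypt"),
    ("108.168.157.141", "302036685.pub.ezanga.com", "POST", "/rva.php",           "unattributed post-infection"),
]
BY_HOST = {i[1]: i for i in INDICATORS}
BY_IP = {i[0]: i for i in INDICATORS}

# IP-only indicators from the HTTPS update. The post places them on CDN / ad-network
# ASes, so a destination match is low confidence without other evidence.
HTTPS_IPS = {"23.235.40.143", "69.172.216.161", "8.39.37.45", "194.28.172.218"}

# Legitimate services abused as a connectivity check: never a hit on their own.
CORROBORATING_ONLY = {"www.ecb.europa.eu"}

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <method> <host> <path> <dest_ip>
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\S+) (\S+)$")


@dataclass
class Hit:
    client: str
    confidence: str   # "high", "medium" or "low"
    family: str
    reason: str


def classify(line):
    """Return a Hit for one log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, host, path, dst = m.groups()
    host = host.lower()
    ioc = BY_HOST.get(host)
    if ioc:
        _ip, _h, ioc_method, ioc_path, family = ioc
        if host in CORROBORATING_ONLY:
            return Hit(client, "low", family, f"{host} is a legitimate site; corroborating only")
        if method == ioc_method and path == ioc_path:
            return Hit(client, "high", family, f"host and URI match: {method} {host}{path}")
        return Hit(client, "medium", family, f"host match {host}; URI {method} {path} is not the listed one")
    ioc = BY_IP.get(dst)
    if ioc:
        return Hit(client, "medium", ioc[4], f"destination IP {dst} matches indicator for {ioc[1]}")
    # The new TeslaCrypt C2 URI pattern from the post: a POST whose path ends in mzfile.php.
    if method == "POST" and path.rsplit("/", 1)[-1] == "mzfile.php":
        return Hit(client, "medium", "TeslaCrypt", f"URI pattern mzfile.php on unlisted host {host}")
    if dst in HTTPS_IPS:
        return Hit(client, "low", "unattributed HTTPS", f"destination IP {dst} on shared CDN/ad infrastructure")
    return None


def scan(lines):
    """Classify every line; promote a connection-check hit when the client already has a confirmed Bedep hit."""
    hits = [h for h in (classify(l) for l in lines) if h]
    bedep_clients = {h.client for h in hits if h.family == "Bedep" and h.confidence == "high"}
    for h in hits:
        if h.family == "Bedep connection check" and h.client in bedep_clients:
            h.confidence = "medium"
    return hits


# Constructed sample log lines (not a real capture).
SAMPLE_LOG = [
    "2016-04-19T10:00:01Z 10.0.0.5 GET april.paypaybest.com /redevelop/ 82.146.54.19",
    "2016-04-19T10:00:09Z 10.0.0.5 GET www.ecb.europa.eu / 23.79.203.241",
    "2016-04-19T10:00:12Z 10.0.0.5 POST qnewvhdljyvlf.com /poll.php 104.193.252.245",
    "2016-04-19T10:00:30Z 10.0.0.5 POST 13343225565.com /mzfile.php 103.57.24.251",
    "2016-04-19T10:01:00Z 10.0.0.7 POST example-unlisted.test /img/mzfile.php 192.0.2.10",
    "2016-04-19T10:01:05Z 10.0.0.8 GET www.ecb.europa.eu / 23.79.203.241",
    "2016-04-19T10:01:10Z 10.0.0.9 CONNECT cdn.example.test :443 23.235.40.143",
    "2016-04-19T10:02:00Z 10.0.0.9 GET www.example.test /index.html 93.184.216.34",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.confidence:6} {hit.client:9} {hit.family}: {hit.reason}")
```

The lone connection check from 10.0.0.8 stays low because nothing else from that client matches, while the same request from 10.0.0.5 is promoted once its /poll.php POST confirms Bedep; blocking or alerting on www.ecb.europa.eu by itself would only generate false positives.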


IMAGES and DETAILS:

Shown above: Compromised site redirects to Angler landing page


Shown above: Packet 1530 shows the Angler Flash exploit is a little smaller than usual (24 kB), and packet 3222 shows the malicious payload masked as an “x-shockwave-flash” file


Shown above: Metadata from Angler’s Flash exploit


Shown above: TeslaCrypt post-infection traffic communicating with the new C2 URI pattern


Shown above: TeslaCrypt ransom note


EXPLOITS AND PAYLOAD FROM ANGLER EK: