Angler Exploit Kit from 185.141.27.143 sends Vawtrak

ASSOCIATED DOMAINS:

  • 85.93.0.81 – dcxdfr.tk – EITEST GATE
  • 185.141.27.143 – r7h7v.bipimc.top – Angler EK LANDING PAGE
  • 93.170.169.160 – soomigen.com – POST /data/feeder – Vawtrak POST INFECTION TRAFFIC
  • 95.213.139.116 – GET /module/96df1c84c7fb13e880e399f9627e0db0 – Vawtrak POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: Compromised site redirecting to EITEST Gate


Shown above: Using Wireshark filter “Follow Stream” shows Referer from compromised site to EITEST gate and EITEST gate script redirecting to Angler EK landing page


Shown above: Angler Exploit Kit landing page


Shown above: Using Wireshark File => Export Objects => HTTP shows Angler exploiting flash at packet 3908 and malicious payload delivered masked as a flash file at packet 4193


Shown above: Packet 4193 malicious payload packet masked as a flash file


Shown above: Vawtrak post infection traffic using known URI patterns “POST /data/feeder” and “GET /module/”
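The two URI patterns above are the kind of thing a defender turns into a proxy-log check. The script below is an added example, not part of the original post: it scans constructed proxy log lines (the log layout and the sample lines are assumptions for this example) for the "POST /data/feeder" and "GET /module/<32 hex chars>" patterns and for the Vawtrak hosts listed in this write-up. The 32-hex-character module name is generalized from the single sample on this page, so treat that part of the regex as an assumption rather than a published signature.

```python
import re
from typing import Iterable, List, Optional

# Hosts/IPs named as Vawtrak post-infection traffic in this write-up.
VAWTRAK_C2_HOSTS = {"soomigen.com", "93.170.169.160", "95.213.139.116"}

# URI patterns the write-up names as known Vawtrak post-infection traffic.
# The 32-hex module name is an assumption generalized from the one sample
# on this page (/module/96df1c84c7fb13e880e399f9627e0db0).
VAWTRAK_URI_PATTERNS = [
    ("vawtrak_feeder_post", "POST", re.compile(r"^/data/feeder")),
    ("vawtrak_module_get", "GET", re.compile(r"^/module/[0-9a-f]{32}$")),
]

# Assumed proxy log layout (constructed for this example):
# <timestamp> <client_ip> <method> <host> <uri> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$"
)


def classify(line: str) -> Optional[dict]:
    """Return a hit record for one log line, or None if nothing matched."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None  # unparseable line: ignore rather than guess
    rec = m.groupdict()
    hits: List[str] = []
    for name, method, uri_re in VAWTRAK_URI_PATTERNS:
        if rec["method"] == method and uri_re.match(rec["uri"]):
            hits.append(name)
    if rec["host"] in VAWTRAK_C2_HOSTS:
        hits.append("vawtrak_known_host")
    if not hits:
        return None
    return {"ts": rec["ts"], "client": rec["client"], "host": rec["host"],
            "uri": rec["uri"], "hits": hits}


def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify() over every line and keep only the hits."""
    return [r for r in (classify(line) for line in lines) if r]


def infected_clients(lines: Iterable[str]) -> set:
    """Client IPs with at least one Vawtrak indicator, for triage."""
    return {r["client"] for r in scan(lines)}


# Constructed sample log: one host showing the post-infection traffic from
# this write-up, plus benign lines that look similar but must not match.
SAMPLE_LOG = [
    "2016-04-01T10:00:01Z 192.168.1.50 GET www.example-news.test /index.html 200",
    "2016-04-01T10:00:09Z 192.168.1.50 POST soomigen.com /data/feeder 200",
    "2016-04-01T10:00:12Z 192.168.1.50 GET 95.213.139.116 "
    "/module/96df1c84c7fb13e880e399f9627e0db0 200",
    "2016-04-01T10:01:00Z 192.168.1.51 GET cdn.example.test /module/js/main.js 200",
    "2016-04-01T10:01:30Z 192.168.1.52 POST api.example.test /data/feed 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}{hit['uri']} : {hit['hits']}")
    print("clients to triage:", sorted(infected_clients(SAMPLE_LOG)))
```

Two design points: the URI check is anchored at the start of the path, so `/data/feed` and `/module/js/main.js` do not fire, and the host match is kept as a separate indicator so that a line matching both the URI pattern and a known host can be prioritized over a line matching only one.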


MALICIOUS PAYLOAD SENT BY ANGLER EK: