Angler Exploit Kit from 185.106.122.81 sends Gootkit

NOTES:
In a May 17th, 2016 post, “Neutrino Exploit Kit sends GootKit and more”, I reported how the Neutrino Exploit Kit had sent Gootkit. Today I saw the Angler Exploit Kit sending Gootkit. Below are the details.


ASSOCIATED DOMAINS:

  • 85.93.0.72 – blog.grinblu.eu – EITEST GATE
  • 185.106.122.81 – j298fz.vaiyz4.top – Angler EK LANDING PAGE
  • 148.100.111.208 – stworke.com – POST INFECTION TRAFFIC
  • 198.105.254.228 – gtw0rke.com – POST INFECTION TRAFFIC
  • 198.105.254.228 – dtwoorke.com – POST INFECTION TRAFFIC
  • 66.240.194.139 – zumzisearch.com – POST INFECTION TRAFFIC


IMAGES and DETAILS:

Shown above: EITEST gate using a “.eu” Top Level Domain (TLD) to redirect to Angler EK landing page


Shown above: Angler Exploit Kit landing page


Shown above: Using Wireshark's “Follow TCP Stream” on the gate traffic shows the EITEST gate redirecting to the Angler EK landing page


Shown above: Using the Wireshark display filter “ssl.handshake.certificates” shows the self-signed SSL certificate issued to “My Company Ltd”, a pattern first noted in Emerging Threats rules.

NOTE: In the previous Gootkit infection, the post-infection traffic was transmitted over SSL. In this infection chain, the certificate exchange shown above is the only SSL traffic. All post-infection traffic went to TCP port 80, but it was not HTTP, so the destination port alone says nothing about the protocol; the payload has to be inspected.
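
To make the “port 80 but not HTTP” observation checkable on other captures, here is an added example (written for this write-up, not code from the original post or from any tool it names) that labels the first bytes of a TCP stream as HTTP, TLS or other and flags port-80 flows that are not HTTP. The sample flows are constructed: the IP addresses are the ones from this page's indicator list, but the payload bytes, the request path and the pairing of each payload with an IP are assumptions for illustration, not captured traffic.

```python
import re

# Start-of-stream patterns for HTTP/1.x.  A genuine HTTP conversation on TCP/80
# begins with a request line (client side) or a status line (server side).
_HTTP_REQUEST = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)
_HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] [1-5][0-9]{2} ")


def classify_stream(first_bytes: bytes) -> str:
    """Label the first bytes of a TCP stream as 'http', 'tls' or 'other'.

    The caller must supply at least the first request/status line (through the
    CRLF) for HTTP to be recognised, or the first three bytes of a record for
    TLS.  A request line cut off before its CRLF is reported as 'other'.
    """
    if _HTTP_REQUEST.match(first_bytes) or _HTTP_RESPONSE.match(first_bytes):
        return "http"
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # minor 0x00-0x03 (SSL 3.0 through TLS 1.2; TLS 1.3 also sends 0x0303).
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03):
        return "tls"
    return "other"


def flag_non_http_on_port80(flows):
    """Return [(dst_ip, label)] for flows to TCP/80 whose payload is not HTTP.

    flows: iterable of (dst_ip, dst_port, first_bytes_of_client_stream).
    Flows to other ports are ignored; order of the input is preserved.
    """
    flagged = []
    for dst_ip, dst_port, first_bytes in flows:
        if dst_port != 80:
            continue
        label = classify_stream(first_bytes)
        if label != "http":
            flagged.append((dst_ip, label))
    return flagged


# Constructed sample flows (assumptions for illustration).  The IPs are taken
# from the indicator list on this page; the payload bytes are made up.
SAMPLE_FLOWS = [
    # Landing page fetch: ordinary HTTP request, not flagged.
    ("185.106.122.81", 80, b"GET / HTTP/1.1\r\nHost: j298fz.vaiyz4.top\r\n\r\n"),
    # Post-infection traffic: opaque binary on port 80, flagged as 'other'.
    ("148.100.111.208", 80, b"\x8a\x12\x00\x00\x07\xf1\x3c\x02"),
    ("198.105.254.228", 80, b"\x00\x00\x01\xa0\x6b\x91\x2f\x9e"),
    # TLS ClientHello on 443 (assumed address): not port 80, so ignored.
    ("192.0.2.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    # TLS on port 80 (assumed address): flagged as 'tls' rather than 'other'.
    ("192.0.2.11", 80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
]

if __name__ == "__main__":
    for dst_ip, label in flag_non_http_on_port80(SAMPLE_FLOWS):
        print(f"non-HTTP traffic on tcp/80 to {dst_ip}: {label}")
```

In Wireshark the same check is the display filter “tcp.port == 80 && !http”, which keeps only port-80 conversations the HTTP dissector could not parse; the function above does the equivalent over exported stream prefixes and additionally separates TLS-on-80 from other binary protocols, since the two call for different follow-up (certificate inspection versus payload analysis).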


Shown above: Windows Registry entry associated with file-less GootKit


ANGLER EK POST INFECTION ARTIFACTS: