Angler Exploit Kit sends variant of Zeta Ransomware

ASSOCIATED DOMAINS:

  • 85.93.0.72 – biolexa.tk – EITEST GATE
  • 185.106.122.96 – x79.tx7pck9cx.top – Angler EK Landing Page
  • 109.248.32.173 – POST /images/goic.php – POST INFECTION C2 CHECK-IN


IMAGES and DETAILS:

Shown above: EITEST gate leading to Angler EK landing page. This is the same EITEST gate used to send Gootkit yesterday (see: Angler Exploit Kit from 185.106.122.81 sends Gootkit).


Shown above: Angler Exploit Kit landing page


Shown above: Ransomware post infection traffic and command and control (C2) check-in


Shown above: Packet for post infection traffic check-in to C2


Shown above: Ransom note HELP_YOUR_FILES.HTML


Shown above: Ransom note HELP_YOUR_FILES.TXT


Shown above: Ransomware encrypted the files and changed their extensions to _email_anx@dr.com_.scl


Shown above: Windows registry entry showing the ransomware's start-up (autorun) location. Note that the malware installed itself into the Windows Roaming Profile. A Roaming Profile follows the user to each computer they log into on the local network, so the persistence entry travels with them.
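The indicators above (EITest gate, Angler EK landing page, and the POST to /images/goic.php on the C2) plus the renamed-file pattern are enough to build a simple triage check. The script below is an added example, not part of the original post: it scans a few constructed proxy-log lines for the listed domains, IPs and C2 URI, reports which infection stage each hit corresponds to, flags any internal host that touched the whole gate → landing page → C2 chain, and recognises files renamed with the `_email_<address>_.scl` suffix. The log format, timestamps and internal addresses are assumptions made for the example; the email address in the suffix is generalised beyond the single address seen on the page.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post, keyed to the infection stage they represent.
IOC_DOMAINS = {
    "biolexa.tk": "gate",            # EITest gate
    "x79.tx7pck9cx.top": "landing",  # Angler EK landing page
}
IOC_IPS = {
    "85.93.0.72": "gate",
    "185.106.122.96": "landing",
    "109.248.32.173": "c2",          # post-infection check-in
}
C2_PATH = "/images/goic.php"         # POST to this URI = C2 check-in
FULL_CHAIN = {"gate", "landing", "c2"}

# Encrypted files keep their original name and gain "_email_<address>_.scl".
# The post shows anx@dr.com; the pattern accepts any address in that slot.
ENCRYPTED_NAME = re.compile(r"_email_[^_\s]+@[^_\s]+_\.scl$")

# Constructed proxy log: "<timestamp> <src_ip> <dst_ip> <METHOD> <url> <status>".
# Timestamps and the 10.0.0.x client addresses are invented for this example.
SAMPLE_LOG = [
    "2016-01-01T14:01:02Z 10.0.0.25 85.93.0.72 GET http://biolexa.tk/ 200",
    "2016-01-01T14:01:05Z 10.0.0.25 185.106.122.96 GET http://x79.tx7pck9cx.top/ 200",
    "2016-01-01T14:01:40Z 10.0.0.25 109.248.32.173 POST http://109.248.32.173/images/goic.php 200",
    "2016-01-01T14:02:00Z 10.0.0.31 93.184.216.34 GET http://example.com/index.html 200",
]


def parse_proxy_line(line):
    """Split one constructed-format log line into its fields."""
    ts, src_ip, dst_ip, method, url, status = line.split()[:6]
    parts = urlsplit(url)
    return {
        "ts": ts, "src_ip": src_ip, "dst_ip": dst_ip, "method": method,
        "host": (parts.hostname or "").lower(), "path": parts.path or "/",
        "status": status,
    }


def classify_request(method, host, path, dst_ip):
    """Return a list of (stage, reason) tuples for every indicator matched."""
    hits = []
    if host in IOC_DOMAINS:
        hits.append((IOC_DOMAINS[host], f"domain {host}"))
    if dst_ip in IOC_IPS:
        hits.append((IOC_IPS[dst_ip], f"ip {dst_ip}"))
    if method.upper() == "POST" and path == C2_PATH:
        hits.append(("c2", f"POST {C2_PATH}"))
    return hits


def scan_log(lines):
    """Return one alert per log line that matched at least one indicator."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        hits = classify_request(rec["method"], rec["host"], rec["path"], rec["dst_ip"])
        if hits:
            alerts.append({"src_ip": rec["src_ip"], "ts": rec["ts"],
                           "stages": {stage for stage, _ in hits},
                           "reasons": [reason for _, reason in hits]})
    return alerts


def hosts_with_full_chain(alerts):
    """Internal hosts that hit gate, landing page and C2: treat as infected."""
    stages_by_host = {}
    for a in alerts:
        stages_by_host.setdefault(a["src_ip"], set()).update(a["stages"])
    return sorted(h for h, s in stages_by_host.items() if FULL_CHAIN <= s)


def is_encrypted_name(filename):
    """True if the file name carries the ransomware's rename suffix."""
    return bool(ENCRYPTED_NAME.search(filename))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["src_ip"], sorted(a["stages"]), a["reasons"])
    print("full chain seen from:", hosts_with_full_chain(found))
    print(is_encrypted_name("report.docx_email_anx@dr.com_.scl"))
```

A host that only reaches the gate or landing page may have been served the exploit without it succeeding; the POST to the C2 URI is the signal that the payload ran, which is why the chain check requires all three stages before labelling a host infected.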


MALICIOUS PAYLOAD FROM ANGLER EK:


REFERENCES: