2016-06-03 Angler Exploit Kit sends Kronos
NOTES:
- Kronos is an information-stealing Trojan known as the "Father of Zeus"
- In 2015 malware-traffic-analysis.net posted Rig Exploit Kit infection chains delivering Kronos, found [HERE] and [HERE]
- The Angler Exploit Kit has not been seen since June 7th, 2016, as reported by http://malware.dontneedcoffee.com
ASSOCIATED DOMAINS:
- 85.93.0.72 – zdiore.tk – EITEST GATE
- 93.115.38.104 – unt8p2.cemitanledhers.xyz – Angler EK LANDING PAGE
- 46.30.45.9 – BUYCOOLMATTER.INFO POST /X5YofLgo/connect.php – Kronos check-in to Command and Control (C2)
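The indicators above, together with the connect.php check-in URI, are enough to write a small traffic-log check. The following is an added example, not part of the original post: it runs over a constructed proxy-log format (assumed here, not a real log) and flags indicator hits, Kronos-style POST check-ins to /<token>/connect.php, and a .tk gate followed shortly by a .xyz landing page from the same client.

```python
import re

# Indicators copied from this post's ASSOCIATED DOMAINS section.
INDICATORS = {
    "85.93.0.72": "EITest gate", "zdiore.tk": "EITest gate",
    "93.115.38.104": "Angler EK landing", "unt8p2.cemitanledhers.xyz": "Angler EK landing",
    "46.30.45.9": "Kronos C2", "buycoolmatter.info": "Kronos C2",
}
# Kronos check-in URI structure noted in the post: POST /<token>/connect.php
KRONOS_CHECKIN = re.compile(r"^/[A-Za-z0-9]+/connect\.php$")
# Constructed log format for this example (not a log from the post):
#   "<epoch> <client_ip> <method> <host> <uri> <server_ip>"
LINE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\S+) (\S+)$")

def parse_line(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, uri, server = m.groups()
    return {"ts": int(ts), "client": client, "method": method,
            "host": host.lower(), "uri": uri, "server": server}

def flag_events(lines):
    """Return (client_ip, reason) for indicator hits, Kronos-style
    check-ins, and a .tk gate followed within 60s by a .xyz landing page."""
    hits, last_tk = [], {}
    for rec in filter(None, map(parse_line, lines)):
        for key in (rec["host"], rec["server"]):
            if key in INDICATORS:
                hits.append((rec["client"], f"{INDICATORS[key]}: {key}"))
                break
        if rec["method"] == "POST" and KRONOS_CHECKIN.match(rec["uri"]):
            hits.append((rec["client"], f"Kronos-style check-in: {rec['host']}{rec['uri']}"))
        if rec["host"].endswith(".tk"):
            last_tk[rec["client"]] = rec["ts"]
        elif rec["host"].endswith(".xyz"):
            seen = last_tk.get(rec["client"])
            if seen is not None and rec["ts"] - seen <= 60:
                hits.append((rec["client"], "EITest .tk gate -> Angler .xyz landing chain"))
    return hits

# Constructed sample traffic; only the hosts, IPs and check-in URI come from the post.
SAMPLE_LOG = [
    "1464940800 10.0.0.5 GET zdiore.tk /index.php 85.93.0.72",
    "1464940803 10.0.0.5 GET unt8p2.cemitanledhers.xyz /landing 93.115.38.104",
    "1464940900 10.0.0.5 POST buycoolmatter.info /X5YofLgo/connect.php 46.30.45.9",
    "1464940950 10.0.0.7 GET www.example.com / 93.184.216.34",
    "1464940960 10.0.0.7 POST forum.example.net /login.php 203.0.113.9",
]
```

Calling flag_events(SAMPLE_LOG) returns five hits for client 10.0.0.5 and none for 10.0.0.7; the benign POST to /login.php does not match the check-in pattern.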
IMAGES and DETAILS:
- Image: EITest gate using the .tk top-level domain (TLD) and Angler Exploit Kit landing page using the .xyz TLD
- Image: Script on the EITest gate redirecting to the Angler EK landing page
- Image: Kronos post-infection check-in traffic to Command and Control using the known URI structure connect.php
- Image: Windows Registry entry associated with the Kronos infection
- Image: Kronos executable file details
- Image: Angler Exploit Kit metadata
MALICIOUS PAYLOAD FROM ANGLER EK:
- 2016-06-03-Angler-EK.swf – VirusTotal link
- 2016-06-03-e6399e8e.exe (Kronos) – VirusTotal link