NOTES:

• Kronos is an information stealing Trojan known as the Father of Zeus
• In 2015 malware-traffic-analysis.net posted Rig Exploit Kit infection chains sending Kronos found [HERE] and [HERE]
• The Angler Exploit Kit has not been seen since June 7th 2016 as reported by http://malware.dontneedcoffee.com

ASSOCIATED DOMAINS:

• 85.93.0.72 – zdiore.tk – EITEST GATE
• 93.115.38.104 – unt8p2.cemitanledhers.xyz – Angler EK LANDING PAGE
• 46.30.45.9 – BUYCOOLMATTER.INFO POST /X5YofLgo/connect.php – Kronos Check-In Command and Control (C2)
  

IMAGES and DETAILS:

Shown above: EITEST gate using the .tk Top Level Domain name and Angler exploit kit landing page using the .xyz (TLD)

Shown above: Script on EITEST gate redirecting to the Angler EK landing page

Shown above: Kronos post infection traffic check-in to Command and Control using a known URI structure connect.php

Shown above: Windows Registry entry associated with Kronos infection

Shown above: Kronos executable file details

Shown above: Angler Exploit Kit meta data

MALICIOUS PAYLOAD FROM ANGLER EK:

• 2016-06-03-Angler-EK.swf
  Virus Total Link
• 2016-06-03-e6399e8e.exe  –  (Kronos)
  Virus Total Link