2015-02-10 - ANGLER EK FROM 151.80.94.250

ASSOCIATED FILES:

• ZIP of pcap from 2015-02-09:  2015-02-09-Angler-EK-traffic.pcap.zip
• ZIP of pcap from 2015-02-10:  2015-02-10-Angler-EK-traffic.pcap.zip

 

NOTES:

• No malware for this entry.  It's an Angler EK using "fileless" infection, and I'm not able to decrypt the malware payload from the pcap file.
• Just wanted to document recent traffic patterns I've seen for Angler.

 

ASSOCIATED DOMAINS

• 217.13.200.20 port 80 - technik-palast.de - Compromised website
• 151.80.94.250 port 80 - xhaustibleentrapada.globalsoccerassociation.com - Angler EK (2015-02-09 example)
• 151.80.94.250 port 80 - floorcleaner-kanriune.juegosdelasegundaguerramundial.com - Angler EK (2015-02-10 example)
• 173.224.126.40 port 80 - yvcuoclrigdoh5.com - Post infection - Bedep checkin
• 37.59.5.218 port 80 - afraid.magicmotors.xyz - Post-infection Fareit/Pony cownloader checkin

• 95.211.225.40 port 80 - news4news2015.com - Another compromised website during the 2015-02-10 post-infection traffic
• 207.182.135.187 port 80 - ncjeou-khb747bjg324yusjdfh9.djopmopytera.in - Angler EK during the 2015-02-10 post-infection traffic

 

CHAIN OF EVENTS - 2015-02-09

2015-02-09 - COMPROMISED WEBSITE AND ANGLER EK:

• 22:10:15 UTC - technik-palast.de - GET /

• 22:10:20 UTC - exhaustibleentrapada.globalsoccerassociation.com - GET /1eetn68o2p.php
• 22:10:24 UTC - exhaustibleentrapada.globalsoccerassociation.com - GET /5SipbRRlZfGojXkw1QCDVg3oFB9R-76EVJBuY32leaqIE1jNMAFAAvYTtdfrFEwC
• 22:10:35 UTC - exhaustibleentrapada.globalsoccerassociation.com - GET /P_Dk72z0BA-K3AeT3vy3DNUleFIecTw_iepkDAxOSKrqWqfduTSRaVyZuIWGDm0X

 

2015-02-09 - POST-INFECTION TRAFFIC:

• 22:10:27 UTC - www.earthtools.org - POST /timezone/0/0
• 22:10:28 UTC - ww.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 22:10:33 UTC - yvcuoclrigdoh5.com - POST /
• 22:10:36 UTC - yvcuoclrigdoh5.com - POST /
• 22:10:40 UTC - yvcuoclrigdoh5.com - POST /
• 22:10:58 UTC - afraid.magicmotors.xyz - POST /news.php
• 22:10:58 UTC - yvcuoclrigdoh5.com - POST /

 

CHAIN OF EVENTS - 2015-02-10

2015-02-10 - COMPROMISED WEBSITE AND ANGLER EK:

• 18:22:59 UTC - technik-palast.de - GET /

• 18:23:02 UTC - floorcleaner-kanriune.juegosdelasegundaguerramundial.com - GET /xzlw6g4c9w.php
• 18:23:03 UTC - floorcleaner-kanriune.juegosdelasegundaguerramundial.com - GET /Kz7PfrqxxXlgfSZm7ALTmQjzdr1_51Tmm4IHMCZxcExNteJqWq5RqnxKBg983f36
• 18:23:08 UTC - floorcleaner-kanriune.juegosdelasegundaguerramundial.com - GET /GbZ5TdlBnRwaHlTFeD1sh9fOp5o8LdjbhOXLiTiqzYKnTAxfwK_D3XJM8Fq5494V
• 18:23:14 UTC - floorcleaner-kanriune.juegosdelasegundaguerramundial.com - GET /Wipg9WjRJ4ZdZyR-y3yqTb-dXDBZZOYrC71PnKjjNi-QOmMBrdMlHD5L261zNrtc

 

2015-02-10 - POST-INFECTION TRAFFIC:

• 18:23:11 UTC - www.earthtools.org - POST /timezone/0/0
• 18:23:12 UTC - www.ecb.europa.eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 18:23:13 UTC - yvcuoclrigdoh5.com - POST /
• 18:23:14 UTC - yvcuoclrigdoh5.com - POST /
• 18:23:16 UTC - yvcuoclrigdoh5.com - POST /
• 18:23:23 UTC - afraid.magicmotors.xyz - POST /news.php
• 18:23:34 UTC - yvcuoclrigdoh5.com - POST /

 

2015-02-10 - POST-INFECTION CLICK FRAUD TRAFFIC BEGINS:

• 18:26:17 UTC - 64.79.74.35 port 80 - nolohe6terasco.net - GET /ads.php?sid=1923
• 18:26:17 UTC - 5.135.36.60 port 80 - bolkoaretanop.com - GET /ads.php?sid=1923
• 18:26:39 UTC - 5.135.36.60 port 80 - bolkoaretanop.com - GET /ads.php?sid=1923
• 18:26:41 UTC - 5.135.36.60 port 80 - bolkoaretanop.com - GET /r.php?key=56f090500f0b834b51ef239cfa4c8789
• 18:26:41 UTC - 64.79.74.35 port 80 - nolohe6terasco.net - GET /ads.php?sid=1923
• 18:26:41 UTC - 5.135.36.60 port 80 - bolkoaretanop.com - GET /r.php?key=56f090500f0b834b51ef239cfa4c8789
• 18:26:41 UTC - 64.79.74.35 port 80 - nolohe6terasco.net - GET /r.php?key=56f090500f0b834b51ef239cfa4c8789

 

2015-02-10 - ANGLER EK HAPPENS AGAIN DURING THE POST-INFECTION TRAFFIC:

• 18:26:43 UTC - news4news2015.com - GET /   - [redirects to Angler EK shown below]

• 18:26:43 UTC - ncjeou-khb747bjg324yusjdfh9.djopmopytera.in - GET /1tuqwnzkgn
• 18:26:47 UTC - ncjeou-khb747bjg324yusjdfh9.djopmopytera.in - GET /19gOKOXiHp8ZrZqkY2i5En9NpX6LnLEWSQPPE1pl281C4Qqm

 

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion (without ET POLICY or ET INFO events):

• 151.80.94.250 port 80 - ET CURRENT_EVENTS DRIVEBY Angler EK Landing Feb 04 2014 T1 (sid:2020367)
• 151.80.94.250 port 80 - ET CURRENT_EVENTS Angler EK Payload DL M1 Feb 06 2015 (sid:2020385)
• 151.80.94.250 port 80 - ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
• 37.59.5.218 port 80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
• 173.224.126.40 port 80 - ET TROJAN Bedep Checkin Response (sid:2019952)
• 207.182.135.187 port 80 - ETPRO CURRENT_EVENTS DRIVEBY Angler EK Landing T1 Feb 02 2015 (sid:2809664)

Significant signature hits from the Talos (Sourcefire VRT) ruleset using Snort 2.9.7.0 on Debian 7:

• 217.13.200.20 port 80 - [1:32481:1] POLICY-OTHER Remote non-JavaScript file found in script tag src attribute
• 37.59.5.218 port 80 - [1:27919:3] MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration
• 207.182.135.187 port 80 - [1:33292:1] EXPLOIT-KIT Angler exploit kit landing page detected
• 207.182.135.187 port 80 - [1:33182:1] EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request

 

SCREENSHOT FROM THE TRAFFIC

Iframe in malicious javascript from compromised website pointing to Angler EK landing page:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of pcap from 2015-02-09:  2015-02-09-Angler-EK-traffic.pcap.zip
• ZIP of pcap from 2015-02-10:  2015-02-10-Angler-EK-traffic.pcap.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.