2016-02-23 - TWO EXAMPLES OF ADMEDIA ANGLER EK
PCAPS AND MALWARE:
- ZIP archive of both PCAPs: 2016-02-23-Admedia-Angler-EK-both-pcaps.zip 2.0 MB (1,987,472 bytes)
- ZIP archive of malware and artifacts: 2016-02-23-Admedia-Angler-EK-malware-and-artifacts.zip 857.5 kB (857,471 bytes)
NOTES:
- Kafeine recently reported seeing Angler EK using the CVE-2016-0034 Silverlight exploit.
- I've had some issues with my Windows hosts and haven't been able to generate Angler EK sending the Silverlight exploit just yet.
- For links about "admedia" Angler EK, see my previous blog entry here.
DETAILS
DATE/TIME: 2016-02-23 21:33 UTC
- www.destinationcyber.com - Compromised website [with injected script]
- 188.166.149.17 port 80 - css.ogromnuezadnicu.info - "admedia" style gate
- 185.46.11.32 port 80 - gg.bluehousevalue.com - Angler EK
- 77.73.81.35 port 80 - www.big-cola.com - POST /imgs/videos/bsts.php [TeslaCrypt callback traffic]
Shown above: Traffic from the first pcap filtered in Wireshark.
Shown above: Injected script in page from the compromised website.
DATE/TIME: 2016-02-23 22:54 UTC
- straightpathsql.com - Compromised website
- straightpathsql.com - GET /wp-includes/js/jquery/jquery.js?ver=1.11.3 [.js file with injected script]
- straightpathsql.com - GET /wp-content/themes/delegate-new/includes/js/general.js?ver=4.3.1 [.js file with injected script]
- 188.166.149.53 port 80 - cdn.gdegetumoyakoza.info - "admedia" style gate
- 185.46.11.32 port 80 - chin.chanheartkim.com - Angler EK
- 77.73.81.35 port 80 - www.big-cola.com - POST /imgs/videos/bsts.php [TeslaCrypt callback traffic]
Shown above: Traffic from the first pcap filtered in Wireshark.
Shown above: Example of injected script in .js files from the compromised website.
$ md5sum *.exe
115566475d45f8771549d7502155912e  2016-02-23-Admedia-Angler-EK-payload-TeslaCrypt-after-destinationcyber.com.exe
23fd5372ad12ffd587247cc826552f92  2016-02-23-Admedia-Angler-EK-payload-TeslaCrypt-after-straightpathsql.com.exe
$ md5sum *.swf
3b93c04c7aba63df3d6a0f33dda60aeb  2016-02-23-Admedia-Angler-EK-flash-exploit-after-destinationcyber.com.swf
98a4ecd2bbc8f0551d17022bc911b812  2016-02-23-Admedia-Angler-EK-flash-exploit-after-straightpathsql.com.swf
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of both PCAPs: 2016-02-23-Admedia-Angler-EK-both-pcaps.zip 2.0 MB (1,987,472 bytes)
- ZIP archive of malware and artifacts: 2016-02-23-Admedia-Angler-EK-malware-and-artifacts.zip 857.5 kB (857,471 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.