2016-05-31 - PSEUDO-DARKLEECH ANGLER EK FROM 93.170.76.189 SENDS BEDEP/CRYPTXXX

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-05-31-pseudoDarkleech-Angler-EK-pcaps.zip   5.6 MB (5,596,031 bytes)

• 2016-05-31-pseudoDarkleech-Angler-EK-first-run-on-a-VM.pcap   (6,362,131 bytes)
• 2016-05-31-pseudoDarkleech-Angler-EK-second-run-on-a-normal-host.pcap   (3,452,711 bytes)

• ZIP archive of the malware and artifacts:  2016-05-31-pseudoDarkleech-Angler-EK-sends-Bedep-CryptXXX-artifacts.zip   655.4 kB (655,431 bytes)

• 2016-05-31-CryptXXX-decrypt-instructions.bmp   (6,220,854 bytes)
• 2016-05-31-CryptXXX-decrypt-instructions.html   (5,716 bytes)
• 2016-05-31-CryptXXX-decrypt-instructions.txt   (989 bytes)
• 2016-05-31-CryptXXX.dll   (204800 bytes)
• 2016-05-31-click-fraud-malware.dll   (405,312 bytes)
• 2016-05-31-page-from-ampmworld-wide.com-with-injected-pseudoDarkleech-script-first-run.txt   (35,347 bytes)
• 2016-05-31-page-from-ampmworld-wide.com-with-injected-pseudoDarkleech-script-second-run.txt   (41,570 bytes)
• 2016-05-31-pseudoDarkleech-Angler-EK-flash-exploit-both-runs.swf   (40,817 bytes)
• 2016-05-31-pseudoDarkleech-Angler-EK-landing-page-first-run.txt   (101,511 bytes)
• 2016-05-31-pseudoDarkleech-Angler-EK-landing-page-second-run.txt   (101,491 bytes)

 

NOTES:

• After 3 weeks of just sending CryptXXX through Angler EK, the pseudo-Darkleech campaign is back to using Bedep to send CryptXXX after Angler EK.
• Like last time, C:\Windows\System32\rundll32.exe was copied (without changing the name) to the same folder as the CryptXXX DLL file.

• Today's Click-fraud malware:  C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll
• Today's CryptXXX ransomware:  C:\Users\[username]\AppData\Local\Temp\{95CE819F-F0EA-4DEA-A565-721DF6F4992C}\api-ms-win-system-apds-l1-1-0.dll

• Background on the pseudo-Darkleech campaign is available here.
• Proofpoint's blog entries about CryptXXX can be found here and here.
• An ISC diary I wrote about pseudo-Darkleech causing Angler EK/Bedep/CryptXXX infections is located here.
• On 2016-05-24, BleepingComputer reported CryptXXX was updated to version 3.0 (link) three days before I saw it on 2016-05-27 (link).

 

Shown above:  Flow chart for today's infection.

 

TRAFFIC

Shown above:  Pcap of the traffic on a normal host filtered in Wireshark.   http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

 

Shown above:  Pcap of the traffic on a VM filtered in Wireshark.

NOTE:  Bedep is very VM-aware, and it won't work properly on a VM, unless you've managed to adequately disguise it.  If not, a Bedep-infected VM will endlessly cycle through HTTP POST requests with different DGA domains and URL patterns.  No CryptXXX, no click-fraud malware, nothing else.  @Kafeine reported recent changes in Bedep behavior back in April 2016 showing how much more VM-aware it has become (link).

 

ANGLER EK:

• 93.170.76.189 port 80 - atlaspapier.webcopywriterjobs.co.uk

BEDEP POST-INFECTION TRAFFIC ON A NORMAL HOST:

• 85.17.31.82 port 80 - zspyvifafyzobebaju.com - POST /calendar.php
• 95.211.174.92 port 80 - utudabspcjgdi.com - POST /showpost.php
• 195.22.28.197 port 80 - kbwnovahahuvanm.com - POST /widget.php
• 82.141.230.141 port 80 - jkvkdgryjwhgnanm.com - POST /widget.php
• 104.193.252.241 port 80 - mnstwfwhmfqjileva.com - POST /css.php
• 104.193.252.241 port 80 - mnstwfwhmfqjileva.com - POST /include/functions.php
• 104.193.252.241 port 80 - mnstwfwhmfqjileva.com - POST /forum.php
• 104.193.252.241 port 80 - mnstwfwhmfqjileva.com - POST /content.php
• 104.193.252.241 port 80 - mnstwfwhmfqjileva.com - POST /include/class_dm_blog_trackback.php
• 104.193.252.241 port 80 - mnstwfwhmfqjileva.com - POST /include/functions.php

BEDEP POST-INFECTION TRAFFIC ON A VM:

• 198.105.244.228 port 80 - various domain names repeating endlessly - POST /[various URLs ending with].php

CRYPT-XXX POST-INFECTION TRAFFIC:

• 85.25.194.116 port 443 - custom-encoded TCP traffic
• 188.138.71.102 port 11643 - Traffic that contains the Windows username from the infected host

CLICK-FRAUD TRAFFIC BEGINS:

• 93.190.141.27 port 80 - cetinhechinhis.com - GET /adsc.php?sid=1957
• 95.211.205.218 port 80 - tedgeroatref.com - GET /adsc.php?sid=1957
• 104.193.252.236 port 80 - rerobloketbo.com - GET /adsc.php?sid=1957
• 162.244.34.11 port 80 - tonthishessici.com - GET /adsc.php?sid=1957
• 188.138.105.185 port 80 - kimpelasomasot.com - GET /adsc.php?sid=1957

 

IMAGES

Shown above:  Start of pseudo-Darkleech script from the compromised website.

 

Shown above:  Desktop of the Windows host after today's Angler EK/Bedep/CryptXXX infection.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-05-31-pseudoDarkleech-Angler-EK-pcaps.zip   5.6 MB (5,596,031 bytes)
• ZIP archive of the malware and artifacts:  2016-05-31-pseudoDarkleech-Angler-EK-sends-Bedep-CryptXXX-artifacts.zip   655.4 kB (655,431 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.