Introduction

Last week, we saw the group behind a significant amount of Angler exploit kit (EK) traffic switch to Neutrino EK [1]. We didn't know if the change was permanent, and I also noted that criminal groups using EKs have quickly changed tactics in the past. This week, the group is back to Angler EK. Over the past few days, I've noticed several examples of Angler EK pushing TeslaCrypt 2.0 ransomware. For today's diary, we'll look at four examples of Angler EK on Tuesday 2015-08-25 from 16:42 to 18:24 UTC. All four delivered the same sample of TeslaCrypt 2.0 ransomware.

TeslaCrypt 2.0

TeslaCrypt is a recent family of ransomware that first appeared early this year. It's been known to mimic CryptoLocker, and we've seen it use the names TeslaCrypt and AlphaCrypt in previous infections [2, 3, 4]. According to Kaspersky Lab, version 2.0 of TeslaCrypt uses the same type of decrypt instructions as CryptoWall [5]. At first glance, an infected Windows host may look like it has CryptoWall; however, artifacts and traffic from the infected host reveal that it is actually TeslaCrypt.

Kafeine from Malware Don't Need Coffee first tweeted about the new ransomware on 2015-07-13 [6]. The next day on Securelist.com, Kaspersky Lab released details on this most recent version of TeslaCrypt [5]. I saw my first sample of TeslaCrypt 2.0 sent from Nuclear EK on 2015-07-20 [7]. Most TeslaCrypt 2.0 samples we've run across since then were delivered by Angler EK; however, we haven't seen a great deal of it. Until recently, most of the ransomware delivered by Angler EK was CryptoWall 3.0. By Tuesday 2015-08-25, we only saw Angler deliver TeslaCrypt 2.0.

Angler EK traffic

Websites compromised by this actor have the same style of injected code we saw last week; however, this time the iframes pointed to Angler EK. In most cases, the iframe led directly to the Angler EK landing page. In some cases, there is a gate (redirect) URL before getting to Angler.
Looking at the traffic in Wireshark, we find two different IPs and four different domains from the four Angler infections during a 1 hour and 42 minute time span.
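The way to get from a pcap to the figures above (how many infections, how many EK domains and IPs, whether a gate sat in front of the landing page) is to reconstruct each redirect chain by following Referer headers. The script below is an added example, not code from the diary; it works on HTTP request records of the kind you would export from Wireshark or tshark (time, src/dst IP, Host, URI, Referer). The records, hostnames and IPs are constructed placeholders (RFC 2606 / RFC 5737 ranges), not the real Angler infrastructure observed on 2015-08-25.

```python
"""Reconstruct exploit-kit redirect chains from HTTP request records.

Added example; not code from the original diary. Records are constructed
to resemble fields exported from Wireshark/tshark (frame time, ip.src,
ip.dst, http.host, http.request.uri, http.referer). All hosts and IPs
are placeholders, not the real Angler infrastructure.
"""
from datetime import datetime

# Constructed sample: four infections of one client between 16:42 and 18:24 UTC.
# Tuple layout: (utc time, client ip, server ip, Host header, URI, Referer)
REQUESTS = [
    # infection 1: compromised site -> Angler landing page -> exploit -> payload (no gate)
    ("2015-08-25 16:42:03", "10.0.0.5", "203.0.113.10", "compromised-a.example", "/index.html", ""),
    ("2015-08-25 16:42:05", "10.0.0.5", "198.51.100.7", "landing-a.example.net", "/forum/thread.php?id=1", "http://compromised-a.example/index.html"),
    ("2015-08-25 16:42:07", "10.0.0.5", "198.51.100.7", "landing-a.example.net", "/exploit.swf", "http://landing-a.example.net/forum/thread.php?id=1"),
    ("2015-08-25 16:42:09", "10.0.0.5", "198.51.100.7", "landing-a.example.net", "/payload", "http://landing-a.example.net/forum/thread.php?id=1"),
    # infection 2: compromised site -> gate (redirect) -> Angler landing page -> exploit
    ("2015-08-25 17:10:30", "10.0.0.5", "203.0.113.11", "compromised-b.example", "/news/", ""),
    ("2015-08-25 17:10:31", "10.0.0.5", "203.0.113.20", "gate.example", "/go.php", "http://compromised-b.example/news/"),
    ("2015-08-25 17:10:33", "10.0.0.5", "198.51.100.7", "landing-b.example.org", "/blog/post/2", "http://gate.example/go.php"),
    ("2015-08-25 17:10:35", "10.0.0.5", "198.51.100.7", "landing-b.example.org", "/exploit.swf", "http://landing-b.example.org/blog/post/2"),
    # infection 3: same compromised site as #1, new landing domain on a second IP
    ("2015-08-25 17:55:12", "10.0.0.5", "203.0.113.10", "compromised-a.example", "/index.html", ""),
    ("2015-08-25 17:55:14", "10.0.0.5", "198.51.100.9", "landing-c.example.com", "/topic/3", "http://compromised-a.example/index.html"),
    ("2015-08-25 17:55:16", "10.0.0.5", "198.51.100.9", "landing-c.example.com", "/exploit.swf", "http://landing-c.example.com/topic/3"),
    # infection 4
    ("2015-08-25 18:24:03", "10.0.0.5", "203.0.113.12", "compromised-c.example", "/", ""),
    ("2015-08-25 18:24:05", "10.0.0.5", "198.51.100.9", "landing-d.example.net", "/viewtopic.php?f=4", "http://compromised-c.example/"),
    ("2015-08-25 18:24:07", "10.0.0.5", "198.51.100.9", "landing-d.example.net", "/exploit.swf", "http://landing-d.example.net/viewtopic.php?f=4"),
]


def url_of(rec):
    """Absolute URL of a request, in the same form the next request's Referer uses."""
    return "http://" + rec[3] + rec[4]


def build_chains(records):
    """Group requests into chains: a request joins the chain of its Referer,
    otherwise (no Referer, or Referer not in the capture) it starts a new one.
    Requests are processed in time order so a revisited URL maps to the latest chain."""
    chains = []
    owner = {}  # (client ip, url) -> index into chains
    for rec in sorted(records, key=lambda r: r[0]):
        key = (rec[1], rec[5])
        if rec[5] and key in owner:
            idx = owner[key]
        else:
            idx = len(chains)
            chains.append([])
        chains[idx].append(rec)
        owner[(rec[1], url_of(rec))] = idx
    return chains


def chain_hops(chain):
    """Collapse consecutive requests to the same host into one (host, ip) hop."""
    hops = []
    for rec in chain:
        if not hops or hops[-1][0] != rec[3]:
            hops.append((rec[3], rec[2]))
    return hops


def summarize_ek(chains):
    """Per chain: first hop is the compromised site, last hop is the EK host
    (it serves landing page, exploit and payload), anything in between is a gate."""
    ek_domains, ek_ips, gates, starts = set(), set(), set(), []
    for chain in chains:
        hops = chain_hops(chain)
        if len(hops) < 2:
            continue  # no redirect at all: not an EK chain in this capture
        ek_domains.add(hops[-1][0])
        ek_ips.add(hops[-1][1])
        gates.update(h[0] for h in hops[1:-1])
        starts.append(datetime.strptime(chain[0][0], "%Y-%m-%d %H:%M:%S"))
    span = (max(starts) - min(starts)).total_seconds() / 60 if starts else 0.0
    return {"infections": len(starts), "ek_domains": ek_domains,
            "ek_ips": ek_ips, "gates": gates, "span_minutes": span}


if __name__ == "__main__":
    chains = build_chains(REQUESTS)
    for chain in chains:
        print(chain[0][0], " -> ".join(h[0] for h in chain_hops(chain)))
    print(summarize_ek(chains))
```

On the constructed data this yields four infections, four EK domains on two IPs, one gate, and a 102-minute span, the same shape as the real capture. Referer-based chaining breaks when the landing page is reached via a 302 redirect with no Referer or when Referer is stripped; in that case fall back to ordering by time within a client's TCP streams.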
See the images below for details.

Preliminary malware analysis

The malware payload was the same file for each infection. Although Angler EK sends its payload encrypted, I was able to grab a decrypted copy from an infected host before it deleted itself.
The following post-infection traffic was seen from the four infected hosts:
Malwr.com's analysis of the payload reveals additional IP addresses and hosts:
Snort-based alerts on the traffic

I played back the pcap on Security Onion using Suricata with the EmergingThreats (ET) and ET Pro rule sets. The results show alerts for Angler EK and AlphaCrypt. The AlphaCrypt alerts triggered on callback traffic from TeslaCrypt 2.0. See the image below for details.
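The useful triage step after a replay like this is to separate hosts that merely touched the EK (landing page or exploit alerts) from hosts that went on to make a post-infection callback, which is what the AlphaCrypt signatures catch for TeslaCrypt 2.0. The script below is an added example, not part of the diary or of Security Onion; it parses Suricata's fast.log line format and classifies each client. The log lines, SIDs (1000001 onward), rule names and IPs are constructed placeholders that only imitate ET naming; the second client is invented to show the "exposed but not infected" case.

```python
"""Triage Suricata fast.log alerts into exploit-kit exposure vs. confirmed infection.

Added example; not code from the diary. FAST_LOG is constructed sample
input: SIDs, rule names and IPs are placeholders in the style of ET rules.
"""
import re
from collections import Counter, defaultdict

FAST_LOG = """\
08/25/2015-16:42:05.112233  [**] [1:1000001:1] ET CURRENT_EVENTS Angler EK Landing Page (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 198.51.100.7:80
08/25/2015-16:42:07.445566  [**] [1:1000002:1] ET CURRENT_EVENTS Angler EK Flash Exploit (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49153 -> 198.51.100.7:80
08/25/2015-16:42:31.778899  [**] [1:1000003:1] ET TROJAN AlphaCrypt CnC Checkin (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49160 -> 192.0.2.44:80
08/25/2015-17:10:32.000001  [**] [1:1000001:1] ET CURRENT_EVENTS Angler EK Landing Page (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.6:50001 -> 198.51.100.9:80
"""

# Suricata fast.log: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts


def stage_of(msg):
    """Map a rule message to an infection stage (heuristic on ET naming).
    AlphaCrypt rules fire on TeslaCrypt 2.0 callbacks, so both names count as callback."""
    u = msg.upper()
    if re.search(r"\bEK\b", u):
        return "exploit_kit"
    if "ALPHACRYPT" in u or "TESLACRYPT" in u:
        return "ransomware_callback"
    return "other"


def triage(alerts):
    """Verdict per client. Assumes the alerting flows are client-initiated
    (HTTP GET/POST), so the alert source address is the client."""
    stages = defaultdict(set)
    for a in alerts:
        stages[a["src"]].add(stage_of(a["msg"]))
    verdict = {}
    for host, seen in stages.items():
        if "ransomware_callback" in seen:
            verdict[host] = "infected: post-infection callback observed"
        elif "exploit_kit" in seen:
            verdict[host] = "exposed: EK traffic but no callback seen"
        else:
            verdict[host] = "other alerts only"
    return verdict


def count_by_signature(alerts):
    """Alert counts keyed by (sid, msg), the usual first pivot after a replay."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


if __name__ == "__main__":
    alerts = parse_fast_log(FAST_LOG)
    for (sid, msg), n in count_by_signature(alerts).most_common():
        print(f"{n:4d}  {sid}  {msg}")
    for host, v in sorted(triage(alerts).items()):
        print(host, v)
```

To produce a fast.log from a capture outside Security Onion, replay it with `suricata -r traffic.pcap -l outdir/` (add `-c` to point at your suricata.yaml) and read `outdir/fast.log`; eve.json in the same directory carries the same alerts with the HTTP request fields attached, which is more useful once you need the URLs.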
Screen shots from an infected host
Final words

On the same cloned host with the same malware, we saw a different URL for the decrypt instructions each time. Every infection resulted in a different bitcoin address for the ransom payment, even though it was the same sample infecting the same cloned host. We continue to see EKs used by this and other criminal groups to spread malware. Although we haven't seen as much CryptoWall this week, the situation could easily change in a few days' time. Traffic and malware for this diary are listed below:
The zip archive for the malware is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

References:
[1] https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/

Brad (ISC Handler), Sep 2nd 2015
As usual: MOSTLY HARMLESS (a.k.a. DON'T PANIC)
The payload won't run on Windows hosts where SAFER alias Software Restriction Policies (or NTFS ACLs) deny execution in %USERPROFILE%
Anonymous, Aug 26th 2015
Not super important, but the links for pcaps and artifacts are switched.
Thanks for the post and the packets!
Tim, Aug 29th 2015
Thanks for the info! I corrected the links.
Brad (ISC Handler), Sep 2nd 2015