Introduction Angler exploit kit (EK) has been evolving quite a bit lately. Recently, this EK has been altering its URL patterns on a near-daily basis. The changes accumulate, and you might not recognize current traffic generated by Angler. After two weeks of vacation, I almost didn't recognize it. This diary provides two traffic examples of Angler EK as we enter July 2015. Angler EK still pushing a lot of CryptoWall 3.0 Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK. We first noticed CryptoWall 3.0 from Angler near the end of May 2015 [1], and we've seen a great deal of it since then [2]. The CryptoWall 3.0 sample for today's diary used 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as a bitcoin address for the ransom payment. Traffic examples Traffic from Tuesday, 2015-07-01 shows Angler EK from 148.251.167.57 and 148.251.167.107 at different times during the day. Click on the images below for a full-size view of the associated HTTP traffic from the infected Windows hosts. The people at Emerging Threats do a good job of keeping their Snort-based signatures up-to-date through their ETOpen and Proofpoint ET Pro rulesets. Below is an image of events from the infection traffic I saw using Suricata on Security Onion. Preliminary malware analysis Sample of a CryptoWall 3.0 malware payload delivered by Angler EK on 2015-07-01:
Final words Pcap files of the 2015-07-01 infection traffic are available at:
A zip file of the associated malware is available at: The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask. --- References: [1] https://isc.sans.edu/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737 |
Brad 387 Posts ISC Handler Jul 2nd 2015 |
Thread locked Subscribe |
Jul 2nd 2015 5 years ago |
ive seen about 2 ANGLER hits a day in the last few weeks. 5 today alone, most all from 148.251.167.0/24
|
TuggDougins 37 Posts |
Quote |
Jul 3rd 2015 5 years ago |
Yeah, saw another sample of CryptoWall 3.0 from Angler EK a few hours ago in that same IP address space. It was still using the same bitcoin address for ransom payment. Always nice to hear from other people who confirm seeing the same thing!
|
Brad 387 Posts ISC Handler |
Quote |
Jul 3rd 2015 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!