
Angler exploit kit pushing CryptoWall 3.0

Published: 2015-05-28
Last Updated: 2015-05-28 00:21:40 UTC
by Brad Duncan (Version: 1)

Introduction

In the past two days, I've infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24.  Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB

On Tuesday, 2015-05-26 at 15:17 UTC, I infected a host where Angler EK sent Bedep as a malware payload before getting CryptoWall 3.0 [1].  On Wednesday, 2015-05-27 at 17:30 UTC, I infected a host where Angler EK sent CryptoWall 3.0 as the malware payload.

I usually see Angler EK send different types of ransomware [2, 3], and I've seen plenty of CryptoWall 3.0 samples from Magnitude EK; however, this is the first time I've noticed CryptoWall from Angler EK.

[Image] CryptoWall 3.0 decrypt instructions from the 2015-05-27 sample

Traffic from the infected host

CryptoWall 3.0 traffic has changed a bit from my first diary about it on 2015-01-19 [4].  Traffic below was seen from the infected host on 2015-05-27 starting at 17:30 UTC.

[Image] Angler EK and CryptoWall 3.0 traffic as seen in Wireshark

Associated domains:

  • 216.245.213.5 port 80 - vanskeligstesjeverozapadne1.xadultchat.com - Angler EK
  • 91.184.19.41 port 80 - autorijschoolconsistent.nl - CryptoWall 3.0 check-in
  • 213.186.33.50 port 80 - jeanrey.fr - CryptoWall 3.0 check-in
  • 50.62.123.1 port 80 - 3bsgroup.com - CryptoWall 3.0 check-in
  • 75.103.83.9 port 80 - braingame.biz - CryptoWall 3.0 check-in
  • 62.221.204.114 port 80 - alsblueshelpt.nl - CryptoWall 3.0 check-in
  • 184.168.47.225 port 80 - ammorgan.net - CryptoWall 3.0 check-in
  • 79.96.220.223 port 80 - bezpiecznaswinka.pl - CryptoWall 3.0 check-in
  • 148.251.140.60 port 80 - asadiag.com - CryptoWall 3.0 check-in
  • 184.168.47.225 port 80 - alchemyofpresence.com - CryptoWall 3.0 check-in 
  • 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paygateawayoros.com - CryptoWall decrypt instructions
  • 95.163.121.105 port 80 - 7oqnsnzwwnm6zb7y.paymentgateposa.com - CryptoWall decrypt instructions
  • 7oqnsnzwwnm6zb7y.optionpaymentprak.com (didn't resolve in DNS) - CryptoWall decrypt instructions
  • 7oqnsnzwwnm6zb7y.watchdogpayment.com (didn't resolve in DNS) - CryptoWall decrypt instructions

Angler EK:

  • vanskeligstesjeverozapadne1.xadultchat.com - GET /molehill_inconsolably_erecting_prematureness/174208500231771131
  • vanskeligstesjeverozapadne1.xadultchat.com - GET /OEmjzR2jUP6JG0o9h494My_bK-qvpSFR6NcLcwz5j32hxI3s
  • vanskeligstesjeverozapadne1.xadultchat.com - GET /BjWMS7ksUcb9SztLJX7JlXe95voNnRcc7DfUJzRGbqTqKe8X

CryptoWall 3.0 check-in traffic:

  • ip-addr.es - GET /
  • autorijschoolconsistent.nl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?c=mr3jkiznke20nfh
  • jeanrey.fr - POST /wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41/img3.php?w=mr3jkiznke20nfh
  • 3bsgroup.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?t=mr3jkiznke20nfh
  • braingame.biz - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?x=mr3jkiznke20nfh
  • alsblueshelpt.nl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img3.php?n=mr3jkiznke20nfh
  • asambleadedios.org - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?z=mr3jkiznke20nfh
  • ammorgan.net - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img5.php?o=mr3jkiznke20nfh
  • bezpiecznaswinka.pl - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?k=mr3jkiznke20nfh
  • asadiag.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?q=mr3jkiznke20nfh
  • alchemyofpresence.com - POST /wp-content/plugins/revslider/temp/update_extract/revslider/img4.php?z=mr3jkiznke20nfh

Note: These URLs were repeated several times, each with a different random string at the end.

Traffic caused by viewing the CryptoWall decrypt instructions in a browser:

  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /1kwN8ko
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/style.css
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/us.png
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/it.png
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/rt.png
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/fr.png
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /picture.php?k=1kwn8ko&4d2156f57fb503178f62c2f95690e599
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/rb.png
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/es.png
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/flags/de.png
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/lb.png
  • 7oqnsnzwwnm6zb7y.paygateawayoros.com - GET /img/lt.png
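One way to turn the two traffic patterns above (the check-in POSTs to compromised WordPress sites and the fixed-label decrypt-instruction hosts) into a detection, as an added example that is not part of the diary: a small Python classifier run over constructed proxy-log lines. The log format, the client IP 10.0.0.5 and the benign www.example.com line are assumptions; the hosts, paths and identifier are taken from the lists above.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not from the diary):
# "<time> <client-ip> <METHOD> <host> <path-with-query>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$")

# Check-in shape seen in the diary: POST to a compromised WordPress site, a script
# named img<digit>.php under /wp-content/, a one-letter query key and a random-looking id.
CHECKIN_PATH = re.compile(r"^/wp-content/.+/img\d\.php\?[a-z]=(?P<id>[a-z0-9]+)$")

# Decrypt-instruction hosts: one fixed label in front of rotating payment-themed domains.
DECRYPT_HOST = re.compile(r"^7oqnsnzwwnm6zb7y\.[a-z0-9.-]+$")

def classify(line):
    """Return (kind, host, id) for a CryptoWall 3.0 indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    method, host, path = m.group("method"), m.group("host"), m.group("path")
    if method == "POST":
        c = CHECKIN_PATH.match(path)
        if c:
            return ("checkin", host, c.group("id"))
    if DECRYPT_HOST.match(host):
        return ("decrypt-page", host, None)
    if method == "GET" and host == "ip-addr.es" and path == "/":
        return ("ip-lookup", host, None)  # external-IP lookup that precedes the check-ins
    return None

def checkins_by_id(lines):
    """Group check-in hosts by id: one id reused across many unrelated WordPress
    sites from a single client is the campaign signature worth alerting on."""
    groups = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit and hit[0] == "checkin":
            groups[hit[2]].add(hit[1])
    return {k: sorted(v) for k, v in groups.items()}

# Constructed sample lines reusing the diary's hosts and paths; the last is benign.
SAMPLE = [
    "17:30:05 10.0.0.5 GET ip-addr.es /",
    "17:30:06 10.0.0.5 POST autorijschoolconsistent.nl "
    "/wp-content/plugins/revslider/temp/update_extract/revslider/img2.php?c=mr3jkiznke20nfh",
    "17:30:07 10.0.0.5 POST jeanrey.fr "
    "/wp-content/uploads/wpallimport/uploads/3aa8810fe8a85c3aeaf70245feaf0a41/img3.php?w=mr3jkiznke20nfh",
    "17:30:09 10.0.0.5 GET 7oqnsnzwwnm6zb7y.paygateawayoros.com /1kwN8ko",
    "17:30:10 10.0.0.5 GET www.example.com /wp-content/uploads/2015/05/img2.php?c=x",
]
```

Matching on the path shape rather than on the domain names lets the rule survive the rotation of compromised WordPress sites the diary shows across both check-in lists.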

[Image] Emerging Threats-based Snort events on the infection traffic using Security Onion

Preliminary malware analysis

Malware payload delivered by Angler EK on 2015-05-27:

Final words

A pcap of the 2015-05-27 infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2015/05/26/index.html
[2] https://isc.sans.edu/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681
[3] http://malware-traffic-analysis.net/2015/03/25/index.html
[4] https://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+30/19203
