Another example of Angler exploit kit pushing CryptoWall 3.0

Published: 2015-07-02
Last Updated: 2015-07-02 03:23:23 UTC
by Brad Duncan (Version: 1)
2 comment(s)


Angler exploit kit (EK) has been evolving quite a bit lately.  Recently, this EK has been altering its URL patterns on a near-daily basis.  The changes accumulate, and you might not recognize current traffic generated by Angler.  After two weeks of vacation, I almost didn't recognize it.  This diary provides two traffic examples of Angler EK as we enter July 2015.

Angler EK still pushing a lot of CryptoWall 3.0

Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK.  We first noticed CryptoWall 3.0 from Angler near the end of May 2015 [1], and we've seen a great deal of it since then [2].  The CryptoWall 3.0 sample for today's diary used 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as a bitcoin address for the ransom payment.

Traffic examples

Traffic from Tuesday, 2015-07-01 shows Angler EK from and at different times during the day.  Click on the images below for a full-size view of the associated HTTP traffic from the infected Windows hosts.

The people at Emerging Threats do a good job of keeping their Snort-based signatures up-to-date through their ETOpen and Proofpoint ET Pro rulesets.  Below is an image of events from the infection traffic I saw using Suricata on Security Onion.

Preliminary malware analysis

Sample of a CryptoWall 3.0 malware payload delivered by Angler EK on 2015-07-01:

Final words

Pcap files of the 2015-07-01 infection traffic are available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password.  If you don't know it, email and ask.

Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: - Twitter: @malware_traffic



2 comment(s)


ive seen about 2 ANGLER hits a day in the last few weeks. 5 today alone, most all from
Yeah, saw another sample of CryptoWall 3.0 from Angler EK a few hours ago in that same IP address space. It was still using the same bitcoin address for ransom payment. Always nice to hear from other people who confirm seeing the same thing!

Diary Archives