Last Updated: 2015-07-02 03:23:23 UTC
by Brad Duncan (Version: 1)
Angler exploit kit (EK) has been evolving quite a bit lately. Recently, this EK has been altering its URL patterns on a near-daily basis. The changes accumulate, and you might not recognize current traffic generated by Angler. After two weeks of vacation, I almost didn't recognize it. This diary provides two traffic examples of Angler EK as we enter July 2015.
Angler EK still pushing a lot of CryptoWall 3.0
Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK. We first noticed CryptoWall 3.0 from Angler near the end of May 2015 , and we've seen a great deal of it since then . The CryptoWall 3.0 sample for today's diary used 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as a bitcoin address for the ransom payment.
Traffic from Tuesday, 2015-07-01 shows Angler EK from 22.214.171.124 and 126.96.36.199 at different times during the day. Click on the images below for a full-size view of the associated HTTP traffic from the infected Windows hosts.
The people at Emerging Threats do a good job of keeping their Snort-based signatures up-to-date through their ETOpen and Proofpoint ET Pro rulesets. Below is an image of events from the infection traffic I saw using Suricata on Security Onion.
Preliminary malware analysis
Sample of a CryptoWall 3.0 malware payload delivered by Angler EK on 2015-07-01:
- File size: 240.0 KB ( 245760 bytes )
- MD5 hash: f52679c115377e42943b0427d968f891
- Detection ratio: 4 / 55
- First submitted: 2015-07-01 23:01:15 UTC
Pcap files of the 2015-07-01 infection traffic are available at:
A zip file of the associated malware is available at:
The zip file is password-protected with the standard password. If you don't know it, email firstname.lastname@example.org and ask.