Last Updated: 2016-01-15 16:31:20 UTC
by Brad Duncan (Version: 1)
Since August 2015, actors using Angler exploit kit (EK) to send ransomware have occasionally switched back and forth between Angler EK and Neutrino EK.
Sometime in mid-August 2015, actors using Angler EK to send ransomware switched to Neutrino EK . The next week, those actors were back to using Angler EK [2, 3] and we've seen the occasional switching back and forth since then.
I hadn't seen much Neutrino EK at all in November and December of 2015, but these actors switched back to Neutrino EK by the first week of January . This occasional switch between the two EKs can be confusing. I've seen this EK switch initially confuse more than one security professional .
As of Tuesday 2016-01-12, these actors are back to Angler EK. And as always, we continue to see malicious spam (malspam) as another vector for ransomware.
I've already noted how malspam has been used as a vector for CryptoWall, and we've seem different methods used by the malspam to deliver the malware, whether it's through links  or attachments .
In today's diary, I look at the two examples of CryptoWall from the same day. The first example is through Angler EK. The second example is from malspam with zipped .js attachments. All examples of CryptoWall I see now are version "4.0" first reported by BleepingComputer in November 2015 .
CryptoWall from Angler EK
On Tuesday 2016-01-22, I generated a CryptoWall infection after viewing a compromised website that led to Angler EK. The images below show some of the details.
Below are the Indicators of compromise (IOCs) for this EK-based CryptoWall infection:
- 18.104.22.168 port 80 - waddent-scarcediscerned.miloongles.com - Angler EK
- 22.214.171.124 port 80 - rosebenthomas.in - CryptoWall post-infection check-in
- 126.96.36.199 port 80 - checkpoint.ua - CryptoWall post-infection check-in
CryptoWall from malspam
On Monday 2016-01-11, someone submitted a malspam example to the ISC. (Thanks, Roland! You know who you are!) The malspam had a zipped .js attachment. One of the other handlers answered the submitter, saying the .js attachment was a file downloader, and CryptoWall was one of the files downloaded.
I checked my organization's spam filters and found the same type of malspam.
The malspam all had zipped .js files designed to download and install malware on a user's computer. We've seen malspam with zipped .js attachments before [9, 10, 11]. Even though this type of malspam can be blocked by email filtering, we still get notifications of it from people who still run across it.
The zipped .js file is extracted, and double-clicking on the extracted file will executed a heavily obfuscated script that will download and install malware to an unprotected Windows host.
The .js file generated two URLs that downloaded files using .jpg extensions; however, these were both malware. One was CryptoWall, and the other was Fareit/Pony or a Zeus variant.
I've seen enough CryptoWall, that I recognize the post-infection traffic from the CryptoWall ransomware. HTTP POST requests caused by the other malware triggered the following alerts for Zeus and Fareit/Pony:
- [1:27919:3] MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration
- ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
- ETPRO TROJAN Fareit/Pony Downloader CnC response (sid:2805976)
Below are IOCs for this malspam-based CryptoWall infection:
- 188.8.131.52 port 80 - esrioterf.com - GET /img/script.php?dcm1.jpg [malware downloaded by the .js file]
- 184.108.40.206 port 80 - esrioterf.com - GET /img/script.php?dcm2.jpg [malware downloaded by the .js file]
- 220.127.116.11 port 80 - houstonpuryear.com - POST /wp-admin/images/images.php [Fareit/Pony traffic]
- 18.104.22.168 port 80 - mikeladeroute.com - POST /wp-content/themes/themes.php [Fareit/Pony traffic]
- 22.214.171.124 port 80 - mbuildersny.com - POST /wp-content/upgrade/upgrade.php [Fareit/Pony traffic]
- 126.96.36.199 port 80 - soulflix.com - POST /wp-includes/Text/Text.php [Fareit/Pony traffic]
- 188.8.131.52 port 80 - smoothmovin.com - POST /wp-content/uploads/uploads.php [Fareit/Pony traffic]
- 184.108.40.206 port 80 - post409.org - CryptoWall post-infection check-in
This really isn't a new development for CryptoWall-related traffic. I posted a diary about CryptoWall being sent through both Angler EK and malspam back in May 2015 , and I'm sure it was happening well before then. But the details are slightly different this time around, and it's always useful to confirm this type of activity is still happening.
Traffic and malware samples for this diary can be found here.
If you find any traffic or malware samples you think are interesting, use our contact form and upload a sample to us. We may not have time to examine every sample that comes our way (most of us are volunteers doing this as time allows), but we'll do our best. If anyone has any recent stories of CryptoWall or zipped .js malspam, please leave a comment below.