Threat Level: green Handler on Duty: Brad Duncan

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC StormCast for Thursday, July 2nd 2015 http://isc.sans.edu/podcastdetail.html?id=4553

Another example of Angler exploit kit pushing CryptoWall 3.0

Published: 2015-07-02
Last Updated: 2015-07-02 03:23:23 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

Angler exploit kit (EK) has been evolving quite a bit lately.  Recently, this EK has been altering its URL patterns on a near-daily basis.  The changes accumulate, and you might not recognize current traffic generated by Angler.  After two weeks of vacation, I almost didn't recognize it.  This diary provides two traffic examples of Angler EK as we enter July 2015.

Angler EK still pushing a lot of CryptoWall 3.0

Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK.  We first noticed CryptoWall 3.0 from Angler near the end of May 2015 [1], and we've seen a great deal of it since then [2].  The CryptoWall 3.0 sample for today's diary used 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as a bitcoin address for the ransom payment.

Traffic examples

Traffic from Tuesday, 2015-07-01 shows Angler EK from 148.251.167.57 and 148.251.167.107 at different times during the day.  Click on the images below for a full-size view of the associated HTTP traffic from the infected Windows hosts.

The people at Emerging Threats do a good job of keeping their Snort-based signatures up-to-date through their ETOpen and Proofpoint ET Pro rulesets.  Below is an image of events from the infection traffic I saw using Suricata on Security Onion.

Preliminary malware analysis

Sample of a CryptoWall 3.0 malware payload delivered by Angler EK on 2015-07-01:

Final words

Pcap files of the 2015-07-01 infection traffic are available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737
[2] https://isc.sans.edu/diary/Increase+in+CryptoWall+30+from+malicious+spam+and+Angler+exploit+kit/19785

Keywords:
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Apple "Patch Tuesday"
21 hours ago by Johannes (0 comments)

How Malware Campaigns Employ Google Redirects and Analytics
1 day ago by Lenny (3 comments)

The Powershell Diaries 2 - Software Inventory
2 days ago by Rob VandenBrink (4 comments)

The EICAR Test File
3 days ago by DidierStevens (6 comments)

Is Windows XP still around in your Network a year after Support Ended?
4 days ago by Guy (9 comments)

Cisco default credentials - again!
6 days ago by Daniel (1 comment)

Web security subtleties and exploitation of combined vulnerabilities
1 week ago by Bojan (4 comments)

View All Diaries →

Latest Discussions

Detecting lateral movement by NIDS/IPS (netcat or psexec)
created 1 day ago by DrGreen (1 reply)

Recommend InfoSec Books?
created 4 days ago by Anonymous (1 reply)

Security on Computer Names
created 1 week ago by Anonymous (1 reply)

Download the daily logs?
created 1 week ago by larry.guanneustar.biz (2 replies)

Wireshark upate - 1.12.6 has been released
created 2 weeks ago by Brad Duncan (0 replies)

View All Forums →

Latest News

View All News →