SANS ISC Internet Storm Center
Another example of Angler exploit kit pushing CryptoWall 3.0

Published: 2015-07-02
Last Updated: 2015-07-02 03:23:23 UTC
by Brad Duncan (Version: 1)
Introduction

Angler exploit kit (EK) has been evolving quite a bit lately.  Recently, this EK has been altering its URL patterns on a near-daily basis.  The changes accumulate, and you might not recognize current traffic generated by Angler.  After two weeks of vacation, I almost didn't recognize it.  This diary provides two traffic examples of Angler EK as we enter July 2015.

Angler EK still pushing a lot of CryptoWall 3.0

Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK.  We first noticed CryptoWall 3.0 from Angler near the end of May 2015 [1], and we've seen a great deal of it since then [2].  The CryptoWall 3.0 sample for today's diary used 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as a bitcoin address for the ransom payment.

Traffic examples

Traffic from Tuesday, 2015-07-01 shows Angler EK from 148.251.167.57 and 148.251.167.107 at different times during the day.  Click on the images below for a full-size view of the associated HTTP traffic from the infected Windows hosts.

The people at Emerging Threats do a good job of keeping their Snort-based signatures up-to-date through their ETOpen and Proofpoint ET Pro rulesets.  Below is an image of events from the infection traffic I saw using Suricata on Security Onion.

Preliminary malware analysis

Sample of a CryptoWall 3.0 malware payload delivered by Angler EK on 2015-07-01:

Final words

Pcap files of the 2015-07-01 infection traffic are available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737
[2] https://isc.sans.edu/diary/Increase+in+CryptoWall+30+from+malicious+spam+and+Angler+exploit+kit/19785
