Actor that tried Neutrino exploit kit now back to Angler, (Wed, Aug 26th)


Introduction

Last week, we saw the group behind a significant amount of Angler exploit kit (EK) traffic switch to Neutrino EK [1]. We didn't know if the change was permanent, and I also noted that criminal groups using EKs have quickly changed tactics in the past. This week, the group is back to Angler EK.

The past few days, I've noticed several examples of Angler EK pushing TeslaCrypt 2.0 ransomware. For today's diary, we'll look at four examples of Angler EK on Tuesday 2015-08-25 from 16:42 to 18:24 UTC. All examples delivered the same sample of TeslaCrypt 2.0 ransomware.

TeslaCrypt 2.0

TeslaCrypt is a recent family of ransomware that first appeared early this year. It's been known to mimic CryptoLocker, and we've seen it use the names TelsaCrypt and AlphaCrypt in previous infections [2,3,4]. According to Kaspersky Lab, version 2.0 of TeslaCrypt uses the same type of decrypt instructions as CryptoWall [5]. However, artifacts and traffic from the infected host reveal this is actually TeslaCrypt.

Kafeine from Malware Don't Need Coffee first tweeted about the new ransomware on 2015-07-13 [6]. The next day on Securelist.com, Kaspersky Lab released details on this most recent version of TeslaCrypt [5].

I saw my first sample of TeslaCrypt 2.0 sent from Nuclear EK on 2015-07-20 [7]. Most TeslaCrypt 2.0 samples we've run across since then were delivered by however, we haven't seen a great deal of it. Until recently, most of the ransomware delivered by Angler EK was CryptoWall 3.0. However, this time the iframes pointed to Angler EK. In most cases, the iframe led directly to the Angler EK landing page.

Shown above: From the third example, the

Shown above: From the fourth example, the iframe pointing to an Angler EK landing page.

Looking at the traffic in Wireshark, we find two different IPs and four different domains from the four Angler infections during a 1 hour and 42 minute time span. Although Angler EK sends its payload encrypted, I was able to grab a decrypted copy from an infected host before it deleted itself.

  • File name: 2015-08-25-Angler-EK-payload-TeslaCrypt-2.0.exe
  • File size: 346.9 KB (355,239 bytes)
  • MD5 hash: 4321192c28109be890decfa5657fb3b3
  • SHA1 hash: 352f81f9f7c1dcdb5dbfe9bee0faa82edba043b9
  • SHA256 hash: 838f89a2eead1cfdf066010c6862005cd3ae15cf8dc5190848b564352c412cfa
  • Detection ratio: 3 / 49
  • First submission: 2015-08-25 19:51:01 UTC
  • Virus Total analysis: link
  • Malwr.com analysis: link
  • Hybrid-Analysis.com analysis: link

The following post-infection traffic was seen from the four infected hosts:

  • ipinfo.io - TCP port 80 (http) - IP address check
  • 149.210.193.39 - TCP port 80 (http) - ledshoppen.nl - post-infection callback
  • 192.185.171.111 - TCP port 80 (http) - www.micropiso.cl - post-infection callback

Malwr.com's analysis of the payload reveals additional IP addresses and hosts:

  • 217.12.207.33 - TCP port 80 (http) - shmetterheath.ru
  • 199.116.254.169 - TCP port 80 (http) - fgainterests.com
  • 198.1.106.126 - TCP port 80 (http) - serenitynowbooksandgifts.com
  • 198.1.106.126 - TCP port 80 (http) - www.serenitynowbooksandgifts.com
  • 217.197.83.197 - TCP port 443 (encrypted) - kb63vhjuk3wh4ex7.onion.to
  • 65.112.221.20 - TCP port 443 (encrypted) - kb63vhjuk3wh4ex7.tor2web.org
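The two indicator lists above (the callbacks seen from the infected hosts and the additional hosts from the Malwr.com report), together with the payload hashes, are what a defender would turn into a retrospective search of proxy or HTTP logs. The script below is an added example and is not part of the diary or the author's tooling: it copies the indicator values from this page, parses a constructed proxy-style log (the log lines, internal 10.0.0.x addresses and TEST-NET destination IPs are made up for the example, not captured traffic), flags any line whose host or destination IP matches a callback indicator, treats the ipinfo.io check as a weak indicator only, and compares a file's digests with the listed payload hashes.

```python
"""Indicator matching for the TeslaCrypt 2.0 / Angler EK traffic in this diary.

Added example, not code from the ISC diary or its author. Indicator values are
copied from the diary; the log format and the sample log lines are constructed.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Post-infection callback hosts and IPs copied from the diary's two lists.
CALLBACK_DOMAINS = {
    "ledshoppen.nl", "www.micropiso.cl", "shmetterheath.ru", "fgainterests.com",
    "serenitynowbooksandgifts.com", "www.serenitynowbooksandgifts.com",
    "kb63vhjuk3wh4ex7.onion.to", "kb63vhjuk3wh4ex7.tor2web.org",
}
CALLBACK_IPS = {
    "149.210.193.39", "192.185.171.111", "217.12.207.33", "199.116.254.169",
    "198.1.106.126", "217.197.83.197", "65.112.221.20",
}
# ipinfo.io is a legitimate service that the diary lists as the IP address check;
# on its own it is a weak indicator, so it is scored separately.
IP_CHECK_DOMAINS = {"ipinfo.io"}

# Payload hashes copied from the diary.
PAYLOAD_HASHES = {
    "md5": "4321192c28109be890decfa5657fb3b3",
    "sha1": "352f81f9f7c1dcdb5dbfe9bee0faa82edba043b9",
    "sha256": "838f89a2eead1cfdf066010c6862005cd3ae15cf8dc5190848b564352c412cfa",
}

# Constructed log format (assumption for this example):
#   <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <host> <uri>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<host>\S+) (?P<uri>\S+)$"
)

# Constructed sample log: 10.0.0.x are internal clients, 203.0.113.x / 198.51.100.x
# are TEST-NET placeholders; only the indicator hosts/IPs come from the diary.
SAMPLE_LOG = """\
2015-08-25T16:43:02Z 10.0.0.15 203.0.113.10:80 GET ipinfo.io /json
2015-08-25T16:43:05Z 10.0.0.15 149.210.193.39:80 POST ledshoppen.nl /constructed-path
2015-08-25T16:43:09Z 10.0.0.15 192.185.171.111:80 POST www.micropiso.cl /constructed-path
2015-08-25T16:50:00Z 10.0.0.22 198.51.100.7:80 GET example.com /index.html
2015-08-25T17:01:11Z 10.0.0.15 65.112.221.20:443 CONNECT kb63vhjuk3wh4ex7.tor2web.org /
"""


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a log line that touches a diary indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, dst = m.group("host").lower(), m.group("dst")
    if host in CALLBACK_DOMAINS or dst in CALLBACK_IPS:
        severity, reason = "high", "TeslaCrypt 2.0 post-infection callback"
    elif host in IP_CHECK_DOMAINS:
        severity, reason = "low", "external IP address check (seen before callbacks)"
    else:
        return None
    return {"ts": m.group("ts"), "src": m.group("src"), "host": host,
            "dst": dst, "severity": severity, "reason": reason}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run classify_line over every line of a log and collect the findings."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


def hosts_with_callbacks(findings: List[Dict[str, str]]) -> List[str]:
    """Internal source addresses with at least one high-severity finding."""
    return sorted({f["src"] for f in findings if f["severity"] == "high"})


def hash_matches_payload(data: bytes) -> Dict[str, bool]:
    """Compare a file's MD5/SHA1/SHA256 with the diary's payload hashes."""
    return {name: hashlib.new(name, data).hexdigest() == digest
            for name, digest in PAYLOAD_HASHES.items()}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['src']} -> {f['host']} ({f['dst']}) [{f['severity']}] {f['reason']}")
    print("likely infected hosts:", hosts_with_callbacks(results))
    print("hash check on dummy bytes:", hash_matches_payload(b"not the payload"))
```

Matching on both the Host header and the destination IP matters here: the diary shows one IP (198.1.106.126) serving two host names, and the Tor gateway callbacks run over port 443 where a proxy log may only record the CONNECT host. The ipinfo.io check is kept as a low-severity finding because it is common legitimate traffic; it only becomes interesting when it precedes a callback from the same source, which is the order the diary reports.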

Snort-based alerts on the traffic

I played back the pcap on Security Onion using Suricata with the EmergingThreats (ET) and ET Pro rule sets. The results show alerts for Angler EK and AlphaCrypt. The AlphaCrypt alerts triggered on callback traffic from TeslaCrypt 2.0.

Shown above: Got a captcha when trying one of the URLs.

Shown above: Final decrypt instructions with a bitcoin address for the ransom payment.

Final words

On the same cloned host with the same malware, we saw a different URL for the decrypt instructions each time. Every infection resulted in a different bitcoin address for the ransom payment, even though it was the same sample infecting the same cloned host.

We continue to see EKs used by this and other criminal groups to spread malware. Although we haven't seen as much CryptoWall this week, the situation could easily change in a few days' time.

Traffic and malware for this diary are listed below:

  • A zip archive of four pcap files with the infection traffic from Tuesday 2015-08-25 is available here. (4.14 MB)
  • A zip archive of the malware and other artifacts is available here. (957 KB)

The zip archive for the malware is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/
[2] http://www.malware-traffic-analysis.net/2015/04/03/index.html
[3] http://malware-traffic-analysis.net/2015/04/30/index.html
[4] http://www.malware-traffic-analysis.net/2015/05/07/index.html
[5] https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall/
[6] https://twitter.com/kafeine/status/620533186305609728
[7] http://www.malware-traffic-analysis.net/2015/07/20/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
