2015-11-10 - ANGLER EK SENDS TINBA BANKING TROJAN
ASSOCIATED FILES:
- ZIP archive of all three traffic runs: 2015-11-10-Angler-EK-traffic.zip 2.3 MB (2,283,765 bytes)
- ZIP archive of the malware: 2015-11-10-Angler-EK-artifacts-and-malware.zip 449.0 kB (449,009 bytes)
NOTES:
- I saw today's redirect traffic patterns last year on 2014-09-22 and 2014-10-02. Both of those led to Angler as well. (Angler EK looks a lot different now than it did last year.)
- I've been running IE 11 with Flash Player 19.0.0.207 in my Windows test environment for the past week or so, but that host didn't get infected during today's first run.
- I switched to Flash Player 18.0.0.209 for the second run, but that Windows host still didn't get infected.
- I finally changed to a Windows host running IE 10 and Flash Player 14.0.0.125 for the third run, and that one was successfully infected.
- The payload appears to be Tinba, which you can read about at: https://securityintelligence.com/tinba-worlds-smallest-malware-has-big-bag-of-nasty-tricks/.
Shown above: Script injected into a page from the compromised website.
TRAFFIC
ASSOCIATED DOMAINS:
- 192.254.190.212 port 80 - www.morningsidetennis.com.au - Compromised website
- 31.184.192.206 port 80 - ymest.ml - Redirect
- 188.120.236.107 port 80 - seriosuluibastervictoria.net - Angler EK (first and second runs)
- 191.96.66.50 port 80 - lite.phasmidinsect.top - Angler EK (third run)
- 5.2.189.251 port 80 - edjjbiyhoyyi.co.in - Post-infection traffic (Tinba)
- 208.100.26.234 port 80 - exgttkdilkfj.me - Post-infection traffic (Tinba)
- 82.165.37.127 port 80 - exgttkdilkfj.biz - Post-infection traffic (Tinba)
- 91.221.67.30 port 80 - dufeloolteuv.co.in - Post-infection traffic (Tinba)
FIRST RUN (NO INFECTION):
- 2015-11-10 15:17:18 UTC - www.morningsidetennis.com.au - GET /
- 2015-11-10 15:17:21 UTC - ymest.ml - GET /banner.php?sid=4547AAB183B2331C79B30BBC37867B2909B745FAF4F0622A01264A8E00B66EEC95DF012E3D2273E21E797BA6FA98
- 2015-11-10 15:17:22 UTC - ymest.ml - GET /forum.php?id=4547AAB183B2331C79B30BBC37867B2909B745FAF4F0622A01264A8E00B66EEC95DF012E3D2273E21E797BA6FA98
- 2015-11-10 15:17:23 UTC - seriosuluibastervictoria.net - GET /forums/index.php?PHPSESSID=cys3&action=o5oml94jpqohgos-t6tzob-l3el7g0-etn3hy6otqxp3vvsgy2abfh_6ozm9n687-6dvm93ca6gw72msv07uwh6y2_n6z97bd
- 2015-11-10 15:17:26 UTC - seriosuluibastervictoria.net - GET /suddenly.webbookmark?million=&view=pXm&each=hHxT15u&just=m7HC9xG&gas=DY5Y6Rw3o&actually=jT9_Y&ask=2IqALj&leg=&group=994wdi7&tooth=SYXw
- 2015-11-10 15:17:26 UTC - seriosuluibastervictoria.net - POST /forums/change.wrf?street=NaFDe5yu&contribute=&city=dGO3anWfw&sit=egoEedjcz&literature=&wife=rn6ccv&music=&tree=lmdR&time=dcQLPq_yq_RR
- 2015-11-10 15:17:26 UTC - seriosuluibastervictoria.net - GET /suddenly.webbookmark?million=&view=pXm&each=hHxT15u&just=m7HC9xG&gas=DY5Y6Rw3o&actually=jT9_Y&ask=2IqALj&leg=&group=994wdi7&tooth=SYXw
- 2015-11-10 15:17:30 UTC - seriosuluibastervictoria.net - POST /eye.muse?issue=gFd1O&similar=&fund=CfU_cuo6&specific=jk1kW1u4&thus=zjvLG65v&go=&fail=8TK&themselves=ywWvn1MIfvHYXxKx
SECOND RUN (NO INFECTION):
- 2015-11-10 15:23:50 UTC - www.morningsidetennis.com.au - GET /
- 2015-11-10 15:23:57 UTC - ymest.ml - GET /banner.php?sid=4547AAB183B2331C79B80BB836CD702909EE06F8E9EC652D0832508301A77FE795D81B73702E71A1516D72EBFB
- 2015-11-10 15:24:01 UTC - ymest.ml - GET /forum.php?id=4547AAB183B2331C79B80BB836CD702909EE06F8E9EC652D0832508301A77FE795D81B73702E71A1516D72EBFB
- 2015-11-10 15:24:01 UTC - seriosuluibastervictoria.net - GET /boards/viewforum.php?f=jkg1m&sid=emlz804623ukxe8lwsgk9x6ugbeyh3fndwgok7zkfvxo1zxfhvfiguc9sd5m9hehb-gv5gawol0ft8zp-7gjbzd9yntpv1k
- 2015-11-10 15:24:04 UTC - seriosuluibastervictoria.net - GET /attention.fcgi?member=&away=kc6lPrqe-&old=&army=_L9mbs&under=m9-p7KV1Pa&morning=hWZus2vn&when=0DTtiPc2_&foreign=e4d&stop=&defense=Zib
- 2015-11-10 15:24:04 UTC - seriosuluibastervictoria.net - POST /boards/win.php5?first=&contain=ptnVTh3D&region=EeVPpg4&indicate=AFWWJUvUkw&moment=kl7m5uAFjWtmcfkb9LPoydq
- 2015-11-10 15:24:05 UTC - seriosuluibastervictoria.net - GET /attention.fcgi?member=&away=kc6lPrqe-&old=&army=_L9mbs&under=m9-p7KV1Pa&morning=hWZus2vn&when=0DTtiPc2_&foreign=e4d&stop=&defense=Zib
- 2015-11-10 15:24:09 UTC - seriosuluibastervictoria.net - POST /set.stc?horse=F8dEiXXWJ9&farm=bo2Qie1&movement=Vxgz&finger=wdxV&point=cSGO8sRRoB&other=ftffR1&church=SCo&marriage=IeEv
THIRD RUN (INFECTION!):
- 2015-11-10 15:32:46 UTC - www.morningsidetennis.com.au - GET /
- 2015-11-10 15:32:56 UTC - ymest.ml - GET /video.php?sid=425AB2B199B724037AB059FA71C6293311B205FEF5E57F2A0B244D820ABD73FAD5D207303D2069F30128
- 2015-11-10 15:32:58 UTC - ymest.ml - GET /page.php?id=425AB2B199B724037AB059FA71C6293311B205FEF5E57F2A0B244D820ABD73FAD5D207303D2069F30128
- 2015-11-10 15:32:59 UTC - lite.phasmidinsect.top - GET /civis/viewforum.php?f=29i5&sid=27t1160e971rjwr0.
- 2015-11-10 15:33:01 UTC - lite.phasmidinsect.top - GET /medical.srf?stock=6VYO&opinion=cJBdpA&easy=&plant=vXQxZ&stage=XWuiQJV7z&state=nD8X9_J&central=PRDD3fs&instance=X5HuBq&the=vbZL
- 2015-11-10 15:33:12 UTC - lite.phasmidinsect.top - GET /research.dbm?there=&describe=jsn2&bed=8E9tb&great=HjYiZdV_cv--KeO0lzSDdvhfyNQFzYmR6OdIB-X
- 2015-11-10 15:33:18 UTC - lite.phasmidinsect.top - GET /law.ascx?scene=&order=Pse236Im&decide=PZjo8oEz&before=&finger=wy3BXJuQ&charge=&wide=ctNMkJxJr&young=&interact=vsTzsZXDAu278nE
- 2015-11-10 15:33:18 UTC - DNS query for j382ye74gduey6gy.cc [response: No such name]
- 2015-11-10 15:33:18 UTC - DNS query for edjjbiyhoyyi.me [response: 192.42.116.41]
- 2015-11-10 15:33:20 UTC - DNS query for edjjbiyhoyyi.me.uk [response: No such name]
- 2015-11-10 15:33:20 UTC - DNS query for edjjbiyhoyyi.biz [response: (nothing)]
- 2015-11-10 15:33:22 UTC - edjjbiyhoyyi.co.in - POST /jdhe7301he73yhd7i/ HTTP/1.0
- 2015-11-10 15:33:23 UTC - exgttkdilkfj.me - POST /jdhe7301he73yhd7i/ HTTP/1.0
- 2015-11-10 15:33:23 UTC - DNS query for exgttkdilkfj.me.uk [response: No such name]
- 2015-11-10 15:33:25 UTC - exgttkdilkfj.biz - POST /jdhe7301he73yhd7i/ HTTP/1.0
- 2015-11-10 15:33:25 UTC - DNS query for exgttkdilkfj.co.in [response: (nothing)]
- 2015-11-10 15:33:25 UTC - DNS query for rninnvvfsbok.me [response: (nothing)]
- 2015-11-10 15:33:27 UTC - DNS query for rninnvvfsbok.me.uk [response: (nothing)]
- 2015-11-10 15:33:28 UTC - DNS query for rninnvvfsbok.biz [response: (nothing)]
- 2015-11-10 15:33:28 UTC - DNS query for rninnvvfsbok.co.in [response: (nothing)]
- 2015-11-10 15:33:28 UTC - DNS query for dufeloolteuv.me [response: (nothing)]
- 2015-11-10 15:33:31 UTC - DNS query for dufeloolteuv.me.uk [response: (nothing)]
- 2015-11-10 15:33:31 UTC - DNS query for dufeloolteuv.biz [response: (nothing)]
- 2015-11-10 15:33:32 UTC - dufeloolteuv.co.in - POST /jdhe7301he73yhd7i/ HTTP/1.0
- 2015-11-10 15:33:33 UTC - dufeloolteuv.co.in - POST /jdhe7301he73yhd7i/ HTTP/1.0
- 2015-11-10 15:38:34 UTC - dufeloolteuv.co.in - POST /jdhe7301he73yhd7i/ HTTP/1.0
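The post-infection DNS activity in the third run shows the same random-looking label being tried under .me, .me.uk, .biz and .co.in within a few seconds before the bot settles on a host that answers, and that suffix cycling is a pattern worth hunting for in DNS logs independent of any specific domain. The following is an added example, not code from this post or from any tool it names: it parses entries in this page's listing format (constructed sample lines, including one benign control entry) and flags labels queried across several suffixes inside a short window. The two-part suffix set is an assumption that stands in for a real public-suffix list.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (not from the pcap), laid out like this page's traffic listing;
# the last one is a benign control entry with a documentation-range address.
SAMPLE_LOG = """\
2015-11-10 15:33:18 UTC - DNS query for edjjbiyhoyyi.me [response: 192.42.116.41]
2015-11-10 15:33:20 UTC - DNS query for edjjbiyhoyyi.me.uk [response: No such name]
2015-11-10 15:33:20 UTC - DNS query for edjjbiyhoyyi.biz [response: (nothing)]
2015-11-10 15:33:25 UTC - DNS query for rninnvvfsbok.me [response: (nothing)]
2015-11-10 15:33:27 UTC - DNS query for rninnvvfsbok.me.uk [response: (nothing)]
2015-11-10 15:33:28 UTC - DNS query for rninnvvfsbok.biz [response: (nothing)]
2015-11-10 15:33:28 UTC - DNS query for rninnvvfsbok.co.in [response: (nothing)]
2015-11-10 15:40:00 UTC - DNS query for www.example.com [response: 203.0.113.5]
"""
LINE_RE = re.compile(r"^(\S+ \S+) UTC - DNS query for (\S+) \[response: (.*)\]$")
TWO_PART_SUFFIXES = {"me.uk", "co.in"}  # assumption: tiny stand-in for a public-suffix list

def split_domain(name):
    # Return (registrable label, public suffix): edjjbiyhoyyi.me.uk -> ("edjjbiyhoyyi", "me.uk")
    parts = name.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    label, suffix = split_domain(m.group(2))
    resolved = m.group(3)[:1].isdigit()  # an address came back; NXDOMAIN or empty otherwise
    return ts, label, suffix, resolved

def find_tld_cycling(lines, min_tlds=3, window_seconds=60):
    # Flag any label queried under min_tlds or more suffixes within one window_seconds span.
    by_label = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_label[rec[1]].append(rec)
    hits = {}
    for label, recs in by_label.items():
        recs.sort(key=lambda r: r[0])
        suffixes = {r[2] for r in recs}
        span = (recs[-1][0] - recs[0][0]).total_seconds()
        if len(suffixes) >= min_tlds and span <= window_seconds:
            hits[label] = {"suffixes": sorted(suffixes), "resolved": sum(r[3] for r in recs), "span_s": span}
    return hits
```

A label that did get an answer is still reported, which matters here: the one address returned for edjjbiyhoyyi.me (192.42.116.41) is the sinkhole that the ET "Known Sinkhole Response Header" signature fires on, so a successful lookup is not a clean bill of health.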
SNORT EVENTS
Significant signature hits after using tcpreplay on Security Onion with the Emerging Threats and ETPRO rulesets (without ET POLICY or ET INFO events):
- 192.254.190.212 port 80 - ET TROJAN Possible EITest Flash Redirect (sid:2019610)
- 31.184.192.206 port 80 - ET CURRENT_EVENTS SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename (sid:2021752)
- 191.96.66.50 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015 M2 (sid:2814691)
- 191.96.66.50 port 80 - ETPRO CURRENT_EVENTS Angler EK Landing June 16 2015 M5 (sid:2811641)
- 191.96.66.50 port 80 - ETPRO CURRENT_EVENTS Possible Angler EK Landing URI Struct Jul 29 M1 T2 (sid:2812225)
- 191.96.66.50 port 80 - ETPRO CURRENT_EVENTS Possible Angler EK Flash Exploit June 16 2015 M1 (sid:2811526)
- 191.96.66.50 port 80 - ETPRO CURRENT_EVENTS Angler or Nuclear EK Flash Exploit (IE) Jun 16 M1 T2 (sid:2811829)
- 191.96.66.50 port 80 - ETPRO CURRENT_EVENTS Angler or Nuclear EK Flash Exploit M2 (sid:2811284)
- 191.96.66.50 port 80 - ETPRO CURRENT_EVENTS Angler EK Flash Exploit (IE) Jun 16 M1 T3 (sid:2811882)
- 191.96.66.50 port 80 - ETPRO CURRENT_EVENTS Possible Angler EK Payload June 16 2015 M2 (sid:2811529)
- 191.96.66.50 port 80 - ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (1) (sid:2021970)
- 191.96.66.50 port 80 - ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (2) (sid:2021971)
- 192.42.116.41 port 80 - ET TROJAN Known Sinkhole Response Header (sid:2016803)
- 5.2.189.251 port 80 - ET TROJAN Tinba Checkin 2 (sid:2020418)
- 208.100.26.234 port 80 - ET TROJAN Tinba Checkin 2 (sid:2020418)
- 82.165.37.127 port 80 - ET TROJAN Tinba Checkin 2 (sid:2020418)
- 91.221.67.30 port 80 - ET TROJAN Tinba Checkin 2 (sid:2020418)
Significant signature hits from the Talos (Sourcefire VRT) registered ruleset using Snort 2.9.7.6 on Debian 7:
- 192.254.190.212 port 80 - [1:35180:1] POLICY-OTHER Remote non-JavaScript file found in script tag src attribute
- 192.254.190.212 port 80 - [1:32481:1] POLICY-OTHER Remote non-JavaScript file found in script tag src attribute
- [DNS server] port 53 - [1:28190:3] INDICATOR-COMPROMISE Suspicious .cc dns query
- 192.42.116.41 port 80 - [1:30320:2] BLACKLIST Connection to malware sinkhole
PRELIMINARY MALWARE ANALYSIS
ANGLER EK FLASH EXPLOIT - FIRST RUN:
File name: 2015-11-10-Angler-EK-flash-exploit-first-run.swf
File size: 75.8 KB (77,623 bytes)
MD5 hash: 7125e72ea05e8aa746e2545c90c772c4
SHA1 hash: a5e1590ff29b93de99c21dd8dfd63f0e1e3bf587
SHA256 hash: ceaf7e0069ee705ea47b93c52540f63e0635b33daa576a81be09b1ffb8382d6b
Detection ratio: 1 / 53
First submission: 2015-11-10 17:21:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/ceaf7e0069ee705ea47b93c52540f63e0635b33daa576a81be09b1ffb8382d6b/analysis/
ANGLER EK FLASH EXPLOIT - SECOND RUN:
File name: 2015-11-10-Angler-EK-flash-exploit-second-run.swf
File size: 82.9 KB (84,898 bytes)
MD5 hash: 498e9abeea83d77506c3f50dc786052f
SHA1 hash: 4c7fbf8b2325e17346bbc91452ed25d7fa151f5e
SHA256 hash: cacff0ac8cfc0cd58fe6c3377c21d473e61ab7ca9c1e8ca0ba04d9ef3dd79909
Detection ratio: 1 / 53
First submission: 2015-11-10 17:22:05 UTC
VirusTotal link: https://www.virustotal.com/en/file/cacff0ac8cfc0cd58fe6c3377c21d473e61ab7ca9c1e8ca0ba04d9ef3dd79909/analysis/
ANGLER EK FLASH EXPLOIT - THIRD RUN:
File name: 2015-11-10-Angler-EK-flash-exploit-third-run.swf
File size: 51.7 KB (52,894 bytes)
MD5 hash: 351eb1c661b0951f828927d1c1ff31af
SHA1 hash: aff180029e9c8a53b42cd3354e8bd6d7ff693e5c
SHA256 hash: 1d922897ebaae30b0626a87cb22ac3d6d175d7382383818d5c6f86e94cc6764f
Detection ratio: 2 / 53
First submission: 2015-11-10 17:22:17 UTC
VirusTotal link: https://www.virustotal.com/en/file/1d922897ebaae30b0626a87cb22ac3d6d175d7382383818d5c6f86e94cc6764f/analysis/
ANGLER EK MALWARE PAYLOAD (THIRD RUN) - TINBA:
File name: 2015-11-10-Angler-EK-malware-payload.exe
File name: C:\Users\[username]\AppData\Roaming\719F37CB\bin.exe
File size: 120.0 KB (122,880 bytes)
MD5 hash: 7d3629066390751e9824026a058626d4
SHA1 hash: 3a0b4b3032e59683e89df1945561d51898416ec8
SHA256 hash: 8150215095481c9ec360ea832243e12eda0257b3a005d7170efb799571ad8fca
Detection ratio: 2 / 52
First submission: 2015-11-10 17:22:29 UTC
VirusTotal link: https://www.virustotal.com/en/file/8150215095481c9ec360ea832243e12eda0257b3a005d7170efb799571ad8fca/analysis/
Malwr link: https://malwr.com/analysis/ZWQwNzE0ZDg0ZThkNDdkY2I5OGNjNjAxODIzOGUxNDY/
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of all three traffic runs: 2015-11-10-Angler-EK-traffic.zip 2.3 MB (2,283,765 bytes)
- ZIP archive of the malware: 2015-11-10-Angler-EK-artifacts-and-malware.zip 449.0 kB (449,009 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.