2016-04-04 - ANGLER EK FROM 198.16.89[.]55 SENDS BEDEP
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-04-04-Angler-EK-sends-Bedep.pcap.zip 784.6 kB (784,624 bytes)
- 2016-04-04-Angler-EK-and-Bedep-files.zip 436.4 kB (436,397 bytes)
NOTES:
- Threatglass had an entry for this compromised site yesterday, and the pcap from that entry shows Rig EK.
- Today, going to the compromised site generated Angler EK.
- Lately, a lot of the Angler EK infections I've seen have generated Bedep traffic.
TRAFFIC:
- Screenshot caption: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- womenshoesweb[.]net - GET /jss/ - First unusual URL generated by compromised site
- womenshoesweb[.]net - GET /ya/rK2M8tX6EgLqbFVyTc_NZA/1459797806 - Returned 302 redirect to Angler EK landing page
- 198.16.89[.]55 port 80 - ossenmarktenunwissentlich.mercerstreet[.]london - Angler EK
- www.ecb.europa[.]eu - GET /stats/eurofxref/eurofxref-hist-90d.xml - Bedep connectivity check
- 82.141.230[.]141 port 80 - mhdvcwwgditvkq0k[.]com - POST /forum.php - Bedep post-infection
- 95.211.205[.]228 port 80 - tdngsjjipnhdczrl[.]com - POST /include/blog_functions_search.php - Bedep post-infection
- 95.211.205[.]228 port 80 - tdngsjjipnhdczrl[.]com - POST /calendar.php - Bedep post-infection
- 95.211.205[.]228 port 80 - tdngsjjipnhdczrl[.]com - POST /list.php - Bedep post-infection
- 95.211.205[.]228 port 80 - tdngsjjipnhdczrl[.]com - POST /register.php - Bedep post-infection
- 95.211.205[.]228 port 80 - tdngsjjipnhdczrl[.]com - POST /css.php - Bedep post-infection
- 85.25.41[.]95 port 80 - jjiwoow.mjobrkn3[.]eu - GET /ads.php?sid=1901 - Click-fraud traffic begins
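As an added example (not part of the original page), a detection pass over constructed proxy log lines built from the indicators above: it treats the GET for the ECB exchange-rate XML as the Bedep connectivity check and only alerts when, within a short window, the same client POSTs to several distinct .php paths on hosts outside an allowlist. The log format, WINDOW_SECONDS, MIN_DISTINCT_POSTS and the KNOWN_HOSTS allowlist are assumptions.

```python
from datetime import datetime
from collections import defaultdict

# Constructed proxy log: "timestamp client method host path status".
# Hosts and paths come from the indicators listed on this page; the last
# three lines are benign noise added so the detector has something to ignore.
SAMPLE_LOG = """\
2016-04-04T14:03:21 10.0.0.7 GET womenshoesweb.net /jss/ 200
2016-04-04T14:03:40 10.0.0.7 GET www.ecb.europa.eu /stats/eurofxref/eurofxref-hist-90d.xml 200
2016-04-04T14:03:45 10.0.0.7 POST mhdvcwwgditvkq0k.com /forum.php 200
2016-04-04T14:03:52 10.0.0.7 POST tdngsjjipnhdczrl.com /include/blog_functions_search.php 200
2016-04-04T14:04:01 10.0.0.7 POST tdngsjjipnhdczrl.com /calendar.php 200
2016-04-04T14:04:10 10.0.0.7 POST tdngsjjipnhdczrl.com /list.php 200
2016-04-04T15:10:00 10.0.0.9 GET www.ecb.europa.eu /stats/eurofxref/eurofxref-hist-90d.xml 200
2016-04-04T15:10:30 10.0.0.9 POST intranet.example /api/save.php 200
2016-04-04T16:00:00 10.0.0.11 POST forum.example /forum.php 200
"""

ECB_CHECK = ("www.ecb.europa.eu", "/stats/eurofxref/eurofxref-hist-90d.xml")
WINDOW_SECONDS = 300      # assumed: how long after the ECB fetch to keep watching
MIN_DISTINCT_POSTS = 3    # assumed: Bedep POSTs to several different .php paths
KNOWN_HOSTS = {"intranet.example"}  # hypothetical allowlist of internal web apps

def parse(log_text):
    """Yield (time, client, method, host, path) from the constructed format."""
    for line in log_text.splitlines():
        ts, client, method, host, path, _status = line.split()
        yield datetime.fromisoformat(ts), client, method, host, path

def find_bedep_like(log_text):
    """Return {client: [(host, path), ...]} for clients that fetch the ECB
    exchange-rate XML and then POST to at least MIN_DISTINCT_POSTS distinct
    .php paths on non-allowlisted hosts within WINDOW_SECONDS.  The ECB fetch
    on its own is ordinary traffic, so it only anchors the window."""
    events = defaultdict(list)
    for ev in parse(log_text):
        events[ev[1]].append(ev)
    hits = {}
    for client, evs in events.items():
        evs.sort()
        anchors = [t for t, _, m, h, p in evs if m == "GET" and (h, p) == ECB_CHECK]
        for anchor in anchors:
            posts = {
                (h, p) for t, _, m, h, p in evs
                if m == "POST" and p.endswith(".php") and h not in KNOWN_HOSTS
                and 0 <= (t - anchor).total_seconds() <= WINDOW_SECONDS
            }
            if len(posts) >= MIN_DISTINCT_POSTS:
                hits[client] = sorted(posts)
    return hits

if __name__ == "__main__":
    for client, posts in find_bedep_like(SAMPLE_LOG).items():
        print(client, "->", ", ".join(h + p for h, p in posts))
```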