2016-04-20 - PSEUDO-DARKLEECH ANGLER EK SENDS BEDEP AND CRYPTXXX

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-04-20-pseudo-Darkleech-Angler-EK-pcaps.zip   7.9 MB (7,922,910 bytes)

2016-04-19-psuedo-Darkleech-Angler-EK-traffic.pcap   (4,737,274 bytes)

2016-04-20-pseudo-Darkleech-Angler-EK-traffic-first-run.pcap   (184,838 bytes)

2016-04-20-pseudo-Darkleech-Angler-EK-traffic-second-run.pcap   (3,683,146 bytes)

• ZIP archive of the malware and artifacts:  2016-04-20-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip   1.4 MB (1,387,338 bytes)

2016-04-19-page-from-amitandroy.com-with-injected-pseudo-Darkleech-script.txt   (95,258 bytes)

2016-04-19-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (40,379 bytes)

2016-04-19-pseudo-Darkleech-Angler-EK-landing-page.txt   (176,068 bytes)

2016-04-20-page-from-amitandroy.com-with-injected-pseudo-Darkleech-script-first-run.txt   (95,092 bytes)

2016-04-20-page-from-amitandroy.com-with-injected-pseudo-Darkleech-script-second-run.txt   (94,862 bytes)

2016-04-20-pseudo-Darkleech-Angler-EK-flash-exploit.swf   (66,569 bytes)

2016-04-20-pseudo-Darkleech-Angler-EK-landing-page-first-run.txt   (73,356 bytes)

2016-04-20-pseudo-Darkleech-Angler-EK-landing-page-second-run.txt   (73,376 bytes)

api-ms-win-system-localui-l1-1-0.dll   (270,336 bytes) - CryptXXX ransomware from 2016-04-20

api-ms-win-system-neth-l1-1-0.dll   (266,240 bytes) - CryptXXX ransomware from 2016-04-19

de_crypt_readme.bmp   (232,6734 bytes) - CryptXXX decrypt instructions

de_crypt_readme.html   (3,315 bytes) - CryptXXX decrypt instructions

de_crypt_readme.txt   (1,638 bytes) - CryptXXX decrypt instructions

mpr.dll   (344,064 bytes) - Click-fraud malware from 2016-04-20

shsetup.dll   (343,040 bytes) - Click-fraud clickfraud malware from 2016-04-19

 

NOTES:

• I first saw Bedep/CryptXXX from the pseudo-Darkleech campaign on Monday 2016-04-18, but I didn't realize what the ransomware was.
• Earlier this week, Proofpoint posted a blog about CryptXXX ransomware and how Angler EK and Bedep are being used to spread it (link).
• This is pretty important, since I've seen a lot of Angler EK from the pseudo-Darkleech campaign (the actors behind Reveton, according to Proofpoint).
• I'm guessing we'll see a lot more CryptXXX, now that pseudo-Darkleech Angler EK is pushing Bedep/CryptXXX instead of TeslaCrypt.
• Background on the pseudo-Darkleech campaign can be found here.

 

TRAFFIC

Shown above:  Pcap of the 2016-04-19 traffic filtered in Wireshark.

 

Shown above:  Pcap of the 2016-04-20 traffic filtered in Wireshark -- First run.

 

Shown above:  Pcap of the 2016-04-20 traffic filtered in Wireshark -- Second run.

 

ASSOCIATED DOMAINS:

• 95.215.108.99 port 80 - kendevilbitchs-padhouvermo.addictionmeditation.com - Angler EK on 2016-04-19
• 209.126.123.86 port 80 - hiyosihcreation.thelatinshot.com - Angler EK on 2016-04-20 (first run)
• 184.75.254.43 port 80 - kneveltjspilsugtige.lookuprx.com - Angler EK on 2016-04-20 (second run)

• 104.193.252.241 port 80 - lwvcdohevypyxyja.com - Bedep post-infection on 2016-04-19
• 104.193.252.241 port 80 - qrwzoxcjatynejejsz.com - Bedep post-infection on 2016-04-20
• 162.244.32.123 port 80 - eiwtljjjzxiy7k.com - more Bedep post-infection on 2016-04-19

• 146.0.42.68 port 443 - CryptXXX callback traffic on 2016-04-19
• 217.23.6.40 port 443 - CryptXXX callback traffic on 2016-04-20

• 5.199.141.203 port 80 - ranetardinghap.com - Post-infection click-fraud (both days)
• 93.190.141.27 port 80 - cetinhechinhis.com - Post-infection click-fraud (both days)
• 95.211.205.218 port 80 - tedgeroatref.com - Post-infection click-fraud (both days)
• 162.244.34.11 port 80 - tonthishessici.com - Post-infection click-fraud (both days)
• 104.193.252.236 port 80 - rerobloketbo.com - Post-infection click-fraud (both days)
• 207.182.148.92 port 80 - allofuslikesforums.com - Post-infection click-fraud (both days)

 

IMAGES

Shown above:  An example of the CryptXXX post-infection traffic on 2016-04-20.

 

Shown above:  Desktop of the infected host after the Angler EK/Bedep/CryptXXX infection on 2016-04-20.

 

Shown above:  Although the CryptXXX ransomwware deletes itself, the click-fraud malware stays resident on the system.
This is the click-fraud malware from 2016-04-19 and some associated registry entries.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-04-20-pseudo-Darkleech-Angler-EK-pcaps.zip   7.9 MB (7,922,910 bytes)
• ZIP archive of the malware and artifacts:  2016-04-20-pseudo-Darkleech-Angler-EK-malware-and-artifacts.zip   1.4 MB (1,387,338 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.