Angler Exploit Kit to TeslaCrypt

Posted By on February 18, 2016

There’s an excellent write up by Brad Duncan in the Internet Storm Center’s Handler Diaries on analyzing a compromise that used the Angler Exploit Kit to deliver TeslaCrypt.

From the article:

On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events.

The chain started with a compromised website that generated an admedia gate.

The gate led to Angler EK.

Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.

·         178.62.122.211 – img.belayamorda.info – admedia gate
·         185.46.11.113 – ssd.summerspellman.com – Angler EK
·         192.185.39.64 – clothdiapersexpert.com – TeslaCrypt callback traffic

 Full write up is here.
Some of the obfuscation may seem daunting, but there’s a wealth of information on techniques to deobfuscate Javascript and other code. A lot of that information is in the Handlers Diaries itself. Here’s some other write ups from the ISC:
1. Decoding Javascript
2. Deobfuscating VB Script
3. Advanced Obfuscated Javascript Analysis
4. Javascript Traps For Analysts
5. Mixed (VBScript and JavaScript) Obfuscation
6. Browser *does* matter, not only for vulnerabilities – a story on JavaScript deobfuscation
7. V8 as an Alternative to SpiderMonkey for JavaScript Deobfuscation
8. Decoding Common XOR Obfuscation in Malicious Code
9. Javascript decoding round-up
And from other sites:
1. JavaScript Obfuscation – Manual Armor – Malware at Stake
2. Javascript Deobfuscation Tools (Part 1) – Kahu Security
3. Javascript Deobfucation Tools (Part 2) – Kahu Security

Source: http://jeffsoh.blogspot.com

Leave a Reply