Angler exploit kit pushes new variant of ransomware, (Tue, May 12th)


The Angler exploit kit (EK) is being used to push a new variant of TeslaCrypt/AlphaCrypt ransomware. Ive been documenting cases of Angler EK pushing AlphaCrypt in recent weeks [1][2][3]. Last week on 2015-05-07, I started seeing a new variant [4]. ” />

As seen below, this variant doesn” />

The same malware sample used a different bitcoin address for each host it infected.

Traffic Characteristics of this New Ransomware Variant

The traffic appears identical to what weve seen with previous infectionsfromTeslaCrypt and AlphaCrypt. A few hours ago” />
Shown above: ” />
Shown above: HTTP traffic from the infection. Click on the image to see it full-size.

A sample of the ransomware can be found at:

I infected 4 different hosts with Angler EK in a 5-hour timeframeand receivedthe same ransomware. It was the same file with the same hash each time. However, the bitcoin address for the ransom payment was different for each infected host.Shown below are decrypt pages from” />

Here are the bitcoin addresses fromthese infected hosts:

  • 14ctiiDNPLNh2YqmHFaPexAasi6vL5cqKX
  • 1K23HDxnozzdfnzgmLeGGUkwyqpPmucnQS
  • 1KcYaNQFsSm5hPX36Y855jsjceazoB3MXZ
  • 1QJmYhyBWrjCDqvYmk6hh4drpX7NN7TVxq

Pcap files of the infection traffic (Angler EK and the post-infection) are available at:

Final Words

From what I can tell, TeslaCrypt and AlphaCrypt are very similar to CryptoLocker. This new, unnamed variant appears to be another evolution from this family of ransomware.

Ive been seeing a lot of Angler EK lately. In recent weeks, more often than not, its been pushing this new ransomware.

Brad Duncan, Security Researcher at Rackspace
Blog: – Twitter: @malware_traffic



(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.