Angler exploit kit pushing CryptoWall 3.0 (Thu, May 28th)

Introduction

In the past two days, I've infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24. Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB

On Tuesday, 2015-05-26 at 15:17 UTC, I infected a host where Angler EK sent Bedep as a malware payload before getting CryptoWall 3.0 [1]. On Wednesday, 2015-05-27 at 17:30 UTC, I infected a host where Angler EK sent CryptoWall 3.0 as the malware payload.

I usually see Angler EK send different types of ransomware [2, 3]; however, this is the first time I

Shown above: CryptoWall 3.0 decrypt instructions from the 2015-05-27 sample

Traffic from the infected host

CryptoWall 3.0 traffic has changed a bit from my first diary about it on 2015-01-19 [4].

Shown above: Angler EK and CryptoWall 3.0 traffic as seen in Wireshark
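For readers who want to sweep their own connection logs for the 216.245.213.0/24 range named in this diary, here is a small added example (my own illustration, not code from the diary or from any tool shown in the capture). It assumes a simple whitespace-separated log format ("timestamp src_ip dst_ip dst_port host_header") and uses a constructed sample log; the hostnames and internal addresses in it are made up and the `.invalid` names are placeholders, not the Angler EK domains from this diary.

```python
import ipaddress
from typing import List, Optional, Tuple

# CIDR block reported in the diary as hosting the Angler EK domains.
ANGLER_EK_RANGE = ipaddress.ip_network("216.245.213.0/24")

# Constructed sample connection log (not from the diary's capture).
# Format assumed here: "timestamp src_ip dst_ip dst_port host_header".
SAMPLE_LOG = """\
2015-05-27T17:30:02Z 192.168.1.50 216.245.213.20 80 example-landing.invalid
2015-05-27T17:30:05Z 192.168.1.50 93.184.216.34 443 www.example.com
2015-05-27T17:30:09Z 192.168.1.50 216.245.213.77 80 another-gate.invalid
2015-05-27T17:31:00Z 192.168.1.51 10.0.0.5 445 -
2015-05-27T17:31:13Z 192.168.1.50 not-an-ip 80 -
"""

Record = Tuple[str, str, ipaddress.IPv4Address, int, str]


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, host = parts
    try:
        dst_ip = ipaddress.ip_address(dst)
        port_num = int(port)
    except ValueError:
        # Unparseable destination or port: skip rather than abort the sweep.
        return None
    return ts, src, dst_ip, port_num, host


def find_hits(log_text: str, network=ANGLER_EK_RANGE) -> List[Tuple[str, str, str, int, str]]:
    """Return every connection whose destination falls inside the given CIDR block."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst_ip, port, host = rec
        if dst_ip in network:
            hits.append((ts, src, str(dst_ip), port, host))
    return hits


def hosts_to_triage(log_text: str, network=ANGLER_EK_RANGE) -> List[str]:
    """Distinct internal hosts that contacted the range; these are the ones to image and check."""
    return sorted({hit[1] for hit in find_hits(log_text, network)})


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
    print("hosts to triage:", hosts_to_triage(SAMPLE_LOG))
```

A destination in the range is a lead, not proof of infection; the diary's point is that the same range delivered different payloads on consecutive days, so any host that reached it should be checked for the CryptoWall decrypt-instruction files and follow-on traffic before it is cleared.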

Associated domains:
