Angler exploit kit pushing CryptoWall 3.0, (Thu, May 28th)


In the past two days, I've infected two hosts from Angler exploit kit (EK) domains at Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB

On Tuesday, 2015-05-26 at 15:17 UTC, I infected a host where Angler EK sent Bedep as a malware payload before getting CryptoWall 3.0 [1]. On Wednesday, 2015-05-27 at 17:30 UTC, I infected a host where Angler EK sent CryptoWall 3.0 as the malware payload.

I usually see Angler EK send different types of ransomware [2, 3]; however, this is the first time I
Shown above: CryptoWall 3.0 decrypt instructions from the 2015-05-27 sample

Traffic from the infected host

CryptoWall 3.0 traffic has changed a bit from my first diary about it on 2015-01-19 [4].
Shown above: Angler EK and CryptoWall 3.0 traffic as seen in Wireshark

Associated domains: