Angler EK Pushing TeslaCrypt

In recent weeks, we have witnessed a very large rise in TeslaCrypt infection attempts. TeslaCrypt is a relatively new ransomware, first reported at the beginning of 2015.

Although it is not the most sophisticated malware, it is continuously maintained and updated by its authors, and still manages to spread through various infection vectors.

In the past week, there has been a nine-fold increase in infections, as reported by Symantec. Most of the infections in this current campaign are delivered by spam.


On December 16th, Check Point researchers identified a large increase in TeslaCrypt infection attempts via Angler Exploit Kit.

Angler Exploit Kit (EK) is a web-based exploitation tool, used by cyber criminals to infect machines with malware through malicious links and redirects. In its attempts to spread malware, it tries to exploit vulnerabilities in common software like Internet Explorer and Adobe Flash. Angler is by far the most widespread, and probably the most advanced, Exploit Kit in the wild today.

We believe that the recent Angler activity is part of the same TeslaCrypt campaign that started with spam, and will be followed by more exploit kits serving this ransomware.

What follows is a short technical report describing the behavior and flow of these attacks.

We have seen two distinct infection chains with an interesting relationship.


First infection chain:


Pre infection: Compromised Site -> A gate hosted on another compromised site -> Angler EK Domain


Post infection: IP check -> TeslaCrypt C2




The numbered packets in the above flow can be interpreted as follows:

  1. Initial compromised site.
  2. A gate hosted on another compromised site.
  3. Angler landing page.
  4. Encrypted binary.
  5. Post infection traffic.


The initial redirection simply requests a script from the gate.


This returns a script that dynamically adds an iframe to the page leading to the Angler landing page.


Next, an encrypted binary is downloaded.

Sample MD5 after decryption: 02ACDE827FF66AA81B5F3E4EB8D9B072

We noticed that the gate was also a compromised site, and wondered what would happen if we browsed to its main page.

We saw an almost identical infection chain that leads to a TeslaCrypt infection.


Second infection chain:


Pre infection: Initial Compromised Domain -> A gate hosted on another Compromised site -> Angler Domain


Post infection: IP check -> TeslaCrypt C2



Infection flow:



  1. Initial compromised site; this site makes multiple requests for the gate script (shown in the next image).
  2. Two redirects to the same gate. Usually only one request would actually get a response with the iframe, but here we see that two were answered.
  3. A third request was answered with a response containing only a ‘\n’ character.
  4. Angler EK landing page.
  5. Encrypted binary.
  6. Post infection traffic.


Note that the gate will (usually) redirect any IP address only once.

If a second request is sent from the same IP address, it will send an empty response.



The initial redirection to the gate:


Note: There are two redirections in the image, with the second one at the bottom of the page.

The script received from the gate:


Once again, the malware downloads as an encrypted binary, and after decryption it has the exact same MD5 as the first sample.

As there were two responses from the gate in this particular instance, two redirections were made to the Angler landing page. As Angler EK also serves only once per IP address, the second request came back empty.
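As an added illustration (not from the Check Point post), the following Python reconstructs the chain described above from constructed proxy-log records: a script fetched from a third-party gate, an iframe request to a further host that still carries the compromised page as referer, and a binary download from that landing host, plus the newline-only gate replies that mark an IP address the gate has already served. The hostnames, the log layout and the referer assumption are mine, not the post's.

```python
from collections import defaultdict

# Constructed proxy-log records, one per request (not real traffic):
# (client_ip, host, path, referer_host, status, response_bytes, content_type).
# Hostnames are placeholders; the post does not name the real sites.
LOG = [
    ("10.0.0.5", "compromised.example", "/", "", 200, 18234, "text/html"),
    ("10.0.0.5", "gate.example", "/gate.js", "compromised.example", 200, 512, "text/javascript"),
    ("10.0.0.5", "gate.example", "/gate.js", "compromised.example", 200, 1, "text/plain"),  # "\n" only
    ("10.0.0.5", "angler-landing.example", "/land", "compromised.example", 200, 40000, "text/html"),
    ("10.0.0.5", "angler-landing.example", "/payload", "angler-landing.example", 200, 230000, "application/octet-stream"),
    ("10.0.0.5", "ipcheck.example", "/", "", 200, 20, "text/plain"),
    ("10.0.0.7", "gate.example", "/gate.js", "other.example", 200, 1, "text/plain"),  # already served
]


def find_angler_chains(log):
    """Return one record per client showing: compromised page -> script from a
    third-party gate -> HTML from a further host with the compromised page as
    referer (the injected iframe) -> binary download from that landing host.
    Assumption: the dynamically added iframe sends the compromised page as referer."""
    by_client = defaultdict(list)
    for rec in log:
        by_client[rec[0]].append(rec)
    chains = []
    for client, recs in by_client.items():
        # (origin page host, gate host) pairs: script pulled from another domain
        gates = {(r[3], r[1]) for r in recs
                 if r[6] == "text/javascript" and r[3] and r[3] != r[1]}
        for origin, gate in gates:
            landings = [r[1] for r in recs
                        if r[6] == "text/html" and r[3] == origin
                        and r[1] not in (origin, gate)]
            for landing in landings:
                binaries = [r for r in recs if r[1] == landing
                            and r[6] == "application/octet-stream"]
                if binaries:
                    chains.append({"client": client, "compromised": origin,
                                   "gate": gate, "landing": landing,
                                   "payload_bytes": binaries[0][5]})
    return chains


def empty_gate_replies(log, gate_host):
    """Count, per client, gate responses of at most one byte (the '\\n'-only
    reply the gate returns once it has already redirected that IP address)."""
    counts = defaultdict(int)
    for rec in log:
        if rec[1] == gate_host and rec[5] <= 1:
            counts[rec[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for chain in find_angler_chains(LOG):
        print("possible Angler chain:", chain)
    print("newline-only gate replies:", empty_gate_replies(LOG, "gate.example"))
```

Clients with a newline-only gate reply but no full chain (like 10.0.0.7 above) are worth a look as well, since they were very likely redirected on an earlier visit.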



Check Point Threat Prevention blades provide protection against all stages of the infection chain.

Please note that TeslaCrypt stores its encryption keys in the registry until it can send them to its C2 servers. Thus, even if you were infected, the Check Point Anti-Bot Blade blocks the ransomware from connecting to its servers, keeping the decryption key intact in your local registry. With former TeslaCrypt versions, files could be decrypted using a tool developed by Cisco researchers, which will hopefully be adapted to the newest version as well.


The image above shows where the key is located in the registry.




VirusTotal link for the sample:


Full traffic breakdown for first chain:

Pre infection: [URLs not preserved in this copy]

Post infection: [URL not preserved in this copy]

Full traffic breakdown for second chain:

Pre infection: [URLs not preserved in this copy]

Post infection: [URL not preserved in this copy]