Network traffic analysis
The first Angler EK alerts came from the website neuhaus-hourakus.avelinoortiz[.]com
The order of the visits for that specific domain was:
If we dig a little deeper into the connections made before the Google redirection, we can see that the user was interested in guns. He did two searches in Google:
which redirects to http://www.cabelas.com/category/Shotguns/105537780.uts, which does not appear to be infected.
which loads the EK landing page: neuhaus-hourakus.avelinoortiz[.]com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29
The computer then also started requesting domain names that did not resolve...
Those domains may have been produced by a domain generation algorithm (DGA). This could be an indicator that the computer had become part of a botnet.
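The DGA observation above can be turned into a repeatable check on the DNS log. The following is an added example, not part of the original write-up: it parses constructed DNS log lines (the format, the client addresses, the timestamps and the unresolved names are all made up for the example; only the landing-page domain comes from the page), then scores each client on its NXDOMAIN ratio, on how many of the failed names have high character entropy in their second-level label, and on how tightly the failures are bunched in time. A client is flagged only when the ratio and the high-entropy count both cross their thresholds, because entropy alone misfires on ordinary names.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS log lines, not traffic from the original write-up.
# Assumed format per line: "<ISO timestamp> <client_ip> <query_name> <rcode>"
SAMPLE_DNS_LOG = """\
2015-06-01T10:01:02 192.168.1.10 www.google.com NOERROR
2015-06-01T10:01:05 192.168.1.10 www.cabelas.com NOERROR
2015-06-01T10:01:09 192.168.1.10 www.shotgunworld.com NOERROR
2015-06-01T10:01:12 192.168.1.10 neuhaus-hourakus.avelinoortiz.com NOERROR
2015-06-01T10:02:30 192.168.1.10 xk2p9qvd7lrm.net NXDOMAIN
2015-06-01T10:02:33 192.168.1.10 bw4ztu8ncqhe.com NXDOMAIN
2015-06-01T10:02:36 192.168.1.10 rf6yjk3vopda.org NXDOMAIN
2015-06-01T10:02:39 192.168.1.10 mq1sxe5wlztb.info NXDOMAIN
2015-06-01T10:02:42 192.168.1.10 gp7cvk2nhryu.net NXDOMAIN
2015-06-01T10:02:45 192.168.1.10 dt9bzm4xqlfe.biz NXDOMAIN
2015-06-01T10:01:00 192.168.1.20 www.google.com NOERROR
2015-06-01T10:01:20 192.168.1.20 mail.google.com NOERROR
2015-06-01T10:01:40 192.168.1.20 www.wikipedia.org NOERROR
2015-06-01T10:02:00 192.168.1.20 intranet.corp.local NXDOMAIN
2015-06-01T10:02:20 192.168.1.20 www.cabelas.com NOERROR
"""


def parse_dns_log(text):
    """Parse log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode.upper(),
        })
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Label left of the TLD (naive: ignores multi-part suffixes such as co.uk)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def max_burst(timestamps, window):
    """Largest number of events inside any sliding window of the given length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_clients(records, min_queries=5, nx_ratio_threshold=0.5,
                  entropy_threshold=3.0, min_high_entropy=3,
                  window=timedelta(seconds=60)):
    """Per-client NXDOMAIN summary with a 'flagged' verdict (thresholds are assumptions)."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    report = {}
    for client, recs in per_client.items():
        nx = [r for r in recs if r["rcode"] == "NXDOMAIN"]
        # Entropy is only measured on the names that failed to resolve.
        high = [r["qname"] for r in nx
                if shannon_entropy(second_level_label(r["qname"])) >= entropy_threshold]
        ratio = len(nx) / len(recs)
        report[client] = {
            "queries": len(recs),
            "nxdomain": len(nx),
            "nx_ratio": ratio,
            "high_entropy_nx": high,
            "burst": max_burst([r["ts"] for r in nx], window),
            "flagged": (len(recs) >= min_queries
                        and ratio >= nx_ratio_threshold
                        and len(high) >= min_high_entropy),
        }
    return report


if __name__ == "__main__":
    for client, s in score_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        verdict = "SUSPECT DGA" if s["flagged"] else "ok"
        print(f"{client}: {s['nxdomain']}/{s['queries']} NXDOMAIN, burst={s['burst']}/60s, "
              f"high-entropy={len(s['high_entropy_nx'])} -> {verdict}")
```

The burst figure is reported but not used in the verdict; in practice a short window with many NXDOMAIN answers is the most distinctive part of a DGA beacon, and the thresholds should be tuned against a baseline of the network's normal resolution failures before being used to raise alerts.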
- The user was doing Google searches related to guns.
- After visiting some gun shops, he ended up on this web site: www.shotgunworld[.]com
- It seems the EK was successful and the computer became part of a botnet.