2014-02-26 - ANGLER EK DELIVERS GRAFTOR/ZBOT VARIANT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
NOTES:
This is a good summary of Angler EK using a Silverlight exploit as early as Nov 2013:
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 206.188.192[.]114 - kaplanbenefits[.]com - Used by malicious link from phishing email.
- 31.170.161[.]196 - www.hereti.vacau[.]com - First redirect (unsuccessful)
- 62.149.130[.]229 - www.deacomunicazione[.]it - Second redirect (successful)
- 23.239.12[.]68 - northerningredients[.]com - Angler EK domain
INFECTION CHAIN OF EVENTS
- 02:56:38 UTC - 206.188.192[.]114:80 - kaplanbenefits[.]com - GET /balanced/index.html
- 02:56:39 UTC - 31.170.161[.]196:80 - www.hereti.vacau[.]com - GET /ruder/pinpoints.js
- 02:56:39 UTC - 62.149.130[.]229:80 - www.deacomunicazione[.]it - GET /distincter/retorted.js
- 02:56:39 UTC - 23.239.12[.]68:80 - northerningredients[.]com - GET /own0woz7z3
- 02:56:40 UTC - 23.239.12[.]68:80 - northerningredients[.]com - GET /cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt
- 02:56:43 UTC - 23.239.12[.]68:80 - northerningredients[.]com - GET /KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6
- 02:56:45 UTC - 23.239.12[.]68:80 - northerningredients[.]com - GET /favicon.ico
- 02:56:51 UTC - 23.239.12[.]68:80 - northerningredients[.]com - GET /EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe
POST-INFECTION CALLBACK TRAFFIC
- 02:58:06 UTC - 173.194.77.104:80 - www.google.com - GET /
- UDP traffic from 192.168.204.175 (the infected host) to several dozen IP addresses on various ports
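The UDP fan-out noted above (one internal host talking to several dozen peers on assorted ports) is a pattern a defender can check for in connection logs. The following is an added example, not code from the original page: it parses constructed log lines of the form `<ISO timestamp> <src> <dst> <proto> <dport>` and flags any source whose UDP traffic reaches many distinct peers on many distinct ports within a sliding window. The log format, the thresholds and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original page): flag hosts whose UDP traffic
# fans out to many distinct peers on many distinct ports in a short window.
# The log format and thresholds below are assumptions for this example.


def parse_line(line: str) -> dict:
    """Parse one constructed log line: '<ISO ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "src": src,
        "dst": dst,
        "proto": proto.lower(),
        "dport": int(dport),
    }


def udp_fanout(lines, window=timedelta(minutes=5), min_peers=20, min_ports=10) -> dict:
    """Return {src: summary} for sources exceeding the peer/port thresholds
    within any sliding window of the given length (UDP only)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["proto"] == "udp":
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits within `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            peers = {e["dst"] for e in win}
            ports = {e["dport"] for e in win}
            if len(peers) >= min_peers and len(ports) >= min_ports:
                best = alerts.get(src)
                if best is None or len(peers) > best["peers"]:
                    alerts[src] = {
                        "peers": len(peers),
                        "ports": len(ports),
                        "first_seen": evs[start]["ts"],
                        "last_seen": evs[end]["ts"],
                    }
    return alerts


def _make_sample_log() -> list:
    """Constructed sample: one host fanning out to 40 peers (documentation
    address range 203.0.113.0/24) on 40 different ports, plus a benign host
    doing DNS to a single internal resolver."""
    lines = []
    t0 = datetime(2014, 2, 26, 2, 58, 10)
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} 192.168.204.175 203.0.113.{i + 1} udp {20000 + 97 * i}")
    for i in range(15):
        ts = (t0 + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} 192.168.204.10 192.168.204.2 udp 53")
    return lines


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for src, info in udp_fanout(SAMPLE_LOG).items():
        print(f"{src}: {info['peers']} UDP peers on {info['ports']} ports "
              f"between {info['first_seen']} and {info['last_seen']}")
```

The benign host never trips the detector because it talks to one resolver on one port; the thresholds are deliberately loose so that ordinary DNS, NTP or streaming traffic does not alert, and should be tuned to the environment.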
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-02-26-Angler-EK-silverlight-exploit.xap
File size: 54,292 bytes
MD5 hash: 54437862cb93c253e97f7b653917384e
Detection ratio: 0 / 50
First submission: 2014-02-25 01:01:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/9cd9503a50bc010aa247e2e6409e413d90a9a50fdd6ecd1f795f15e5b5951cce/analysis/
MALWARE PAYLOAD
File name: fegyko.exe
File size: 338,944 bytes
MD5 hash: 0e1baf2546a3cd0544e333715d95ab3d
Detection ratio: 14 / 50
First submission: 2014-02-26 03:50:33 UTC
VirusTotal link: https://www.virustotal.com/en/file/72fc35a8f1b3f5a279e5d2843da304bd670f2885adbac5444110a935c01b62e6/analysis/
This is the malware payload after it copied itself to a folder named Xeoram in the AppData\Roaming\ directory.
ALERTS
ALERTS FOR THE ANGLER EK TRAFFIC (FROM SECURITY ONION)

- 2014-02-26 02:56:39 UTC - 23.239.12[.]68:80 - ET CURRENT_EVENTS Angler Landing Page Feb 24 2014
- 2014-02-26 02:56:40 UTC - 23.239.12[.]68:80 - ET SHELLCODE Possible Encoded %90 NOP SLED
- 2014-02-26 02:56:43 UTC - 23.239.12[.]68:80 - ET CURRENT_EVENTS Angler EK encrypted binary (2) Jan 17 2013
- 2014-02-26 02:56:52 UTC - 23.239.12[.]68:80 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013
HIGHLIGHTS FROM THE TRAFFIC
The infected web page - kaplanbenefits[.]com/balanced/index.html
Successful redirect - www.deacomunicazione[.]it/distincter/retorted.js
Angler EK delivers Silverlight exploit - northerningredients[.]com/cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt
Angler EK delivers EXE payload, XOR-ed with the ASCII string: adb234nh
northerningredients[.]com/KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6
Angler EK delivers the same EXE payload again, XOR-ed with the ASCII string: aldonjfg
northerningredients[.]com/EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe
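Recovering the EXE from these two downloads means undoing the XOR with the key string noted above. The following is an added example, not code from the original page: it applies the key as a repeating XOR over the captured body (the assumption made here about how the ASCII string is used), then checks that the result has an MZ header and a PE signature at e_lfanew, and optionally compares its MD5 against a known value such as the payload hash listed above. The sample input is a constructed, minimal PE-like blob, not the real payload, so the example runs offline.

```python
import hashlib
import struct
from typing import Optional

# Added example (not from the original page): decode an Angler EK payload that
# was XOR-ed with an ASCII key string, then sanity-check the result.
# Assumption: the key is applied as a repeating XOR over the whole blob.


def xor_decode(blob: bytes, key: str) -> bytes:
    """Repeating-key XOR with an ASCII key (assumed key schedule)."""
    k = key.encode("ascii")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(blob))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_and_verify(blob: bytes, key: str, expected_md5: Optional[str] = None) -> dict:
    """Decode, check PE structure, and optionally compare the MD5 with a known hash."""
    decoded = xor_decode(blob, key)
    md5 = hashlib.md5(decoded).hexdigest()
    return {
        "is_pe": looks_like_pe(decoded),
        "md5": md5,
        "md5_matches": expected_md5 is not None and md5 == expected_md5.lower(),
        "decoded": decoded,
    }


def _build_fake_pe() -> bytes:
    """Constructed sample: a minimal PE-shaped blob (not a real executable)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)         # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 60


FAKE_PE = _build_fake_pe()
SAMPLE_KEY = "adb234nh"                        # key noted on the page for the first payload
ENCODED_SAMPLE = xor_decode(FAKE_PE, SAMPLE_KEY)   # XOR is symmetric, so this "encodes" it

if __name__ == "__main__":
    result = decode_and_verify(ENCODED_SAMPLE, SAMPLE_KEY)
    print("PE structure OK:", result["is_pe"], "MD5:", result["md5"])
    # Using the second download's key on the first body does not yield a PE
    print("with the other key:", decode_and_verify(ENCODED_SAMPLE, "aldonjfg")["is_pe"])
```

On a real capture, pass the raw HTTP response body from the second or fourth Angler request and the matching key; a decoded body that passes the structural check and whose MD5 equals the payload hash listed above confirms both downloads carry the same EXE.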