2014-02-27 - ANGLER EK - ANOTHER EXAMPLE

ASSOCIATED FILES:

NOTES:

This is a follow-up to my previous post on the Angler EK.  Within 24 hours, I discovered a phishing email with a different Angler EK link.

A quick check on URLquery.net shows similar links.

CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN OF EVENTS

PRELIMINARY MALWARE ANALYSIS

MALWARE PAYLOAD

File name:  embio.exe
File size:  635.0 KB ( 650240 bytes )
MD5 hash:  1e5514e4e3b7ca146d0790180a8808e1
Detection ratio:  6 / 48
First submission:  2014-02-26 11:07:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/959cbe1de0425f0c14e6def31c204939787bf09de9e8a90db4637d59e9497c18/analysis/
Malwr link: https://malwr.com/analysis/OTFhNGY5YWE2ZDRiNDBkNmJkOTY1MDU4Y2YzYWVkYTA/

SNORT EVENTS

SNORT EVENTS FOR THE ANGLER EK TRAFFIC (FROM SECURITY ONION)

HIGHLIGHTS FROM THE TRAFFIC

Link from the phishing email - fadelacenter.org/wp-content/plugins/plugin/rebate.processing.html

Angler EK delivers EXE payload - phisoomythyxiboow.ru:8080/cJ6-hm1d9tIzeTUUGzhrQ9hV6j4nXeAMvXR-YkGo--2z7bEw6

NOTES: The binary is XOR-ed with the ASCII string: laspfnfd (all lower-case).  When I extracted the file from the PCAP and used a Python script to XOR it back, there was a 1 byte difference as seen below:

I don't know if there was some sort of corruption in the PCAP, but a similar thing happened in the Angler EK malware payloads in my previous post, except there was significantly more than a 1 byte difference between the files.
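As an added illustration (not the author's script), here is the repeating-key XOR decode described above together with a byte-level comparison that pinpoints a discrepancy like the one observed. The key is the one named in the post; the sample payload bytes are constructed, and the flipped byte stands in for whatever went wrong in the capture.

```python
# Added example, not from the original post: decode an XOR-obfuscated payload
# carved from a PCAP with a repeating ASCII key, then diff two decoded copies
# to locate exactly where they differ.
from itertools import cycle

XOR_KEY = b"laspfnfd"  # key stated in the post, all lower-case ASCII


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Apply repeating-key XOR; the same call both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def byte_differences(a: bytes, b: bytes) -> list:
    """Return (offset, byte_a, byte_b) for each position where a and b differ.
    Positions past the end of the shorter input report None for that side."""
    diffs = []
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            diffs.append((i, x, y))
    return diffs


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decoded blob starts with the DOS 'MZ' magic."""
    return data[:2] == b"MZ"


# Constructed stand-in for the carved EXE: a fake 'MZ' header plus filler bytes.
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + bytes(range(256)) * 4


def demo():
    """Encode the sample, decode it, and diff against a copy with one bad byte."""
    encoded = xor_with_key(SAMPLE_PLAINTEXT)
    decoded = xor_with_key(encoded)
    corrupted = bytearray(encoded)
    corrupted[100] ^= 0xFF          # simulate a single damaged byte in the capture
    decoded_bad = xor_with_key(bytes(corrupted))
    return decoded, byte_differences(decoded, decoded_bad)


if __name__ == "__main__":
    result, diffs = demo()
    print("decoded starts with MZ:", looks_like_pe(result))
    for offset, good, bad in diffs:
        print(f"offset {offset:#x}: expected {good:#04x}, got {bad:#04x}")
```

On a real carved file, read the bytes from disk in place of SAMPLE_PLAINTEXT and compare the decoded output against the sample downloaded from a sandbox run before trusting either copy.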

I couldn't figure out the specific exploit used by the Angler EK during this traffic--it wasn't the normal Java, Silverlight, or MSIE exploits I've run into lately.

FINAL NOTES

Once again, here are links for the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.