2014-11-02 - ANGLER EK FROM 5.196.176.167 - FAENGELSHAZIER.NETGOUV.COM

ASSOCIATED FILES:

 

NOTES:

I found today's compromised website by searching through the reports section of scumware.org.  This one was listed in the .eu domains:

 

Like today, previous malware payloads from Angler EK will check www.earthtools.org and www.ecb.europa.eu for timezone and other information before connecting to DGA-style domains over port 443.  Here's a list of Angler EK with similar malware payloads:

 

As usual, these Angler EK infections are now "fileless," and none of the exploit kit files are saved to disk (except the Java exploit).  For more info on these fileless infections, see:

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

COMPROMISED WEBSITE AND REDIRECT:

 

ANGLER EK:

 

MALWARE PAYLOAD WAS SENT THREE TIMES.  EACH TIME, IT CHECKED FOR CONNECTIVITY:

 

DNS QUERIES FROM THE INFECTED VM (RESPONSE WAS "NO SUCH NAME"):

 

ONE OF THE DOMAINS RESOLVED TO AN IP ADDRESS, AND THE HOST GENERATED ENCRYPTED CALLBACK TRAFFIC:

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-11-02-Angler-EK-flash-exploit.swf
File size:  85.3 KB ( 87354 bytes )
MD5 hash:  30db56b29ec0288e5dc705f251a61ff0
Detection ratio:  1 / 54
First submission:  2014-11-01 08:38:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4e22ca4ccc0dfed2cb9cd136ecd69d364a5ce8e1db991732d965043a6917ee66/analysis/

 

JAVA EXPLOIT

File name:  2014-11-02-Angler-EK-Java-exploit.jar
File size:  28.1 KB ( 28769 bytes )
MD5 hash:  ed39baded73b3b363d37b6715eba5e47
Detection ratio:  17 / 53
First submission:  2014-10-22 20:11:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a1741514c12840e657f5e71c269a2ea65135b50dfba6a9a0d757e702072d65d6/analysis/

 

MALWARE PAYLOAD

File name:  2014-11-02-Angler-EK-malware-payload.dll
File size:  185.5 KB ( 189952 bytes )
MD5 hash:  11837229f834d296342b205433e9bc48
Detection ratio:  2 / 53
First submission:  2014-11-02 22:34:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef0503a22a0a359bcb82ff2ef57907a0b2cabf3a145b661d053d42fba712a073/analysis/
Malwr.com link:  https://malwr.com/analysis/MTUyZDU2MzNmYjMxNDI2Yzk5MTAxZjhjNDMxMjAxYjA/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):

 

SCREENSHOTS FROM THE TRAFFIC

Malicious script causes an iframe to be loaded on the compromised website--you can see the resulting iframe in the browser:

 

As usual, the Angler EK malware payload is obfuscated:

 

Deobfuscate the payload, and you can see where the shellcode ends and the malicious binary begins:

 

Carve out the binary, and it appears the de-obfuscation worked:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.