2014-11-02 - ANGLER EK FROM 5.196.176[.]167 - FAENGELSHAZIER.NETGOUV[.]COM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-11-02-Angler-EK-traffic.pcap.zip  1.0 MB (1,006,772 bytes)
• 2014-11-02-Angler-EK-malware.zip  225.9 kB (225,911 bytes)

 

NOTES:

I found today's compromised website by searching through the reports section of scumware.org.  This one was listed in the .eu domains:

 

Like today, previous malware payloads from Angler EK will check www.earthtools[.]org and www.ecb.europa[.]eu for timezone and other information before connecting to DGA-style domains over port 443.  Here's a list of Angler EK with similar malware payloads:

• 2014-10-30 Angler EK from 208.76.52[.]55 - qwe.leucaenaleucocephalaporno[.]net
• 2014-10-06 Angler EK from 5.135.230[.]183 - 7dws8yz0k2.sdiouvb[.]com
• 2014-10-01 Angler EK from 66.172.27[.]117 - asd.crossheading[.]us
• 2014-09-27 Angler EK from 66.172.12[.]231 - asd.branchiopodamericangentian[.]us
• 2014-09-26 Angler EK from 162.248.243[.]78 - qwe.tributarykamarupan[.]us
• 2014-09-09 Angler EK from 46.105.140[.]56 - tsevid-synonymi.justdanceatsea[.]com:8080

 

As usual, these Angler EK infections are now "fileless," and none of the exploit kit files are saved to disk (except the Java exploit).  For more info on these fileless infections, see:

• https://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 62.149.142[.]235 - www.cidec[.]eu - Compromised website
• 62.149.140[.]189 - www.fuerzayemocion[.]com - Redirect
• 5.196.176[.]167 - faengelshazier.netgouv[.]com - Angler EK
• 69.64.90[.]119 - kvnegrpznjgggdl1b[.]com - Post-infection encrypted callback over port 443

 

COMPROMISED WEBSITE AND REDIRECT:

• 2014-11-02 21:50:28 UTC - www.cidec[.]eu - GET /
• 2014-11-02 21:50:29 UTC - www.fuerzayemocion[.]com - GET /xnlrch3f.php?id=13767304

 

ANGLER EK:

• 2014-11-02 21:50:33 UTC - faengelshazier.netgouv[.]com - GET /xzig40ddv1.php
• 2014-11-02 21:50:38 UTC - faengelshazier.netgouv[.]com - GET /-LMwJkrsQLwi574_5My8vfwrQ8-HlVV1NaTvy3Xn_12-pLGsPnBNqXFDWKnSOHrF
• 2014-11-02 21:50:42 UTC - faengelshazier.netgouv[.]com - GET /asmta19aaTz7BnaYftbQXqrF5_vHxnhUwAq-i3Plpsf4LAEvdpmeh62r-Tni6mZC
• 2014-11-02 21:50:46 UTC - faengelshazier.netgouv[.]com - GET /fst0kiFJBonVmv41hNbhdmhALsOb5Lym09nhoxUP28g012U1zbJrQB-nP7sDyEfy
• 2014-11-02 21:50:57 UTC - faengelshazier.netgouv[.]com - GET /Q_aoQnHNC4PY4-YUq3qW5V9IvheoiyVR_Fq4737bHb5lVgPN-4FOGqMQ2obM3DTK
• 2014-11-02 21:50:59 UTC - faengelshazier.netgouv[.]com - GET /2KYWHq_Gd3moghAsXWlm-t5xPv6DgU2XmDKzx6i64BbEu1F9HuYdxoou8vn8xNva

 

MALWARE PAYLOAD WAS SENT THREE TIMES.  EACH TIME, IT CHECKED FOR CONNECTIVITY:

• 2014-11-02 21:50:41 UTC - 208.113.226[.]171:80 - www.earthtools[.]org - POST /timezone/0/0
• 2014-11-02 21:50:42 UTC - 23.34.200[.]11:80 - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2014-11-02 21:51:32 UTC - 208.113.226[.]171:80 - www.earthtools[.]org - POST /timezone/0/0
• 2014-11-02 21:51:32 UTC - 23.34.200[.]11:80 - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml
• 2014-11-02 21:51:42 UTC - 208.113.226[.]171:80 - www.earthtools[.]org - POST /timezone/0/0
• 2014-11-02 21:51:43 UTC - 23.34.200[.]11:80 - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml

 

DNS QUERIES FROM THE INFECTED VM (RESPONSE WAS "NO SUCH NAME"):

• 2014-11-02 21:50:43 UTC - vqtdwuskgxvos[.]com
• 2014-11-02 21:50:43 UTC - bxylcvliashqizud6[.]com
• 2014-11-02 21:50:44 UTC - qifxehvvcfgaohfpf[.]com
• 2014-11-02 21:50:44 UTC - qzblwayccpwxtu[.]com
• 2014-11-02 21:50:44 UTC - smfzapkwvekomeh5[.]com
• 2014-11-02 21:50:44 UTC - yfxbfjwngyrol6c[.]com
• 2014-11-02 21:50:44 UTC - jmzcwofaldpojzw1a[.]com
• 2014-11-02 21:50:44 UTC - cscwcwffgsfnrstvqz[.]com
• 2014-11-02 21:50:45 UTC - nzlpktpwhdvjla[.]com
• 2014-11-02 21:50:45 UTC - spxvikummnemkekcc3[.]com
• 2014-11-02 21:50:46 UTC - ckeorvbltdjjaoqt2i[.]com
• 2014-11-02 21:50:46 UTC - cdjkjmytglciivq[.]com
• 2014-11-02 21:50:47 UTC - xfnzqyzhbgcqhhddxy[.]com
• 2014-11-02 21:50:47 UTC - rrpnxdwjpvbiauk[.]com
• 2014-11-02 21:50:47 UTC - nywkmnqzuhrk8j[.]com
• 2014-11-02 21:50:47 UTC - airamyhhukevkqo1c[.]com
• 2014-11-02 21:50:48 UTC - ijxyqgzrbthv0m[.]com
• 2014-11-02 21:50:48 UTC - pfgijizplnsggisuw[.]com
• 2014-11-02 21:50:48 UTC - mcrfqywcuqqxyy[.]com
• 2014-11-02 21:51:33 UTC - cscwcwffgsfnrstvqz[.]com
• 2014-11-02 21:51:33 UTC - ckeorvbltdjjaoqt2i[.]com
• 2014-11-02 21:51:33 UTC - rrpnxdwjpvbiauk[.]com
• 2014-11-02 21:51:33 UTC - ijxyqgzrbthv0m[.]com
• 2014-11-02 21:51:44 UTC - qzblwayccpwxtu[.]com
• 2014-11-02 21:51:44 UTC - smfzapkwvekomeh5[.]com
• 2014-11-02 21:51:44 UTC - yfxbfjwngyrol6c[.]com
• 2014-11-02 21:51:44 UTC - jmzcwofaldpojzw1a[.]com
• 2014-11-02 21:51:44 UTC - cscwcwffgsfnrstvqz[.]com
• 2014-11-02 21:51:45 UTC - nzlpktpwhdvjla[.]com
• 2014-11-02 21:51:45 UTC - spxvikummnemkekcc3[.]com
• 2014-11-02 21:51:45 UTC - ckeorvbltdjjaoqt2i[.]com
• 2014-11-02 21:51:45 UTC - cdjkjmytglciivq[.]com
• 2014-11-02 21:51:46 UTC - xfnzqyzhbgcqhhddxy[.]com
• 2014-11-02 21:51:46 UTC - rrpnxdwjpvbiauk[.]com
• 2014-11-02 21:51:46 UTC - nywkmnqzuhrk8j[.]com
• 2014-11-02 21:51:46 UTC - airamyhhukevkqo1c[.]com
• 2014-11-02 21:51:46 UTC - ijxyqgzrbthv0m[.]com
• 2014-11-02 21:51:46 UTC - pfgijizplnsggisuw[.]com
• 2014-11-02 21:51:46 UTC - mcrfqywcuqqxyy[.]com

 

ONE OF THE DOMAINS RESOLVED TO AN IP ADDRESS, AND THE HOST GENERATED ENCRYPTED CALLBACK TRAFFIC:

• 2014-11-02 21:50:50 UTC - 69.64.90[.]119:443 - HTTPS traffic to: kvnegrpznjgggdl1b[.]com
• 2014-11-02 21:51:47 UTC - 69.64.90[.]119:443 - HTTPS traffic to: kvnegrpznjgggdl1b[.]com

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-11-02-Angler-EK-flash-exploit.swf
File size:  87,354 bytes
MD5 hash:  30db56b29ec0288e5dc705f251a61ff0
Detection ratio:  1 / 54
First submission:  2014-11-01 08:38:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4e22ca4ccc0dfed2cb9cd136ecd69d364a5ce8e1db991732d965043a6917ee66/analysis/

 

JAVA EXPLOIT

File name:  2014-11-02-Angler-EK-Java-exploit.jar
File size:  28,769 bytes
MD5 hash:  ed39baded73b3b363d37b6715eba5e47
Detection ratio:  17 / 53
First submission:  2014-10-22 20:11:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a1741514c12840e657f5e71c269a2ea65135b50dfba6a9a0d757e702072d65d6/analysis/

 

MALWARE PAYLOAD

File name:  2014-11-02-Angler-EK-malware-payload.dll
File size:  189,952 bytes
MD5 hash:  11837229f834d296342b205433e9bc48
Detection ratio:  2 / 53
First submission:  2014-11-02 22:34:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef0503a22a0a359bcb82ff2ef57907a0b2cabf3a145b661d053d42fba712a073/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-11-02 21:50:29 UTC - 62.149.142[.]235:80 - ET CURRENT_EVENTS Malicious Redirect 8x8 script tag (sid:2018053)
• 2014-11-02 21:50:34 UTC - 5.196.176[.]167:80 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
• 2014-11-02 21:50:39 UTC - 5.196.176[.]167:80 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
• 2014-11-02 21:50:42 UTC - 5.196.176[.]167:80 - ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
• 2014-11-02 21:50:47 UTC - 5.196.176[.]167:80 - ET CURRENT_EVENTS Angler Encoded Shellcode Flash (sid:2018956)
• 2014-11-02 21:50:58 UTC - 5.196.176[.]167:80 - ET CURRENT_EVENTS Angler EK Java Exploit URI Struct (sid:2019514)
• 2014-11-02 21:51:00 UTC - 5.196.176[.]167:80 - ET CURRENT_EVENTS Angler Encoded Shellcode Java (sid:2018957)
• 2014-11-02 21:51:34 UTC - [localhost]:53 - ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):

• 2014-11-02 21:50:38 UTC - 5.196.176[.]167:80 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
• 2014-11-02 21:50:42 UTC - 5.196.176[.]167:80 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
• 2014-11-02 21:50:47 UTC - 5.196.176[.]167:80 - [1:31899:1] EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected (x4)
• 2014-11-02 21:50:59 UTC - 5.196.176[.]167:80 - [1:31901:1] EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected (x3)

 

SCREENSHOTS FROM THE TRAFFIC

Malicious script causes an iframe to be loaded on the compromised website--you can see the resulting iframe in the browser:

 

As usual, the Angler EK malware payload is obfuscated:

 

Deobfuscate the payload, and you can see where the shellcode ends and the malicious binary begins:

 

Carve out the binary, and it appears the de-obfuscation worked:

 

Click here to return to the main page.