2014-11-11 - ANGLER EK USES DIFFERENT OBFUSCATION FOR THE MALWARE PAYLOAD

PCAP AND MALWARE:


NOTES:

Today, I reviewed a 2014-11-10 Threatglass entry on wira-ku.com.  It has some Angler EK traffic with different obfuscation for the malware payload than I've previously seen.

In August, kafeine posted about "fileless" infection by Angler EK at: http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html.  In that article, he shows the following ASCII strings used for XOR obfuscation by Angler EK for the malware payload:

Until today, I could use those strings to deobfuscate the payload.  None of them appear to work with today's Angler EK traffic.

The 2014-11-10 Threatglass pcap shows a different obfuscation used in Angler EK.  It doesn't look like the ASCII strings previously used to XOR the payload.  I don't know if this is a non-ASCII string, or if it's another layer of obfuscation.  To get a better idea, please review the pcap or look at the screenshot section below.
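The check described above (XOR the carved payload with each previously published ASCII key and see whether a Windows executable falls out), written up as an added example that is not code from the original post.  The keys and the sample payload below are constructed placeholders, not the real Angler EK strings or the bytes from the pcap.

```python
import struct

# Repeating-key XOR, the scheme Angler EK had been using with ASCII key strings.
def xor_decode(data: bytes, key: bytes) -> bytes:
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# A correctly decoded Windows executable starts with "MZ" and carries a
# "PE\0\0" signature at the offset stored in e_lfanew (DOS header offset 0x3C).
def looks_like_pe(data: bytes) -> bool:
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

# Try every candidate key against the payload; return the first key that
# yields a PE image, or None when none of them work (the situation seen in
# the 2014-11-10 traffic).
def find_xor_key(payload: bytes, candidate_keys):
    for key in candidate_keys:
        if looks_like_pe(xor_decode(payload, key)):
            return key
    return None

# Constructed sample data (NOT from the pcap): a minimal stand-in for a PE
# header, obfuscated with a made-up key so the check runs offline.
def build_sample():
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x80)          # e_lfanew -> 0x80
    image = bytes(header) + b"\x00" * (0x80 - len(header)) + b"PE\0\0" + b"\x00" * 20
    key = b"example-key-not-real"                       # placeholder key
    return xor_decode(image, key), key

if __name__ == "__main__":
    obfuscated, real_key = build_sample()
    old_keys = [b"placeholder-old-key-1", b"placeholder-old-key-2"]
    print("old keys work:", find_xor_key(obfuscated, old_keys) is not None)
    print("recovered key:", find_xor_key(obfuscated, old_keys + [real_key]))
```

With the real keys from kafeine's post in place of the placeholders, a None result is the "none of them appear to work" outcome; a returned key means the payload decodes to a PE and can be carved and hashed.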

Another change?  The Flash exploit in the pcap, sent after the malware, is about 40 KB.  For at least the past 3 months or so, Angler EK Flash exploits have been around 80 KB.  Today's Flash exploit is about half that size.

When I used tcpreplay on the Threatglass pcap, the post-infection traffic triggered EmergingThreats signatures for Poweliks malware.


CHAIN OF EVENTS

ORIGINAL WEBSITE AND AD TRAFFIC:


COMPROMISED AD PAGE:


REDIRECT/GATE POINTING TO ANGLER EK:


ANGLER EK:


POST-INFECTION HTTP TRAFFIC:


PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-11-11-Angler-EK-flash-exploit.swf
File size:  39.7 KB ( 40633 bytes )
MD5 hash:  a3367fd873f47576802f6cd7753343b6
Detection ratio:  1 / 53
First submission:  2014-11-10 20:05:00 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6da9ee383fcd77bd01e18073eda6d9e044de5ae72b6c30a087479ff7bcf27d2f/analysis/


ENCRYPTED PAYLOAD FROM THE PCAP:

File name:  2014-11-11-Angler-EK-encrypted-payload
File size:  520.5 KB ( 532992 bytes )
MD5 hash:  2c832ca97735969b38bea48a355a9eab


SNORT EVENTS

Using tcpreplay to generate Emerging Threats and ETPRO events in Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Reading the pcap in Snort to generate Sourcefire VRT events from Snort 2.9.6.2 on Debian 7:


SCREENSHOTS FROM THE TRAFFIC

The obfuscated payload sent by Angler EK:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
