2014-02-26 - ANGLER EK DELIVERS GRAFTOR/ZBOT VARIANT
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-02-26-Angler-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-02-26-Angler-EK-malware.zip
NOTES:
This is a good summary of Angler EK using a Silverlight exploit as early as Nov 2013:
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 206.188.192.114 - kaplanbenefits.com - Used by malicious link from phishing email.
- 31.170.161.196 - www.hereti.vacau.com - First redirect (unsuccessful)
- 62.149.130.229 - www.deacomunicazione.it - Second redirect (successful)
- 23.239.12.68 - northerningredients.com - Angler EK domain
INFECTION CHAIN OF EVENTS
- 02:56:38 UTC - 192.168.204.175:49380 - 206.188.192.114:80 - kaplanbenefits.com - GET /balanced/index.html
- 02:56:39 UTC - 192.168.204.175:49382 - 31.170.161.196:80 - www.hereti.vacau.com - GET /ruder/pinpoints.js
- 02:56:39 UTC - 192.168.204.175:49381 - 62.149.130.229:80 - www.deacomunicazione.it - GET /distincter/retorted.js
- 02:56:39 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /own0woz7z3
- 02:56:40 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt
- 02:56:43 UTC - 192.168.204.175:49387 - 23.239.12.68:80 - northerningredients.com - GET /KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6
- 02:56:45 UTC - 192.168.204.175:49387 - 23.239.12.68:80 - northerningredients.com - GET /favicon.ico
- 02:56:51 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe
POST-INFECTION CALLBACK TRAFFIC
- 02:58:06 UTC - 192.168.204.175:49391 - 173.194.77.104:80 - www.google.com - GET /
- UDP traffic from 192.168.204.175 (the infected host) to several dozen IP addresses on various ports
PRELIMINARY MALWARE ANALYSIS
SILVERLIGHT EXPLOIT
File name: 2014-02-26-Angler-EK-silverlight-exploit.xap
File size: 53.0 KB ( 54292 bytes )
MD5 hash: 54437862cb93c253e97f7b653917384e
Detection ratio: 0 / 50
First submission: 2014-02-25 01:01:06 UTC
VirusTotal link: https://www.virustotal.com/en/file/9cd9503a50bc010aa247e2e6409e413d90a9a50fdd6ecd1f795f15e5b5951cce/analysis/
MALWARE PAYLOAD
File name: fegyko.exe
File size: 331.0 KB ( 338944 bytes )
MD5 hash: 0e1baf2546a3cd0544e333715d95ab3d
Detection ratio: 14 / 50
First submission: 2014-02-26 03:50:33 UTC
VirusTotal link: https://www.virustotal.com/en/file/72fc35a8f1b3f5a279e5d2843da304bd670f2885adbac5444110a935c01b62e6/analysis/
Malwr link: https://malwr.com/analysis/YTFhNWVlNDg3YmMxNGNlNGIyNGNhYjYyMWViOWY0Nzk/
This is the malware payload after it copied itself to a folder named Xeoram in the AppData\Roaming\ directory.
SNORT EVENTS
SNORT EVENTS FOR THE ANGLER EK TRAFFIC (FROM SECURITY ONION)
- 2014-02-26 02:56:39 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET CURRENT_EVENTS Angler Landing Page Feb 24 2014
- 2014-02-26 02:56:40 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET SHELLCODE Possible Encoded %90 NOP SLED
- 2014-02-26 02:56:43 UTC - 23.239.12.68:80 -> 192.168.204.175:49387 - ET CURRENT_EVENTS Angler EK encrypted binary (2) Jan 17 2013
- 2014-02-26 02:56:52 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013
HIGHLIGHTS FROM THE TRAFFIC
The infected web page - kaplanbenefits.com/balanced/index.html
Successful redirect - www.deacomunicazione.it/distincter/retorted.js
Angler EK delivers Silverlight exploit - northerningredients.com/cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt
Angler EK delivers EXE payload, XOR-ed with the ASCII string: adb234nh
northerningredients.com/KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6
Angler EK delivers the same EXE payload again, XOR-ed with the ASCII string: aldonjfg
northerningredients.com/EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe
NOTE: When I tried XOR-ing both versions of the file from the PCAP, they both had the same MD5 hash, but it was different than the hash for a file named fegkyo.exe in the AppData\Roaming\Xeoram folder. Fegkyo.exe is the exact same size as the files from the PCAP, and it's presumably a copy of the properly deobfuscated malware payload. When I sent the deobfuscated files I extracted from the PCAP to VirusTotal and Malwr, they were marked as corrupt.
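The XOR step described above, as an added example that is not code from the original write-up. It assumes the Angler scheme is a plain byte-wise XOR with the ASCII key repeated across the whole file (an assumption; the page only names the key strings). The MZ/PE check is the sanity test an analyst applies before trusting a decoded blob, and the comparison shows why two downloads keyed with different strings hash identically once decoded. The sample "PE" stub is constructed, not a real payload.

```python
import hashlib
from itertools import cycle

# Key strings quoted in the write-up for the two payload downloads.
KEY_FIRST = b"adb234nh"
KEY_SECOND = b"aldonjfg"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that a decoded blob is a PE: 'MZ' stub and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_and_compare(blob_a: bytes, key_a: bytes, blob_b: bytes, key_b: bytes) -> dict:
    """Decode two captured downloads and report whether they are the same binary."""
    dec_a = xor_with_key(blob_a, key_a)
    dec_b = xor_with_key(blob_b, key_b)
    return {
        "md5_a": hashlib.md5(dec_a).hexdigest(),
        "md5_b": hashlib.md5(dec_b).hexdigest(),
        "same_payload": dec_a == dec_b,
        "pe_a": looks_like_pe(dec_a),
        "pe_b": looks_like_pe(dec_b),
    }


def constructed_sample() -> bytes:
    """Constructed stand-in for a PE file: DOS stub whose e_lfanew (0x40) points at a PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # 0x3C bytes of DOS header
    stub += (0x40).to_bytes(4, "little")       # e_lfanew = 0x40
    stub += b"PE\x00\x00" + b"\x00" * 60       # fake NT header
    return bytes(stub)


if __name__ == "__main__":
    plain = constructed_sample()
    # Simulate the two downloads seen in the PCAP: same file, two different keys.
    dl_a = xor_with_key(plain, KEY_FIRST)
    dl_b = xor_with_key(plain, KEY_SECOND)
    print(decode_and_compare(dl_a, KEY_FIRST, dl_b, KEY_SECOND))
```

With real captured bodies, pass the raw HTTP response payloads as blob_a/blob_b; a decoded file that fails looks_like_pe was keyed or extracted wrongly.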
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-02-26-Angler-EK-traffic.pcap.zip
- ZIP file of the malware: 2014-02-26-Angler-EK-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.