2014-02-27 - ANGLER EK - ANOTHER EXAMPLE
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-02-26-Angler-EK-traffic-02.pcap.zip
- ZIP file of the malware: 2014-02-26-Angler-EK-malware-02.zip
NOTES:
This is a follow-up to my previous post on the Angler EK. Within 24 hours, I discovered a phishing email with a different Angler EK link.
A quick check on URLquery.net shows similar links.
CHAIN OF EVENTS
ASSOCIATED DOMAINS
- 23.91.114.130 - fadelacenter.org - Domain in malicious link from phishing email
- 31.222.178.84 - phisoomythyxiboow.ru - Angler EK domain using TCP port 8080
INFECTION CHAIN OF EVENTS
- 2014-02-26 13:23:05 UTC - 192.168.14.132:49207 - 23.91.114.130:80 - GET /wp-content/plugins/plugin/rebate.processing.html
- 2014-02-26 13:23:06 UTC - 192.168.14.132:49210 - 31.222.178.84:8080 - GET /nf21cea1mg
- 2014-02-26 13:23:07 UTC - 192.168.14.132:49209 - 31.222.178.84:8080 - GET /RdNfKfdXln2nO6XYEUqTw7kDKws6Al1QEfdOQujBANbN9iON
- 2014-02-26 13:23:11 UTC - 192.168.14.132:49209 - 31.222.178.84:8080 - GET /cJ6-hm1d9tIzeTUUGzhrQ9hV6j4nXeAMvXR-YkGo--2z7bEw
PRELIMINARY MALWARE ANALYSIS
MALWARE PAYLOAD
File name: embio.exe
File size: 635.0 KB ( 650240 bytes )
MD5 hash: 1e5514e4e3b7ca146d0790180a8808e1
Detection ratio: 6 / 48
First submission: 2014-02-26 11:07:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/959cbe1de0425f0c14e6def31c204939787bf09de9e8a90db4637d59e9497c18/analysis/
Malwr link: https://malwr.com/analysis/OTFhNGY5YWE2ZDRiNDBkNmJkOTY1MDU4Y2YzYWVkYTA/
SNORT EVENTS
SNORT EVENTS FOR THE ANGLER EK TRAFFIC (FROM SECURITY ONION)
- 2014-02-26 14:23:06 UTC - 31.222.178.84:8080 -> 192.168.14.132:49210 - ET CURRENT_EVENTS Angler Landing Page Feb 24 2014
- 2014-02-26 14:23:07 UTC - 31.222.178.84:8080 -> 192.168.14.132:49210 - ET SHELLCODE Possible Encoded %90 NOP SLED
- 2014-02-26 14:23:12 UTC - 31.222.178.84:8080 -> 192.168.14.132:49209 - ET CURRENT_EVENTS Angler EK encrypted binary (4)
HIGHLIGHTS FROM THE TRAFFIC
Link from the phishing email - fadelacenter.org/wp-content/plugins/plugin/rebate.processing.html
Angler EK delivers EXE payload - phisoomythyxiboow.ru:8080/cJ6-hm1d9tIzeTUUGzhrQ9hV6j4nXeAMvXR-YkGo--2z7bEw6
NOTES: The binary is XOR-ed with the ASCII string: laspfnfd (all lower-case). When I extracted the file from the PCAP and used a Python script to XOR it back, there was a 1-byte difference as seen below:
I don't know if there was some sort of corruption in the PCAP, but a similar thing happened in the Angler EK malware payloads in my previous post, except there was significantly more than a 1 byte difference between the files.
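For anyone who wants to reproduce the decoding step, here is an added Python example (my own illustration, not the script used for the post): it XORs a payload with the repeating key laspfnfd, then compares the decoded bytes against a reference copy of the dropped EXE and reports how many bytes differ and where. The reference EXE, the encoded capture, and the single flipped byte that stands in for the PCAP corruption are all constructed inline so the script runs offline; the MD5 is printed so you can check it against the hash in the malware payload section when running it on the real files.

```python
import hashlib
from itertools import cycle

# Added example, not code from the original post: repeating-key XOR decoding
# of the payload as described above, plus a byte-level diff against a
# reference copy of the EXE so a corrupted capture shows up as a count and
# a list of offsets rather than as "the hashes don't match".

XOR_KEY = b"laspfnfd"  # key reported in the post (all lower-case ASCII)


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of data with the repeating key.
    XOR is its own inverse, so the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def diff_bytes(a: bytes, b: bytes, limit: int = 10) -> dict:
    """Compare two byte strings. Returns the number of differing positions
    (a length mismatch counts each extra byte as a difference) and the
    first `limit` mismatches as (offset, byte_in_a, byte_in_b)."""
    n = min(len(a), len(b))
    mismatches = [i for i in range(n) if a[i] != b[i]]
    total = len(mismatches) + abs(len(a) - len(b))
    detail = [(i, a[i], b[i]) for i in mismatches[:limit]]
    return {"total": total, "len_a": len(a), "len_b": len(b), "first": detail}


def md5_hex(data: bytes) -> str:
    """MD5 of the data, for comparison with the hash listed in the post."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for the EXE recovered from the malware ZIP: an MZ
# header followed by filler long enough for the 8-byte key to wrap many times.
REFERENCE_EXE = b"MZ\x90\x00" + bytes(range(256)) * 4   # 1028 bytes, constructed
# Constructed stand-in for what the EK server sent over port 8080.
ENCODED_FROM_PCAP = xor_with_key(REFERENCE_EXE)

# Simulate the one-byte discrepancy the post observed by flipping a single
# byte of the captured (still encoded) stream.
_corrupted = bytearray(ENCODED_FROM_PCAP)
_corrupted[517] ^= 0xFF
CORRUPTED_CAPTURE = bytes(_corrupted)


def analyse(captured: bytes, reference: bytes) -> dict:
    """Decode the captured payload and compare it with the reference sample."""
    decoded = xor_with_key(captured)
    report = diff_bytes(decoded, reference)
    report["md5_decoded"] = md5_hex(decoded)
    report["md5_reference"] = md5_hex(reference)
    return report


if __name__ == "__main__":
    r = analyse(CORRUPTED_CAPTURE, REFERENCE_EXE)
    print(f"{r['total']} byte(s) differ; first mismatches: {r['first']}")
    print("md5 decoded  :", r["md5_decoded"])
    print("md5 reference:", r["md5_reference"])
```

Because the key is applied byte-by-byte, a single corrupted byte in the capture produces exactly one wrong byte in the decoded output at the same offset, which is the pattern described above; a differing file length or a long run of mismatches would point at a truncated or mis-reassembled TCP stream instead. To use it on real data, replace the constructed values with the bytes carved from the PCAP and the EXE from the malware ZIP.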
I couldn't figure out the specific exploit used by the Angler EK during this traffic--it wasn't the normal Java, Silverlight, or MSIE exploits I've run into lately.
FINAL NOTES
Once again, here are links for the associated files:
- ZIP of the PCAP: 2014-02-26-Angler-EK-traffic-02.pcap.zip
- ZIP file of the malware: 2014-02-26-Angler-EK-malware-02.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.