2014-05-07 - 32X32 CHARACTER GATES AND ANGLER EK

ASSOCIATED FILES:

• ZIP of the PCAP:  2014-05-07-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-07-Angler-EK-malware.zip
• ZIP with PCAP of sandbox analysis of the malware:  2014-05-07-sandbox-analysis-of-Angler-EK-malware-payload.pcap.zip

NOTES:

• This month, I've seen a couple of interesting HTTP POST requests for redirect traffic to Angler EK.
• The signature for this is:  ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid: 2018442)
• If a compromised website decides your IP and user-agent is acceptable, you'll see a pop-up window warning about the site using cookies.
• If you see this pop-up, you'll be redirected to an exploit kit behind the scenes, no matter which button you click.
• So far, I've only seen Angler EK after encountering this 32x32 gate...  Here's a screen shot of the pop-up:

 

CHAIN OF EVENTS

COMPROMISED WEBSITE AND 32X32 CHARACTER REDIRECT:

• 22:20:11 UTC - 23.253.128.124 - www.renegadedietbook.com - GET /
• 22:20:18 UTC - 209.59.163.234 - www.criminalduiattorneyboulder.com - POST /75688fe9702ff3913d01151168e76c2b.php?q=c4250488f251184262da328cd04e2edc

ANGLER EK:

• 22:20:19 UTC - 184.82.38.51 - dk2w.lanapyxefyfppw.com - GET /yd3h90iaai
• 22:20:22 UTC - 184.82.38.51 - dk2w.lanapyxefyfppw.com - GET /WR9iKsSVmSDUCjAYNOR6V6af91nzt8KY0ri4nj-KLa7aQVqxrtFOaJ4AGU436JMkYLLgFH5ycCo=
• 22:20:22 UTC - 184.82.38.51 - dk2w.lanapyxefyfppw.com - GET /vTgkKsstAhMLT-Zc8zvYS-7JFV44DTyMRxbAnX7VK7tY7dDCMILmnjkSt7s83zowpN28Nccm390=
• 22:20:25 UTC - 184.82.38.51 - dk2w.lanapyxefyfppw.com - GET /f2ccjO10zRmTmyVdjDsJgbAHilo3Aijx6sNlivCizoZIxXV_YhVCbKWHKElzmECziVIpunX6t0E=

TRAFFIC FROM SANDBOX ANALYSIS OF THE EXE PAYLOAD:

• 131.253.13.140 - www.msn.com - GET /
• 192.150.16.64 - www.adobe.com - POST /
• 93.174.73.204 - forum.farmanager.com - POST /
• 157.56.109.8 - ui.skype.com - POST /ui/0/6.14.0.104/en/help
• 93.174.73.204 - farmanager.com - POST /
• 50.112.255.196 - www.opera.com - POST /support
• 64.4.11.25 - go.microsoft.com - POST /fwlink/?LinkId=133405
• 93.174.73.204 - forum.farmanager.com - POST /
• 46.4.202.136 - mailprom.in - POST /main/
• 93.174.73.204 - farmanager.com - POST /
• 192.150.16.64 - www.adobe.com - POST /support/main.html
• 192.150.16.64 - www.adobe.com - POST /go/flashplayer_support/
• 46.4.202.136 - mailprom.in - POST /main/
• 46.4.202.136 - mailprom.in - POST /main/
• 46.4.202.136 - mailprom.in - POST /main/

 

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT (CREATED/MODIFIED 2014-05-06)

File name:  2014-05-07-Angler-EK-silverlight-exploit.xap
File size:  51.8 KB ( 53056 bytes )
MD5 hash:  861f46df5b24bbc2c7369c8aaa666aeb
Detection ratio:  0 / 52
First submission:  2014-05-07 20:57:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/95cc56245e7ba5c4ed803060c71b2bc8e48dee54de56ed7f43a069a345a9cbcd/analysis/

 

FLASH EXPLOIT

File name:  2014-05-07-Angler-EK-flash-exploit.swf
File size:  41.5 KB ( 42513 bytes )
MD5 hash:  e9f0b5be4e7125f0256085fe0415ee85
Detection ratio:  2 / 52
First submission:  2014-05-08 01:16:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3d81cb8c0d8cd1c888ed425ec6bf4be7a0fc8057c97092af374630e1579458b3/analysis/

File name:  2014-05-07-Angler-EK-flash-exploit-uncompressed.swf
File size:  70.2 KB ( 71888 bytes )
MD5 hash:  beb148c4f812c2880d6afb025c410994
Detection ratio:  2 / 52
First submission:  2014-05-08 01:17:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/86d69288a18ebf2b1a04f0fb1ab404768fabc1935ab7792e163432fb35d351a6/analysis/

 

MALWARE PAYLOAD (SAVED AS A DLL IN THE USER'S APPDATA\LOCAL\TEMP FOLDER)

File name:  2014-05-07-Angler-EK-malware-pyaload.exe
File size:  62.9 KB ( 64360 bytes )
MD5 hash:  1e502579936d80f217bf77ee765924a3
Detection ratio:  6 / 52
First submission:  2014-05-08 01:10:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/06a428dd5a543e67f25b02ccd7efa77d8f2cd7fe67bbfe2184d2023b16aa152c/analysis/

 

SNORT EVENTS

SNORT EVENTS FOR THE INFECTION TRAFFIC (from Sguil on Security Onion)

• 2014-05-07 22:20:18 UTC - 172.16.223.134:49583 - 209.59.163.234:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST
• 2014-05-07 22:20:21 UTC - 184.82.38.51:80 -> 172.16.223.134:49584 - ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 1
• 2014-05-07 22:20:21 UTC - 172.16.223.134:49584 - 184.82.38.51:80 - ET POLICY Outdated Windows Flash Version IE
• 2014-05-07 22:20:25 UTC - 184.82.38.51:80 - 172.16.223.134:49585 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013

 

SCREENSHOTS FROM THE TRAFFIC

If you come upon the site, and it's suspicious of (for whatever reason), it will not include the malicious code:

 

Here's what the malicious script looked like for my pop-up window/redirect:

 

Here's what it looked like in the browser:

 

The redirect traffic after clicking one of the buttons:

 

In this case, Angler EK first delivered the Flash exploit:

 

Then it delivered the Silverlight exploit:

 

In the same TCP stream as the Silverlight exploit, we see the malware payload.  It was stored in the

 

FINAL NOTES

Once again, here are links for the associated files:

• ZIP of the PCAP:  2014-05-07-Angler-EK-traffic.pcap.zip
• ZIP of the malware:  2014-05-07-Angler-EK-malware.zip
• ZIP with PCAP of sandbox analysis of the malware:  2014-05-07-sandbox-analysis-of-Angler-EK-malware-payload.pcap.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.