2014-10-30 - 32X32 GATE LEADS TO ANGLER EK - NO FAKE POP-UP AS SEEN BEFORE WITH THESE 32X32 GATES

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-10-30-Angler-EK-traffic.pcap.zip
• 2014-10-30-Angler-EK-malware.zip

NOTES:

• Previously, I only saw 32x32 gates with a fake pop-up window, most recently documented on 2014-10-01.
• Today, there was no pop-up window--instead, a Flash file was used in conjunction with the 32x32 gate.
• See the screenshots below for details.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• 122.201.118[.]15:80 - watsonsbayhotel[.]com[.]au - Compromised website
• 212.97.132[.]153 - kj-invest[.]com - provides Flash used with 32x32 gate
• 184.168.204[.]1 - newfamilynutrition[.]com - 32x32 gate
• 208.76.52[.]55 - qwe.leucaenaleucocephalaporno[.]net - Angler EK
• various IP addresses - post-infection traffic - see below

 

COMPROMISED WEBSITE:

• 12:36:55 UTC - 122.201.118[.]15:80 - watsonsbayhotel[.]com[.]au - GET /

 

FLASH FILE AND 32X32 GATE:

• 12:37:08 UTC - 212.97.132[.]153:80 - kj-invest[.]com - GET /2de96bd378d6e6614297e27284fdb335.swf
• 12:37:13 UTC - 184.168.204[.]1:80 - newfamilynutrition[.]com - POST /c9e9975e0f51af3ce1354090fb303d8e.php?q=
  87086c5336208ce7836edca90ecc8d25

 

ANGLER EK:

• 12:37:17 UTC - qwe.leucaenaleucocephalaporno[.]net - GET /7xibe37z48
• 12:37:26 UTC - qwe.leucaenaleucocephalaporno[.]net - GET /4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
• 12:37:37 UTC - qwe.leucaenaleucocephalaporno[.]net - GET /u-mU9vZe-_GNefFwlNYX6lIEN34g8x7Ul41a1MkBxsRG8I2GUvo1GhRV1n9fn9G8
• 12:37:47 UTC - qwe.leucaenaleucocephalaporno[.]net - GET /7iEM_ztBDM2w9vg0xVKdfpJGf5xRNOXc1TxsaPGLFb3RoEBNnOhxQQ34cvEfWZ6W
• 12:37:48 UTC - qwe.leucaenaleucocephalaporno[.]net - GET /543tBS48IOu6n62yq1_fqmDQGmfGyQA5U5PR7fI5msXa_W-t2wohzDpVvuje5MPf
• 12:38:07 UTC - qwe.leucaenaleucocephalaporno[.]net - GET /SNCbVkwM787Yd4m2a6_n0BN3UcBI4N-mBv23JmCnjGIa02cakAh_ETPbWaqdj1Fv

 

POST-INFECTION TRAFFIC:

• 12:37:35 UTC - 208.113.226[.]171:80 - www.earthtools[.]org - POST /timezone/0/0
• 12:37:38 UTC - 23.222.70[.]93:80 - www.ecb.europa[.]eu - POST /stats/eurofxref/eurofxref-hist-90d.xml

• 12:37:51 UTC - [internal server]:53 - DNS query for: exwpyvpsfslxqpklm[.]com (No such name)
• 12:37:57 UTC - [internal server]:53 - DNS query for: dbirbrdyrfhbem7[.]com (No such name)
• 12:37:58 UTC - [internal server]:53 - DNS query for: fjspitysjthgyjut[.]com (No such name)
• 12:38:01 UTC - [internal server]:53 - DNS query for: nafreasaozpckabb2[.]com (No such name)
• 12:38:02 UTC - [internal server]:53 - DNS query for: zeyepwsksqepmxmgt6[.]com (No such name)
• 12:38:02 UTC - [internal server]:53 - DNS query for: xevumdeninsk1[.]com (No such name)
• 12:38:03 UTC - [internal server]:53 - DNS query for: xwrobptfqcdzpxp8[.]com (No such name)
• 12:38:04 UTC - [internal server]:53 - DNS query for: adisgbbajbjokvr[.]com (No such name)
• 12:38:04 UTC - [internal server]:53 - DNS query for: idiexymtmrcxvg[.]com (No such name)
• 12:38:05 UTC - [internal server]:53 - DNS query for: gnrsypvuwbisjzxya[.]com (No such name)
• 12:38:06 UTC - [internal server]:53 - DNS query for: kqvohmvyfjbwsjrcpx[.]com (No such name)
• 12:38:06 UTC - [internal server]:53 - DNS query for: oaeyopqpwmctvstgrv[.]com (No such name)
• 12:38:07 UTC - [internal server]:53 - DNS query for: kahljvupkglp[.]com (resolved to 85.25.211[.]252)
• 12:38:09 UTC - 85.25.211[.]252:443 - HTTPS traffic to kahljvupkglp[.]com
• 12:38:26 UTC - 85.25.211[.]252:443 - HTTPS traffic to kahljvupkglp[.]com

• 12:47:57 UTC - [internal server]:53 - DNS query for: indalusia[.]com (resolved to 134.19.180[.]30)
• 12:47:58 UTC - 134.19.180[.]30:443 - HTTPS traffic to indalusia[.]com
• 12:48:15 UTC - 93.158.134[.]11:80 - yandex[.]ru - GET /
• 12:48:17 UTC - 93.158.134[.]3:80 - www.yandex[.]ru - GET /
• 12:48:50 UTC - 134.19.180[.]30:443 - HTTPS traffic to indalusia[.]com
• 12:48:54 UTC - 134.19.180[.]30:443 - HTTPS traffic to indalusia[.]com
• 12:49:00 UTC - 109.236.87[.]219:80 - stonepacific[.]in - GET /ivetta/not.exe
• 12:49:12 UTC - 109.236.87[.]219:80 - stonepacific[.]in - GET /ivetta/not.exe
• 12:49:24 UTC - 109.236.87[.]219:80 - stonepacific[.]in - GET /ivetta/not.exe
• 12:49:36 UTC - 109.236.87[.]219:80 - stonepacific[.]in - GET /ivetta/not.exe
• 12:49:48 UTC - 109.236.87[.]219:80 - stonepacific[.]in - GET /ivetta/not.exe

 

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT

File name:  2014-10-30-Angler-EK-flash-exploit.swf
File size:  87,352 bytes
MD5 hash:  23812c5a1d33c9ce61b0882f860d79d6
Detection ratio:  3 / 54
First submission:  2014-10-29 10:25:53 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4d29e6e210483817f5a203f8952f9add016bd334d96cd408021a22d8ed43fd66/analysis/

 

JAVA EXPLOIT

File name:  2014-10-30-Angler-EK-java-exploit.jar
File size:  28,769 bytes
MD5 hash:  ed39baded73b3b363d37b6715eba5e47
Detection ratio:  14 / 53
First submission:  2014-10-22 20:11:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a1741514c12840e657f5e71c269a2ea65135b50dfba6a9a0d757e702072d65d6/analysis/

 

MALWARE PAYLOAD

File name:  2014-10-30-Angler-EK-malware-payload.dll
File size:  172,944 bytes
MD5 hash:  ad666429dfe01397cb331ae4a1aa53bb
Detection ratio:  23 / 53
First submission:  2014-10-30 15:14:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3c81e1d4550d451c8140c9d4c94fd13ef1886c1aee26f914b9da541a7b3ffd25/analysis/

 

FOLLOW-UP MALWARE

• Downloaded as:  stonepacific[.]in - GET /ivetta/not.exe (MD5 hash: 4adbf26312d2396def56939fbb204a05)
• Saved to the infected VM as:  C:\ProgramData\Windows Genuine Advantage\{B5A81EAD-A1DB-4B01-99A6-E7C61DFD2289}\msiexec.exe
  (MD5 hash also: 4adbf26312d2396def56939fbb204a05)
• When run, copies itself to:  C:\Users\[username]\AppData\Roaming\Ydvon\cydoo.exe (new MD5 hash: c9f3dddb423b761e401ec6459f1e0733)

File name:  msiexec.exe
File size:  315,904 bytes
MD5 hash:  4adbf26312d2396def56939fbb204a05
Detection ratio:  3 / 53
First submission:  2014-10-30 15:17:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/15f2f44137fdd1d0f754a37ae3ad807fc47daed45f9c7effc5cab200fa4a22b8/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 2014-10-30 12:37:13 UTC - 184.168.204[.]1:80 - ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST (sid:2018442)
• 2014-10-30 12:37:19 UTC - 208.76.52[.]55:80 - ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014 (sid:2019224)
• 2014-10-30 12:37:19 UTC - 208.76.52[.]55:80 - ET CURRENT_EVENTS Angler EK Oct 22 2014 (sid:2019488)
• 2014-10-30 12:37:28 UTC - 208.76.52[.]55:80 - ET CURRENT_EVENTS Angler Encoded Shellcode IE (sid:2018954)
• 2014-10-30 12:37:37 UTC - 208.76.52[.]55:80 - ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct (sid:2019513)
• 2014-10-30 12:37:48 UTC - 208.76.52[.]55:80 - ET CURRENT_EVENTS Angler EK Java Exploit URI Struct (sid:2019514)
• 2014-10-30 12:38:07 UTC - [internal server]:53 - 1ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses (sid:2018316)
• 2014-10-30 12:49:00 UTC - 109.236.87[.]219:80 - ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe (sid:2018403)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor events):

• 2014-10-30 12:37:13 UTC - 184.168.204[.]1:80 - [1:30920:1] EXPLOIT-KIT Multiple exploit kit redirection gate
• 2014-10-30 12:37:28 UTC - 208.76.52[.]55:80 - [1:31900:1] EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected (x4)
• 2014-10-30 12:37:38 UTC - 208.76.52[.]55:80 - [1:31902:1] EXPLOIT-KIT Multiple exploit kit flash file download
• 2014-10-30 12:49:01 UTC - 109.236.87[.]219:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:01 UTC - 109.236.87[.]219:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-10-30 12:49:13 UTC - 109.236.87[.]219:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:13 UTC - 109.236.87[.]219:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-10-30 12:49:24 UTC - 109.236.87[.]219:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:24 UTC - 109.236.87[.]219:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-10-30 12:49:37 UTC - 109.236.87[.]219:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:37 UTC - 109.236.87[.]219:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 2014-10-30 12:49:48 UTC - 109.236.87[.]219:80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 2014-10-30 12:49:48 UTC - 109.236.87[.]219:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected

 

SCREENSHOTS FROM THE TRAFFIC

Malicious script in page from compromised website:

 

Flash file and 32x32 gate redirecting to Angler EK:

 

Angler EK delivers the obfuscated malware payload:

 

Deobfuscate the payload, and you'll find shellcode followed by the malicious binary in the same file:

 

Carve out the binary, and it appears the de-obfuscation worked:

 

Click here to return to the main page.