In this Traffic we get the chance to look at 2 infections from the same site, but I will concentrate mainly on the exploit kits themselves and the similarities between them noticed while looking at the decoded source code.
You can find the pcap for this here.
I may still be fairly new at network traffic analysis but I’m not that new to viewing various types and “Styles” of code.
Although I have been looking at Angler EK for over a year now this is my first look at the Nuclear EK.
We first look at the exploited or compromised website to view the code that will eventually redirect us to the exploit kit of choice for this compromise. For some reason they chose to infect this site twice with 2 different exploit kits. Perhaps the infections are automated and not checked for any previous infections, or perhaps it was a race to see whose kit infected first.
Here is a view of the code from the compromised page.
As we can see here they chose not to obfuscate the redirect for the Nuclear EK but did for the Angler EK.
If we look at the final landing page for both we can see a similar encoding style.
Both of these use a modified Base64 decoding scheme, but the Angler EK also requires an embedded decryption key to decode the sections used.
The current Angler EK with the Flash and Silverlight exploits has 6 sections that get decoded, along with another section that the parameters get decoded from using a different encoding scheme. The Nuclear EK in this one only has 2 large sections that get decoded.
Here we also see that the Nuclear EK is employing reversed strings to obfuscate what it is doing and to help hide from string searches.
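To make the two tricks described above concrete, here is an added analyst-side decoder (example code, not taken from either kit or from this post). It assumes a constructed 64-character alphabet standing in for whatever alphabet a given landing page uses, and a constructed JavaScript fragment that uses the `.split('').reverse().join('')` reversed-string idiom; the Angler key step is not modelled because the post does not describe how the key is applied.

```python
import base64
import re
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed stand-in for a kit's custom alphabet (real kits rotate these
# between campaigns). Here it is simply the standard alphabet reversed; any
# 64-character permutation works with the same decoder.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]

# Matches the JavaScript idiom 'gnirts'.split('').reverse().join('')
REVERSED_LITERAL = re.compile(
    r"""(['"])(.*?)\1\.split\((['"])\3\)\.reverse\(\)\.join\((['"])\4\)"""
)


def decode_modified_base64(blob: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the kit's alphabet back onto the standard one, restore any stripped
    padding, then use the ordinary base64 decoder."""
    if len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    standard = blob.translate(str.maketrans(alphabet, STD_ALPHABET))
    standard += "=" * (-len(standard) % 4)
    return base64.b64decode(standard, validate=True)


def encode_modified_base64(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of decode_modified_base64; used only to build the sample below."""
    standard = base64.b64encode(raw).decode("ascii").rstrip("=")
    return standard.translate(str.maketrans(STD_ALPHABET, alphabet))


def unreverse_strings(script: str) -> str:
    """Replace every reversed-literal idiom with the plain literal, so that
    string searches and signatures see the names the script really uses."""
    return REVERSED_LITERAL.sub(lambda m: m.group(1) + m.group(2)[::-1] + m.group(1), script)


# Constructed landing-page fragment: one reversed string plus one
# modified-base64 blob that carries an inner script.
INNER_SCRIPT = b"var o = document.createElement('object');"
SAMPLE_SECTION = (
    "var s = 'tnemucod'.split('').reverse().join('');\n"
    'var blob = "' + encode_modified_base64(INNER_SCRIPT) + '";\n'
)


def decode_section(section: str) -> tuple[str, bytes]:
    """Undo the reversed strings, pull out the blob and decode it."""
    cleaned = unreverse_strings(section)
    blob = re.search(r'var blob = "([^"]+)"', cleaned).group(1)
    return cleaned, decode_modified_base64(blob)
```

Swapping in the alphabet recovered from a real landing page's decoder routine is all that is needed to reuse `decode_modified_base64` on that page's sections.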
If we look at this post from FireEye entitled “ANGLER EXPLOIT KIT USING K33NTEAM’S OCTOBER INTERNET EXPLORER USE AFTER FREE”, we can see some similarities to what is used here.
The layout for the Angler EK is more similar to the screenshots in the blog article, but both are serving up a Flash exploit. Also notice the object Id has moved to the left side in this version of the Angler EK.
Looking at the embedded exploit for Angler we see it is again very similar to the above mentioned blog article, but it is showing more code to decode this section.
In the Nuclear EK version we see a little different decoding scheme.
This version can “currently” be decoded with a standard base64 decoder.
Once we get these decoded we start seeing the similarities again, but they are not exact. In these 2 screenshots we see, based on reading other articles, what may be the final encrypted payload.
As we have seen so far these are highly obfuscated and highly complicated exploit kits.
Their modular nature allows for semi-quick changes in the payload, and the kit builder most likely has the ability to randomize the naming of the variables to make it more difficult for a researcher to follow along from one infection to the next.
In conclusion, these kits are very complicated and not easily decoded, and I am far from discovering all of the secrets they have to offer. Every time you think you have figured it out you find yet another layer of encryption/obfuscation. This is more than enough to put off all but the most dedicated of researchers. Also, in order to stay ahead of detections they often change various aspects of the encoding scheme to throw off any signatures that may be generated for them and to break tools designed to decode them. This post is a little shorter than normal.
Thanks for reading if you made it this far.