Here is some data assembled from multiple pcaps.
I downloaded all (almost all; I am sure I missed a couple) of the pcap files and extracted every readable Angler EK landing page from them.
My final count for the date range July 10, 2014 21:23:51 to June 02, 2016 12:02:25 was 149 landing pages. These include multiple runs against the same site and, in some cases, multiple redirects to different landing pages from the same site within one pcap. This leads me to think that some sort of automated process is used to infect the sites.
I encountered 7 top-level encoding types. The type was determined first by the string replacement function and then by the decoding function.
This is my type 7.
Although there were 7 string encoding types, only 3 decoding functions were used after the string replacements. The first 2 differ from what I am calling types 3-7.
Types 3-7 use XTEA decryption with the zero-fill right shift (`>>>` in JavaScript) rather than the plain, sign-propagating right shift (`>>`) used in the earlier versions.
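To show what the zero-fill versus plain right shift actually changes, here is an added JavaScript example (my own illustration, not code lifted from any Angler landing page). It is a standard XTEA block cipher with the right-shift operator passed in as a parameter; the key, plaintext and 32-round count are constructed for the demo, and the landing pages' own keys, round counts and surrounding string replacements are not reproduced.

```javascript
// Added example (not code from the Angler EK landing pages): a standard XTEA
// block cipher whose round function takes the right-shift operator as a
// parameter, to show why a decoder for these pages must use the same operator
// as the encoder.  In JavaScript every bitwise operand is a signed 32-bit
// integer, so `>>` propagates the sign bit while `>>>` fills with zeros; the
// two only disagree when the value being shifted has its top bit set.

const DELTA = 0x9E3779B9;                  // XTEA round constant
const SHIFT_ZERO_FILL = (x, n) => x >>> n; // "right shift zero fill"
const SHIFT_SIGNED    = (x, n) => x >> n;  // plain right shift

// One XTEA half-round: (((v << 4) ^ (v >> 5)) + v) ^ (sum + k), reduced to int32.
function halfRound(v, sum, k, shift) {
  return ((((v << 4) ^ shift(v, 5)) + v) ^ (sum + k)) | 0;
}

// Encrypt one 64-bit block (two 32-bit words) with a 4-word key.
function xteaEncryptBlock(v0, v1, key, rounds, shift) {
  let sum = 0;
  for (let i = 0; i < rounds; i++) {
    v0 = (v0 + halfRound(v1, sum, key[sum & 3], shift)) | 0;
    sum = (sum + DELTA) | 0;
    v1 = (v1 + halfRound(v0, sum, key[shift(sum, 11) & 3], shift)) | 0;
  }
  return [v0 >>> 0, v1 >>> 0];             // report as unsigned words
}

// Exact inverse of xteaEncryptBlock when called with the same `shift`.
function xteaDecryptBlock(v0, v1, key, rounds, shift) {
  let sum = Math.imul(DELTA, rounds);      // DELTA * rounds mod 2^32
  for (let i = 0; i < rounds; i++) {
    v1 = (v1 - halfRound(v0, sum, key[shift(sum, 11) & 3], shift)) | 0;
    sum = (sum - DELTA) | 0;
    v0 = (v0 - halfRound(v1, sum, key[sum & 3], shift)) | 0;
  }
  return [v0 >>> 0, v1 >>> 0];
}

// Decrypt `ct` with the given shift operator and report whether the result
// equals `pt`; true only when the operator matches the one the encoder used.
function decodesCorrectly(ct, pt, key, rounds, shift) {
  const out = xteaDecryptBlock(ct[0], ct[1], key, rounds, shift);
  return out[0] === pt[0] && out[1] === pt[1];
}

// Constructed sample key and block (not values taken from any landing page).
const SAMPLE_KEY = [0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210];
const SAMPLE_PT  = [0xdeadbeef, 0x00c0ffee];

if (typeof require !== 'undefined' && require.main === module) {
  const ct = xteaEncryptBlock(SAMPLE_PT[0], SAMPLE_PT[1], SAMPLE_KEY, 32, SHIFT_ZERO_FILL);
  console.log('ciphertext (>>> variant):', ct.map(w => w.toString(16)));
  console.log('decode with >>>:', decodesCorrectly(ct, SAMPLE_PT, SAMPLE_KEY, 32, SHIFT_ZERO_FILL));
  console.log('decode with >> :', decodesCorrectly(ct, SAMPLE_PT, SAMPLE_KEY, 32, SHIFT_SIGNED));
}
```

Each variant round-trips with itself, so a decoder built for the older `>>` pages does not fail loudly on a type 3-7 page; it simply emits garbage, because the two operators diverge the first time a word with its top bit set is shifted. The key-index shift (`shift(sum, 11) & 3`) is unaffected either way, since the `& 3` discards the sign-extended bits.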
Here we see the total count for each type across the 149 landing pages that were extracted.
Although you can easily decode all 7 types with HTML/JavaScript, I only decoded all of the type 1 and type 2 pages to the first level; of types 3-7 I decoded only some.
With so few of types 3-7, I wonder whether those are a third party using Angler EK for a targeted attack, or whether I simply do not have enough data to show more of those types.
Those who have been following along with all of the posts on Angler EK have seen some of the changes that have taken place over time. Going through all of these pcaps you can see even more than what has been reported in the way code sections have been moved around and changed.
As reported by Kafeine in April 2014 here, there was a reference to their site in the Angler EK.
Looking at the big picture on this one, there is not a lot in this section.
We last see this reference in the packet captures on 2016-03-03, where they rearranged the scripts and sections; by 2016-03-07 the page looks like this and the reference to malware.dontneedcoffee.com is no longer found.
I guess they needed the real estate to move things around.
I will call the parts that get decoded with code in them "Sections", numbered from top to bottom in the order the page evaluates them as it runs.
The number of sections that get decoded is between 4 and 6. It was down to 4 after the Java and Silverlight were removed.
There is also a part I will call the "Lower Section", included in every landing page, with changing encoded variable names associated with the site name.
This section appears in a few different forms. Some use the same name with just an index number, some use a different name and an index number, and those like the one above use different names. Not all of these values get decoded before being used in building the page; some are used as is. I have also seen different numbers of variables in this section. Most of the time, once decoded, the host name is listed under two different index values; in this one, index 1 and index 7 are the same string (the index starts at 0).
This section used to always be at the bottom of the decoding script for the sections, but it has moved to the top in some of the landing pages.
Section 1 code:
In the older versions, when we decode "Section 1" we see this.
Then they changed to this.
In the pcap from 2016-01-29 they added a new section 1, pushing the rest of the sections back. This is what the new section 1 looks like after that date.
Although the variable name in the window section changes, and the number "1" changes on occasion, otherwise it stays pretty much the same.
In the first 3 pcaps all 3 types of exploits were present: Flash, Silverlight, and Java applet.
Unless I'm missing something, after November 02, 2014 15:50:34 Java was no longer used.
From April 01, 2015 18:44:24 through February 15, 2016 14:06:51 the Silverlight code was missing from most of the pcaps.
On July 03, 2015 11:14:44 we see it show up in section 4.
On 2016-02-19 we find that it was moved to a new Section 6.
Payload Section?
What I believe is the payload section comes in 2 flavors: scripts, or what I am calling, for lack of a better name, K33N, which has 2 encoding types. If someone has a better name please let me know.
The scripts were used exclusively up to July 23, 2015 13:50:21, when my K33N type 1 showed up.
The script looks like this.
This first part, I believe, is the payload that gets decoded later.
The second part consists of 2 hex-encoded scripts: 1 JavaScript and 1 VBScript.
This is what the JavaScript looks like encoded (above) and after decoding (below).
Even after decoding, the VBScript is still rather obfuscated and hard to follow at first, so I won't show it here.
Here we see my K33N type 1 encoding.
I only logged 3 of that type, and then they moved to type 2 on August 13, 2015 08:00:06.
Once you decode this section you see this.
Even once you decode down to this level there are (at least) 3 more decode functions to get through before this section is fully decoded. I believe the payload is contained in this section but have not had time to verify it.
Above we see that this is variable "a" (section 3); later it is moved to variable "b" (section 4) and the script around it changes somewhat.
In the pcap from April 22, 2016 08:00:47 we see yet another major change in this section.
The encoded part looks similar to the older type 2.
We get a surprise once it is decoded.
Although more readable code is showing, there are still more parts that get decoded to get the full picture, including the section shown below.
It appears that more of the code was left out of the Base64-encoded section.
In this newer type this section is smaller, which tells me that part of this code was in the Base64 section in the older versions, and possibly even the decoding key that other researchers have found using dynamic analysis and posted about.
Well, that's it for now; there is still a lot of data here to go through and lots more sections to decode to get a full view of the code. Attempting to decode this is not for the easily deterred; you just keep finding layer after layer of encoded sections.
I hope someone gets something useful out of all of this.