Some data on Angler Exploit Kit

Here is some data assembled from multiple pcaps.

First I would like to thank Brad @malware_traffic for all of the pcaps and write-ups posted on http://www.malware-traffic-analysis.net/.

I downloaded all (almost all; I'm sure I missed a couple) of the pcap files and extracted every readable Angler EK landing page from them.

My final count for the date range July 10, 2014 21:23:51 to June 02, 2016 12:02:25 was 149 landing pages. That count includes multiple runs against the same site and, in some cases, multiple redirects from the same site to different landing pages within one pcap. This leads me to think that some sort of automated process is used to infect the sites.

Encoding Types:

I encountered 7 top-level encoding types. The types were determined first by the string replacement function and then by the decoding function.

This is my type 7:

[image: type7]

Although there were 7 string encoding types, only 3 decoding functions were used after the string replacements. The first 2 types use decoding functions that differ from the one shared by what I am calling types 3-7.

Types 3-7 use XTEA decryption implemented with the zero-fill right shift (>>>) rather than the plain, sign-propagating right shift (>>) that the earlier version used.

[image: Xtea]
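To make the shift distinction concrete, here is an added example (not code from the original post or from any Angler sample): a small XTEA implementation in JavaScript with the right-shift variant switchable. It shows why a decoder rebuilt from a type 3-7 page has to use >>> where the page does: with >> JavaScript sign-extends bit 31, so the round term disagrees with the reference (uint32) XTEA on every word whose top bit is set, and a decoder using the wrong variant does not recover the plaintext. The key, plaintext, 32-round count and plain block-by-block mode are assumptions for the demo, not values or details taken from the post; this is also the "build a decoder in your favourite language" approach mentioned in the comments.

```javascript
// Added example, not code from the original post or from any Angler
// sample: a minimal XTEA in JavaScript, parameterised on which right
// shift the round function uses, to show what the ">>>" (zero-fill)
// versus ">>" (sign-propagating) distinction does to a decoder.
// Key, plaintext and round count are constructed test values; the
// block mode (plain block-by-block) is an assumption for the demo.
const DELTA = 0x9e3779b9;

// XTEA round term ((x << 4) ^ (x >> 5)) + x, reduced mod 2^32.
// Reference XTEA does this on uint32_t, so the shift is logical. In
// JavaScript ">>" sign-extends bit 31, so for any word with the top
// bit set the two variants disagree; only ">>>" matches the reference.
function mixWord(x, zeroFill) {
  const shifted = zeroFill ? (x >>> 5) : (x >> 5);
  return (((x << 4) ^ shifted) + x) >>> 0;
}

// Encrypt one 64-bit block (two uint32 words) under a 128-bit key
// given as four uint32 words. ">>> 0" keeps every word in uint32 range.
function xteaEncryptBlock(v0, v1, key, zeroFill = true, rounds = 32) {
  let sum = 0;
  for (let i = 0; i < rounds; i++) {
    v0 = (v0 + (mixWord(v1, zeroFill) ^ (sum + key[sum & 3]))) >>> 0;
    sum = (sum + DELTA) >>> 0;
    v1 = (v1 + (mixWord(v0, zeroFill) ^ (sum + key[(sum >>> 11) & 3]))) >>> 0;
  }
  return [v0, v1];
}

// Decrypt one block: the same key schedule run backwards.
function xteaDecryptBlock(v0, v1, key, zeroFill = true, rounds = 32) {
  let sum = (DELTA * rounds) >>> 0;
  for (let i = 0; i < rounds; i++) {
    v1 = (v1 - (mixWord(v0, zeroFill) ^ (sum + key[(sum >>> 11) & 3]))) >>> 0;
    sum = (sum - DELTA) >>> 0;
    v0 = (v0 - (mixWord(v1, zeroFill) ^ (sum + key[sum & 3]))) >>> 0;
  }
  return [v0, v1];
}

// Encrypt/decrypt an even-length array of uint32 words block by block.
function xteaEncryptWords(words, key, zeroFill = true) {
  if (words.length % 2 !== 0) throw new Error('need whole 64-bit blocks');
  const out = [];
  for (let i = 0; i < words.length; i += 2) {
    out.push(...xteaEncryptBlock(words[i], words[i + 1], key, zeroFill));
  }
  return out;
}

function xteaDecryptWords(words, key, zeroFill = true) {
  if (words.length % 2 !== 0) throw new Error('need whole 64-bit blocks');
  const out = [];
  for (let i = 0; i < words.length; i += 2) {
    out.push(...xteaDecryptBlock(words[i], words[i + 1], key, zeroFill));
  }
  return out;
}

// Constructed demo values (not from any sample). Two of the plaintext
// words have bit 31 set so the shift variants diverge immediately.
const DEMO_KEY = [0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210];
const DEMO_PLAIN = [0x4142434b, 0x8899aabb, 0x00000001, 0xdeadbeef];

// True when decrypting with decShift recovers plaintext that was
// encrypted with encShift. Mixed variants fail because the round
// terms diverge as soon as a round sees a word with bit 31 set.
function roundTrips(encShift, decShift) {
  const ct = xteaEncryptWords(DEMO_PLAIN, DEMO_KEY, encShift);
  const pt = xteaDecryptWords(ct, DEMO_KEY, decShift);
  return pt.length === DEMO_PLAIN.length && pt.every((w, i) => w === DEMO_PLAIN[i]);
}

const hex = (ws) => ws.map((w) => w.toString(16).padStart(8, '0')).join(' ');
console.log('>>> encrypt, >>> decrypt:', roundTrips(true, true));
console.log('>>  encrypt, >>  decrypt:', roundTrips(false, false));
console.log('>>> encrypt, >>  decrypt:', roundTrips(true, false));
console.log('mixWord(0x80000000) with >>>:', hex([mixWord(0x80000000, true)]),
            'with >>:', hex([mixWord(0x80000000, false)]));
```

The practical check when you lift a decode function out of a landing page is the last line: feed a word with the top bit set through the page's own mixing expression and through your reimplementation, and if they disagree you have the wrong shift (or the wrong operator precedence) and every block with a high bit will come out as garbage.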

Here we see the total count for each type across the 149 extracted landing pages.

[image: EncodingTypeCount]

Although you can easily decode all 7 types with HTML/JavaScript, I only decoded all of the type 1 and type 2 pages to the first level; I did not decode all of the type 3-7 pages, just some of them.

With so few type 3-7 samples, I wonder whether those are a third party using Angler EK for a targeted attack, or whether I just don't have enough data to show more of those types.

Those who have been following all of the posts on Angler EK have seen some of the changes that have taken place over time. Going through all of these pcaps you can see even more than what has been reported in the way code sections have been moved around and the code changed.

Changes:

As Kafeine reported in April of 2014, there was a reference to their site showing up in the Angler EK.

[image: dontneedcoffee]

If we look at the big picture on this one, we see there is not a lot in this section.

[image: Section3PNG]

We last see this reference in the packet captures on 2016-03-03. They then rearranged the scripts and sections; the page looks like this on 2016-03-07, and the reference to malware.dontneedcoffee.com is no longer found.

[image: NewSection3]

I guess they needed the real estate to move things around.

I will be calling the chunks that get decoded, with the code in them, "Sections". I number them from top to bottom, which is the order in which the page evaluates them as it runs.

The number of sections that get decoded is between 4 and 6. It was down to 4 after the Java and Silverlight exploits were removed.

There is also a section I will call the "Lower Section" that is included in every landing page, with changing encoded variable names associated with the site name.

[image: LowerSection]

This section has appeared in a few different forms. Some use the same variable name and just an index number, some use a different name plus an index number, and some, like the one above, use different names. Not all of these values get decoded before being used to build the page; some are used as is. I have also seen different numbers of variables in this section. Most of the time, once decoded, the host name is listed under two different index values. In this one you can see that index 1 and index 7 are the same string (index starts at 0).

You used to always find this section at the bottom of the decoding script for the sections, but it has moved to the top in some of the landing pages.

Section 1 code:

In the older versions, when we decode "Section 1" we see this.

[image: OldSection-1]

Then they changed to this.

[image: NewerSection1]

In the pcap from 2016-01-29 they added a new section 1, shoving the rest of the sections back by one. This is what the new section 1 looks like after that date.

[image: NewSection1]

Although the variable name in the window section changes, and the number "1" will change on occasion, other than that it stays pretty much the same.


Exploit Type:

In the first 3 pcaps all 3 types of exploits were present: Flash, Silverlight, and Java applet.

[image: Java]

Unless I'm missing something, after November 02, 2014 15:50:34 the Java exploit was no longer used.

Silverlight:

From April 01, 2015 18:44:24 through February 15, 2016 14:06:51 the Silverlight code was missing from most of the pcaps.

On July 03, 2015 11:14:44 we see it show up in section 4.

[image: SilverLight]

On 2016-02-19 we find that it was moved to a new Section 6.

[image: SilverToSect6]

Payload Section?

What I believe is the payload section comes in 2 flavors: scripts, or what I'm calling, for lack of a better name, "K33N", which itself has 2 encoding types. If someone has a better name please let me know.

The scripts were used exclusively up to July 23, 2015 13:50:21, when my K33N Type 1 showed up.

The script looks like this.

[image: Script1]

This first part, I believe, is the payload that gets decoded later.

The second part consists of 2 hex-encoded scripts: 1 JavaScript and 1 VBScript.

[image: Script2]

This is what the JavaScript looks like encoded (above) and after decoding (below).

[image: JavaAfter]

Even after decoding, the VBScript one is still rather obfuscated and hard to follow at first, so I won't show it here.

Here we see my K33N Type 1 encoding.

[image: K33NType1]

I only logged 3 of that type, and then they moved to Type 2 on August 13, 2015 08:00:06.

[image: K33N2]

Once you decode this section you see this.

[image: K33N2-Dec]

Even once you decode down to this level, there are (at least) 3 more decode functions to get through before this section is fully decoded. I believe the payload is contained in this section but have not had the time yet to verify it.

Above we see that this is variable "a" (section 3); later on it is moved to variable "b" (section 4) and the script around it changes some.

In the pcap from April 22, 2016 08:00:47 we see yet another major change in this section.

The encoded part looks similar to the older Type 2.

[image: NewK33N]

We get a surprise once it is decoded.

[image: K33NType2-B]

Although more readable code is now showing, there are still more parts that get decoded before you have the full picture, including the section shown below.

It appears that more of the code was left out of the Base64-encoded section.

[image: B64Section]

In this newer type this section is smaller, which tells me that part of this code was in the Base64 section in the older versions, possibly including the decoding key that other researchers have found using dynamic analysis and written about.

Well, that's it for now. There is still a lot of data here to go through and lots more sections to decode to get a full view of the code. Attempting to decode this is not for the easily deterred; you just keep finding layer after layer of encoded sections.

I hope someone gets something useful out of all of this.


About pcsxcetrasupport3

My part-time business: I mainly do system building and system repair. Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to better find the information I need to understand system problems, in order to get systems repaired and back to my customers quicker.
This entry was posted in Malware, Networking, security.

2 Responses to Some data on Angler Exploit Kit

  1. MR.K says:

    Nice article. I was wondering if you could do a little step-by-step tutorial on how to decode the Angler EK. I had my head busted over this one; at some point I managed to partially decode
    some parts of it by using JSDetox and Revelo. But if you could share a bit of your working procedure it would be great.
    Thanks!

    • In a way it is as easy as deobfuscating the decode functions, then dropping them and the string to decode into an HTML/JavaScript page.
      Or use your favorite programming language and build a decoder. Some do require a decoding key.
      The problem is there are so many layers, so it will require several "decoders" to fully decode this exploit kit.
