Angler Exploit Kit - Recent Traffic Patterns
Angler exploit kit (EK) has changed URL patterns (again) during the past month. I infected a Windows host so we can take a closer look. Let's see what Angler has been up to. First, here are the Angler EK URL patterns noted in traffic from an infected host:
The domains and URLs change frequently, and I saw several different URL patterns while using different Windows hosts to get a full infection chain. Below is an image of the landing page URL:
Further down in the HTML, you can see some of the obfuscated code designed to set off an infection chain of events.
Next, Angler EK sends a Flash exploit:
And finally, we have the HTTP GET request Angler EK used to send the malware payload:
The malware payload is encrypted. As early as August 2014, Angler EK has been using a “file-less” infection method, so it won’t write this payload to the disk [1].
However, artifacts are left behind after the infection. Why? The infected host needs to keep the malware persistent on the system after a reboot. Below are some of the files, directories, and registry keys used to keep the malware persistent on this infected host:
The persistent malware is usually named after a legitimate system file, in this case: dhcpcsv.dll
You can find a copy of this malicious file at: https://malwr.com/analysis/ZjIxOTViNjM2N2YzNGQ1YWI1NzNlYjkzZjI0ZTEyMjQ/
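The look-alike naming described above (a persistent DLL named almost like a legitimate system file) can be triaged mechanically. The following is an added example of mine, not code from the diary: it takes autorun entries as (location, module path) pairs and flags DLL names that are near-misses of a small constructed baseline of System32 DLL names, or genuine names loaded from outside the system directories. The baseline, the directory list and the sample entries are assumptions.

```python
"""Flag persistence entries whose module name mimics a legitimate system DLL."""
import ntpath
import difflib

# Constructed baseline of legitimate Windows DLL names (assumption, not exhaustive).
SYSTEM_DLLS = {"dhcpcsvc.dll", "kernel32.dll", "ntdll.dll", "wininet.dll", "shell32.dll"}

# Directories where genuine copies of those DLLs live (assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def name_mimics_system_dll(name, baseline=SYSTEM_DLLS, cutoff=0.85):
    """Return the baseline DLL this filename equals or closely resembles, else None."""
    name = name.lower()
    if name in baseline:
        return name
    close = difflib.get_close_matches(name, sorted(baseline), n=1, cutoff=cutoff)
    return close[0] if close else None


def triage_autoruns(entries):
    """Return (location, path, reason) for entries worth an analyst's attention."""
    findings = []
    for location, path in entries:
        p = path.lower().strip('"')
        directory, fname = ntpath.split(p)  # ntpath handles backslashes on any OS
        if not fname.endswith(".dll"):
            continue
        match = name_mimics_system_dll(fname)
        if match is None:
            continue
        if fname == match and directory in SYSTEM_DIRS:
            continue  # genuine name in its usual place: nothing to report
        if fname != match:
            reason = "lookalike of %s" % match
        else:
            reason = "system DLL name outside system dir"
        findings.append((location, p, reason))
    return findings


# Constructed sample entries (assumption); the first mirrors the dhcpcsv.dll case.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", r"C:\Users\u\AppData\Roaming\dhcpcsv.dll"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll", r"C:\Windows\System32\dhcpcsvc.dll"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd", r"C:\ProgramData\shell32.dll"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\app", r"C:\Program Files\Vendor\vendor.exe"),
]

if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_AUTORUNS):
        print(finding)
```

The entries would come from an autoruns export or a registry dump of the Run and ServiceDll locations; the fuzzy cutoff is deliberately high so that only one-character deviations like dhcpcsv.dll surface.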
What about traffic from the infected host? Below is a screenshot of the Angler EK and post-infection traffic from Wireshark:
Using Security Onion to monitor the infection traffic, you’ll find alerts typical for Angler EK followed by Bedep. Microsoft has an entry in the company’s threat encyclopedia that describes Bedep, and it matches the patterns seen during today’s infection traffic [2].
I have a similar example of this Angler/Bedep traffic from 2015-04-01 available at: http://malware-traffic-analysis.net/2015/04/01/index.html
Keep monitoring your networks. Compromised websites are everywhere, and this type of traffic happens more often than you think!
---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
References:
[1] http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
[2] http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Bedep#tab=2