Angler EK—Ixia ATI is Stalking It.
It’s a little over six months since one of Ixia’s senior security researchers published a blog on Angler, including the ways to de-obfuscate it. From its onset in 2013, Angler has unfortunately grown in strength and has become a most-coveted tool for attackers. As Wei had mentioned in his earlier blog, even at its onset it had used several techniques like HTTP Redirection, 302 cushioning, Domain Shadowing, etc. It has also managed to evolve to help evade the common security tools. According to some estimates, Angler EK has compromised more than 90,000 websites. Its ability to compromise popular websites differentiates it from its competitors.
What’s Angler Up To?
Enviable Exploit Cache: Angler as an exploit kit (EK) is extremely agile and has a rich, continuously growing database of exploits. Its agility has been observed when it was quickest to exploit a recently patched Silverlight vulnerability, CVE-2016-0034. Similarly, since most of its landing pages include flash and ActiveX components, they are consistently exploiting flash (CVE-2015-8446 or the more recent CVE-2016-1019) and ActiveX (CVE-2015-8561) vulnerabilities, keeping its contents updated and relevant.
Unique methodologies and Extreme Obfuscation: Angler uses a combination of different methodologies like the Domain Name generating algorithm to consistently generate new domains, use of hacked DNS to perform domain shadowing, HTTP redirection injected within compromised website by using iFrame-Inline HTML Frame to redirect traffic from compromised website. Angler has multiple layers of obfuscation in its landing pages, like encoding of its main scripts within HTML, using all possible anti-sandbox methods, dynamic code generation, multi-layer encryption. Some of the techniques and the decoding key has been covered in the previously mentioned blog.
Ransomware Drops: Like the rest of the cyber underworld, Angler has predictably jumped into the ransomware bandwagon. Increasingly, Angler has been adding newer ransomware in its malware cache. We had observed the spurt with the Teslacrypt ransomware trojan becoming the dominant malware in Angler, and our suspicion was confirmed with Angler EK now sending updated version of CryptXXX and Locky. Apart from ransomware, they also have a knack of providing sophisticated malvertising loaders like Bedep.
What Are ATI Researchers Doing?
To keep up with Angler, Ixia’s ATI researchers have been closely following (“stalking” may be a better word) Angler spawns and updating the ATI strike packs on a regular basis. This ensures Ixia’s BreakingPoint customers who leverage the ATI have sufficient validation of their device or network in their capability to block Angler.
Following the Exploits: ATI has incrementally added and will continue to add most of the popular exploits that angler has been using. The Strike Center will provide you the exploits that Angler was using during its onset in 2013 to the most recent in 2016. For example, the recent Microsoft Silverlight vulnerability-CVE-2016-0034 that Angler was quick to exploit has also been added in our latest strike pack that can be downloaded here. ATI has also added a variety of application exploits like Flash, Internet Explorer, and ActiveX that are regularly exploited by Angler. All such exploits can also be coupled with BreakingPoint’s highly sophisticated evasion techniques.
The BreakingPoint strikes showing the set of Angler exploits
Emulating the Methodology: ATI researchers have added a complete methodology inside BreakingPoint that simulates one of the infected machines being redirected to an Angler landing page, that follows a malicious Flash request and download followed by a ransomware request and download. Post infection, it will also simulate ransomware phoning the host server, and requesting and downloading bitcoin a payment page. In BreakingPoint, users can search “Angler” under Test -> Open Test to find the canned test case.
A replicated Angler methodology executed through BreakingPoint.
The canned test case can be edited and the highly customizable Super Flow of Angler EK can be modified to replicate hundreds of different methodologies and obfuscation techniques that Angler may try. With BreakingPoint packet capture, more in-depth security research can be done using detailed flow analysis.
Wireshark capture of a test run of BreakingPoint’s canned Angler flow
Keeping up with the Malware: As with Angler, Ixia has also stepped-up its malware game. Every month Ixia releases a new set of high-profile malware, with some having accompanied botnet traffic. Ixia’s ATI team is also showering special attention on the Angler malware and Ransomware. In the past, the Strike Center included popular malware dropped by Angler like Teslacrypt, Petya, Samsam, and Cryptolocker. In its latest malware release, ATI has added CryptXXX and Bedep that were used by Angler most recently. These and other such malware are also being used by similar exploit kits.
A BreakingPoint strike with a collection of ransomware
Keeping it Real: BreakingPoint provides the capability to generate a mix of enterprise applications at scale. Its Network Neighborhood can create complex network environments at a click of a button. Generating Angler attack scenarios in such realistic environments—with a heavy load of background traffic running in parallel—puts the security mechanisms of the network or devices into the most realistic Angler defense test possible.
Few Last Words.
The world of cyber-security is challenging because what’s new and important today will be outdated and irrelevant tomorrow. Angler as an exploit kit has realized this and has evolved more than its peers. To counter it consistently, security solutions need to move faster. Ixia’s ATI team, along with countless peers, fellow security researchers, and colleagues, will continue to stalk Angler. Together, we would continue to fight and counter such cyber-threats to make the connected world safer.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.