Angler Exploit Kit Deobfuscation and Analysis
Angler Exploit Kit (EK) is one of the most sophisticated exploit kits in the world, used by cybercriminals to deliver diverse malware to compromised websites and infect victims. Angler EK first appeared in late 2013, and its authors have been adding new evasion features frequently to it ever since.
Angler EK’s exploit code and malware payload are highly obfuscated in order to bypass IDS/IPS. The kit uses 302 cushioning and domain shadowing to evade detection, and it checks for anti-virus software and virtualized environments before running the exploit. Angler EK also includes a feature called “fileless infection” to infect a victim without writing malware to the drive.
Furthermore, Angler EK is still evolving. It is continually adding new IP addresses, domains, and subdomains to host exploits and malware. Angler EK may also use zero-day vulnerabilities, such as the “Hacking Team” vulnerabilities (CVE-2015-5119, CVE-2015-5122), in its exploitation activities. These features make Angler EK very difficult to detect for the majority of today’s security defenses, and they have let it reach prolific scale. According to the distribution of exploit kit activity as measured by detection telemetry over a week’s worth of data in May 2015, Angler EK has begun to dominate the exploit kit market.
Angler EK starts with a compromised legitimate website and uses it to redirect visitors to the actual landing page. An HTML iframe can be used to redirect the traffic and make detection more difficult. However, in order to evade detection by signature-based IDS/IPS, more and more redirection methods have recently been used in Angler EK. 302 cushioning, or a cushion attack, is used to redirect a victim’s browser to a compromised web site. Domain shadowing is also used in Angler EK to bypass domain URL blocklists and to make it difficult to build an IOC list.
In this blog, we will use sample pcap files to take a closer look at the Angler EK. The sample pcaps are from www.malware-traffic-analysis.net.
In this example, the compromised website uses an iframe to redirect the victim’s browser to the Angler EK’s landing page.
Angler EK Landing Page
Thousands of new Angler EK landing pages are emerging. In order to make detection more difficult and frustrate security researchers, the landing page uses many obfuscation methods. The Angler EK landing page consists of four elements:
- Plain English Text
- Paragraph element (Obfuscated JS code)
- Deobfuscation functions
- Encrypted URLs and Exploit paths
The first obfuscation element is plain English text, which may be quoted from Jane Austen's novel Sense and Sensibility.
The second obfuscation element of the Angler EK landing page is the paragraph element in the HTML, which can be deobfuscated by the deobfuscation functions in the landing page.
The third element of the landing page is the deobfuscation function, which grabs the paragraph elements, decodes them, and then decrypts them. The deobfuscation function is itself highly obfuscated in the landing page to bypass IDS/IPS signatures.
The last element is the encrypted URLs and exploit paths, which are used to download and execute the malware payload. An encrypted URL may include the name of the server hosting the exploit kit or the path used to locate Silverlight or Flash content.
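The structure described above (readable filler prose beside paragraph elements that carry an opaque blob) is something a defender can triage mechanically. The following is an added example, not code from the original post or from the Angler kit: it collects every paragraph element from a constructed sample page and flags those that look like encoded carriers rather than prose. The sample HTML, the 64-character token threshold and the 4.5-bit entropy threshold are assumptions chosen for illustration.

```python
import math
import random
import string
from html.parser import HTMLParser

# Constructed sample (not a real Angler capture): an English filler paragraph
# beside a paragraph that carries a 300-character opaque blob.
BLOB = "".join(random.Random(7).choices(string.ascii_letters + string.digits, k=300))
SAMPLE_HTML = f"""<html><body>
<p>The family of Dashwood had long been settled in Sussex, and their estate
was large enough to keep the household in comfort.</p>
<p id="p1">{BLOB}</p>
</body></html>"""

class ParagraphCollector(HTMLParser):
    """Collect the text content of every <p> element on the page."""
    def __init__(self):
        super().__init__()
        self._depth, self._buf, self.paragraphs = 0, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "p":
            self._depth += 1
            self._buf = []

    def handle_data(self, data):
        if self._depth:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "p" and self._depth:
            self._depth -= 1
            self.paragraphs.append("".join(self._buf).strip())

def shannon_entropy(text):
    """Bits per character: about 4.1 for English prose, 5.5+ for random blobs."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n)
                for c in set(text)) if n else 0.0

def suspicious_paragraphs(html, min_token=64, min_entropy=4.5):
    """Flag paragraphs that look like encoded carriers rather than prose: a
    whitespace-free token of >= min_token chars with high character entropy."""
    collector = ParagraphCollector()
    collector.feed(html)
    hits = []  # (preview, longest_token_len, entropy) per flagged paragraph
    for text in collector.paragraphs:
        longest = max((len(tok) for tok in text.split()), default=0)
        ent = shannon_entropy(text)
        if longest >= min_token and ent >= min_entropy:
            hits.append((text[:16] + "...", longest, round(ent, 2)))
    return hits
```

On the sample page only the blob paragraph is flagged; the Austen-style filler passes because English has no 64-character tokens and its character entropy stays near 4 bits.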
After deobfuscating the Angler EK landing page, we found its environment check section. The Angler EK checks for installed Kaspersky ActiveX controls as well as the IE browser.
It also checks whether the running environment is a sandbox by going through a checklist of specific file paths and files:
Decryption of URL:
Here, we can see the decryption function for the encrypted URLs in the Angler EK. It uses “LGWZsrv1LGWZsrvIc3” as the default decryption key, as shown in this figure. We can easily rewrite this JS code and decrypt the encrypted URLs.
Here, we rewrote the code and decrypted the URL:
This gives us the host name and the requested page.
Dropper and Payload:
The Angler EK then does more browser and system checking. In this code, it checks whether it is an IR, and whether it is running on x32 or x64.
The dropper is loaded into memory after IE is compromised. The shellcode is partly encrypted. The default decryption key is “Du9J08gkbfzGvmFF”, as shown in this figure.
CVE-2013-2551 (Microsoft Internet Explorer COALineDashStyleArray Integer Overflow):
To the left is the actual vulnerability used in the Angler EK; to the right is the POC code for CVE-2013-2551. After analysis, we found that this Angler EK sample is using CVE-2013-2551, the Microsoft Internet Explorer COALineDashStyleArray Integer Overflow.
Other vulnerabilities used in Angler EK are listed in the following table:
Angler EK is a very sophisticated attack and is still continually evolving. This exploit kit is almost impossible to detect for the majority of today’s security defenses. In this blog, we analyzed Angler EK behavior and its exploit landing page, and identified its encoding and obfuscation methods. As we can see, Angler EK uses numerous method variations, such as obfuscation, AV product and sandbox checks, payload encryption, and fileless injection, to defeat traditional detection methods.
Ixia ATI is introducing the Angler Exploit Kit canned test, which emulates Angler EK communication behavior. In addition, the Nuclear Exploit Kit canned test is under development and will be released soon.