Wei Gao, Blog Author
Senior Security Research Engineer

Angler Exploit Kit Deobfuscation and Analysis

October 7, 2015 by Wei Gao

Angler Exploit Kit (EK) is one of the most sophisticated exploit kits in the world, used by cybercriminals to deliver diverse malware through compromised websites and infect their visitors. Angler EK first appeared in late 2013, and its authors have been adding new evasion features to it frequently ever since.

Angler EK’s exploit code and malware payload are highly obfuscated in order to bypass IDS/IPS. The kit uses 302 cushioning and domain shadowing to evade detection, and it checks for anti-virus software and virtualized environments before running the exploit. Angler EK also includes a feature called “fileless infection” [2], which infects a victim without writing the malware to disk.

Furthermore, Angler EK is still evolving. It continually adds new IP addresses, domains, and subdomains to host exploits and malware, and it may use zero-day vulnerabilities, such as the “Hacking Team” vulnerabilities (CVE-2015-5119, CVE-2015-5122), in its exploitation activity. These features make Angler EK very difficult to detect for the majority of today’s security defenses, and they have let it reach prolific scale. According to the distribution of exploit kit activity measured by detection telemetry over a week’s worth of data in May 2015 [1], Angler EK has begun to dominate the exploit kit market.

attacks_1.png

Angler EK starts with a compromised legitimate website and uses it to redirect visitors to the actual landing page. An HTML iframe can be used to redirect the traffic and make detection more difficult. However, to evade signature-based IDS/IPS, more and more redirection methods have recently appeared in Angler EK. 302 cushioning [3], or a cushion attack, uses HTTP 302 responses to redirect the victim’s browser to a compromised web site. Domain shadowing is also used in Angler EK to bypass domain URL blocklists and to make it difficult to build an IOC list.

In this blog, we will use sample pcap files to take a closer look at Angler EK. The sample pcaps are from www.malware-traffic-analysis.net.

HTTP Redirection

In this example, the compromised website uses an iframe to redirect the victim’s browser to the Angler EK landing page.

attacks_2.png
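The two redirection techniques described above (a hidden iframe on the compromised site, then a 302 cushion hop to the landing page) can be reconstructed from the HTTP transactions in a capture. The following is an added example, not code from the original post; the transactions and host names are constructed stand-ins, and the iframe size and style heuristics are the author's assumptions.

```python
import re
from urllib.parse import urljoin

# Constructed HTTP transactions in the shape one pulls from a pcap
# (hypothetical hosts, not the ones in the post's capture).
TRANSACTIONS = [
    {"url": "http://compromised-site.example/index.html", "status": 200, "headers": {},
     "body": '<html><body><p>news</p><iframe src="http://cushion.example/go?id=1"'
             ' width="1" height="1" style="visibility:hidden"></iframe></body></html>'},
    {"url": "http://cushion.example/go?id=1", "status": 302,
     "headers": {"Location": "http://a1b2.shadow-sub.example/landing.php"}, "body": ""},
    {"url": "http://a1b2.shadow-sub.example/landing.php", "status": 200, "headers": {},
     "body": "<html><body><p>Elinor saw ...</p><script>var p=document"
             ".getElementsByTagName('p');</script></body></html>"},
]

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')

def iframes(html, base_url):
    """Return (absolute src, hidden?) for every iframe in a response body.
    'hidden' is an assumed heuristic: 0/1 pixel size or a hidden style."""
    out = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if "src" not in attrs:
            continue
        tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
        hidden = tiny or "hidden" in attrs.get("style", "").lower()
        out.append((urljoin(base_url, attrs["src"]), hidden))
    return out

def redirect_chain(transactions, start_url, max_hops=10):
    """Follow 3xx Location headers (302 cushioning) and iframes from start_url,
    recording how each hop was reached. Stops at the first page with no onward hop."""
    by_url = {t["url"]: t for t in transactions}
    chain, url, how = [], start_url, "start"
    while url in by_url and len(chain) < max_hops:
        t = by_url[url]
        chain.append({"url": url, "status": t["status"], "reached_by": how})
        loc = t["headers"].get("Location")
        if 300 <= t["status"] < 400 and loc:
            url, how = urljoin(url, loc), "302 cushion"
            continue
        frames = iframes(t["body"], url)
        if not frames:
            break
        url, how = frames[0][0], ("hidden iframe" if frames[0][1] else "iframe")
    return chain

if __name__ == "__main__":
    for hop in redirect_chain(TRANSACTIONS, "http://compromised-site.example/index.html"):
        print(hop["status"], hop["reached_by"].ljust(14), hop["url"])
```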

Angler EK Landing Page

Thousands of new Angler EK landing pages are emerging. In order to make detection more difficult and frustrate security researchers, the landing page uses many obfuscation methods. The Angler EK landing page consists of four elements:

  • Plain English Text
  • Paragraph element (Obfuscated JS code)
  • Deobfuscation functions
  • Encrypted URLs and Exploit paths

The first obfuscation element is plain English text, which may be quoted from Jane Austen's novel Sense and Sensibility.

attacks_3.png

The second obfuscation element of the Angler EK landing page is the paragraph elements in the HTML, which are deobfuscated by the deobfuscation functions in the landing page.

attacks_4.png

The third element of the landing page is the deobfuscation function, which grabs the paragraph elements, decodes them, and then decrypts them. The deobfuscation function is itself highly obfuscated in the landing page to bypass IDS/IPS signatures.

attacks_5.png

The last element is the encrypted URLs and exploit paths, which are used to download and execute the malware payload. An encrypted URL may include the name of the server hosting the exploit kit or the path used to locate the Silverlight or Flash content.

attacks_6.png

Environment Check:

After deobfuscating the Angler EK landing page, we found its environment check section. Angler EK checks for installed Kaspersky ActiveX controls as well as the IE browser.

attacks_7.png

It also checks whether it is running in a sandbox by going through a checklist of specific file paths and files:

attacks_8.png

Decryption of URL:

Here, we can see the decryption function for the encrypted URLs in Angler EK. It uses “LGWZsrv1LGWZsrvIc3” as the default decryption key, as shown in this figure. We can easily rewrite this JS code and decrypt the encrypted URLs.

attacks_9.png

Here, we rewrote this code and decrypted the URL:

attacks_10.png

attacks_11.png

This gives us the host name and the requested page.

Dropper and Payload:

Angler EK does more browser and system checking. In this code, it checks whether the browser is IE and whether it is running on a 32-bit or 64-bit system.

attacks_12.png

The dropper is loaded into memory after IE is compromised. The shellcode is partly encrypted; the default decryption key is “Du9J08gkbfzGvmFF”, as shown in this figure.

attacks_13.png

After deobfuscation, we found that Angler EK uses highly obfuscated JavaScript code to bypass IDS/IPS detection and to make security researchers spend more time on it. Angler EK also has code to check for AV and VM products. Furthermore, the payload is encrypted and encoded while it is being sent. All of these features make detection more difficult.

CVE-2013-2551 (Microsoft Internet Explorer COALineDashStyleArray Integer Overflow):

attacks_14a.png

attacks_14b.png

To the left is the actual vulnerability used in Angler EK; to the right is the POC code for CVE-2013-2551. After analysis, we found that this Angler EK sample is using CVE-2013-2551, the Microsoft Internet Explorer COALineDashStyleArray integer overflow.

Other vulnerabilities used in Angler EK are listed in the following table:

Product      CVEs
IE           CVE-2015-2419, CVE-2014-0322, CVE-2014-1776, CVE-2014-4130,
             CVE-2013-2551, CVE-2013-7331
Flash        CVE-2015-5560, CVE-2015-5122, CVE-2015-5119, CVE-2015-3113,
             CVE-2015-3104, CVE-2015-3090, CVE-2015-2419, CVE-2015-0359,
             CVE-2015-0336, CVE-2015-0313, CVE-2015-0311, CVE-2015-0310,
             CVE-2014-8440, CVE-2014-8439, CVE-2014-0515, CVE-2014-0497,
             CVE-2013-5329
Silverlight  CVE-2015-1617, CVE-2013-0074, CVE-2013-3896

Summary

Angler EK is a very sophisticated attack and is still continually evolving. This exploit kit is almost impossible to detect for the majority of today’s security defenses. In this blog, we analyzed Angler EK behavior and its exploit landing page, and identified its encoding and obfuscation methods. As we have seen, Angler EK uses numerous method variations, such as obfuscation, AV product and sandbox checks, payload encryption, and fileless injection, to defeat traditional detection methods.

Ixia ATI is introducing the Angler Exploit Kit canned test, which emulates Angler EK communication behavior. In addition, the Nuclear Exploit Kit canned test is under development and will be released soon.

Additional Resources:

Ixia ATI subscription


References:

[1] https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/

[2] http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

[3] http://blog.malwaremustdie.org/2013/09/302-redirector-new-cushion-attempt-to.html