Angler Exploit Kit Deobfuscation and Analysis
By Wei Gao | Angler Exploit Kit (EK) is one of the most sophisticated exploit kits in the world. Cybercriminals use it to deliver a wide range of malware to the visitors of compromised websites. Angler EK first appeared in late 2013, and its authors have been adding new evasion features to it frequently ever since.
Angler EK’s exploit code and malware payload are heavily obfuscated in order to bypass IDS/IPS signatures. The kit uses 302 cushioning and domain shadowing to evade detection, and it checks for anti-virus software and for virtualized environments before running an exploit. Angler EK also includes a “fileless infection” feature [2] that infects a victim without writing the malware to disk.
Furthermore, Angler EK is still evolving. It continually adds new IP addresses, domains, and subdomains to host its exploits and malware, and it may also use zero-day vulnerabilities, such as the “Hacking Team” Flash Player vulnerabilities (CVE-2015-5119, CVE-2015-5122), in its exploitation activity. These features make Angler EK very difficult for the majority of today’s security defenses to detect, and the kit has reached a prolific scale: according to the distribution of exploit kit activity measured from a week of detection telemetry in May 2015 [1], Angler EK has begun to dominate the exploit kit market.
Angler EK starts with a compromised legitimate website and uses it to redirect visitors to the actual landing page. An HTML iframe can be used for this redirection and makes detection more difficult. To evade signature-based IDS/IPS, however, more and more redirection methods have recently appeared in Angler EK. 302 cushioning [3], or a cushion attack, uses a chain of HTTP 302 responses to bounce the victim’s browser from the compromised website to the landing page. Domain shadowing, in which the attackers create many short-lived subdomains under legitimate domains whose registrar accounts they have stolen, is also used to bypass domain and URL blocklists and to make it hard to build an IOC list.
In this blog, we use sample pcap files to take a closer look at Angler EK. The sample pcaps come from www.malware-traffic-analysis.net.
HTTP Redirection
In this example, the compromised website uses an iframe to redirect the victim’s browser to the Angler EK landing page.
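One way a defender can spot this kind of injection is to scan a fetched copy of the compromised page for iframes that point off-site and are made invisible. The script below is an added example, not code from the original post; the HTML it scans is constructed, and the hostnames in it are placeholders rather than real Angler indicators.

```javascript
// Added example (not from the original post). Flags iframes that look like
// exploit-kit redirectors: off-site target plus tiny size or CSS hiding.
// SAMPLE_HTML is constructed; its hostnames are placeholders, not real IOCs.
const SAMPLE_HTML = `
<html><body>
<p>Welcome to our site.</p>
<iframe src="https://cdn.example.org/widget.html" width="600" height="400"></iframe>
<iframe src="http://abc123.shadowed.example.net/landing.php"
        width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>`;

const PAGE_HOST = 'www.example.com'; // the compromised site (placeholder)

// Parse name="value" pairs out of one tag. Good enough for injected iframes,
// which are usually simple; use a real HTML parser for production tooling.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return the iframes that trigger at least two of the three heuristics.
// One heuristic alone (e.g. an off-site ad or widget frame) is not enough.
function findSuspiciousIframes(html, pageHost) {
  const hits = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const reasons = [];
    let host = null;
    try { host = new URL(a.src, `http://${pageHost}/`).hostname; } catch (e) { /* no usable src */ }
    if (host && host !== pageHost) reasons.push(`off-site target ${host}`);
    const w = parseInt(a.width, 10);
    const h = parseInt(a.height, 10);
    if ((w >= 0 && w <= 2) || (h >= 0 && h <= 2)) reasons.push('tiny frame');
    const style = (a.style || '').toLowerCase();
    if (/visibility\s*:\s*hidden|display\s*:\s*none|(left|top)\s*:\s*-\d{3,}/.test(style)) {
      reasons.push('hidden by CSS');
    }
    if (reasons.length >= 2) hits.push({ src: a.src, host, reasons });
  }
  return hits;
}

for (const hit of findSuspiciousIframes(SAMPLE_HTML, PAGE_HOST)) {
  console.log(`suspicious iframe -> ${hit.src} (${hit.reasons.join('; ')})`);
}
```

The two-heuristic threshold is deliberate: a legitimate third-party widget is off-site but full-size and visible, while an injected redirector is almost always off-site and hidden in at least one way. Run it against a copy of the page fetched with the same User-Agent the victim used, since compromised sites often serve the injection only to certain browsers.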
Angler EK Landing Page
Thousands of new Angler EK landing pages are emerging. To make detection more difficult and to frustrate security researchers, each landing page uses several obfuscation methods. An Angler EK landing page consists of four elements:
- Plain English Text
- Paragraph element (Obfuscated JS code)
- Deobfuscation functions
- Encrypted URLs and Exploit paths
The first obfuscation element is plain English text, which may be quoted from Jane Austen’s novel Sense and Sensibility; it pads the page so that it looks like ordinary content.
The second element is the paragraph elements in the HTML, which carry the obfuscated JavaScript as encoded text and are decoded by the deobfuscation functions in the same page.
The third element is the deobfuscation function, which grabs the paragraph elements, decodes them, and then decrypts them. This function is itself heavily obfuscated in the landing page to bypass IDS/IPS signatures.
The last element is the encrypted URLs and exploit paths, which are used to download and execute the malware payload. An encrypted URL may include the name of the server hosting the exploit kit or the path used to locate the Silverlight or Flash content.
Environment Check:
After deobfuscating the Angler EK landing page, we found its environment check section. Angler EK checks for installed Kaspersky ActiveX controls as well as for the IE browser itself.
It also checks whether the running environment is a sandbox by going through a checklist of specific file paths and file names.
Decryption of URL:
Here we can see the decryption function for the encrypted URLs. In this sample it uses “LGWZsrv1LGWZsrvIc3” as the default decryption key. Because the routine is plain JavaScript, we can lift it out of the landing page, hard-code the key, and run it ourselves to decrypt the URLs.
Rewriting the code this way and running it on the encrypted strings yields the host name and the request path of the exploit server.
Dropper and Payload:
Angler EK then does more browser and system checking. In this code, it checks whether the browser is IE and whether it is running on 32-bit or 64-bit Windows.
Once IE has been exploited, the dropper is loaded directly into memory. The shellcode is partly encrypted; the decryption key in this sample is “Du9J08gkbfzGvmFF”.
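Both keys the post reports (“LGWZsrv1LGWZsrvIc3” for the URL strings in the Decryption of URL section and “Du9J08gkbfzGvmFF” for the shellcode here) are used the same way once the routine has been lifted out of the page: hard-code the key, feed in the hex string or byte blob, and read off the result. The script below is an added example and not the post’s code. The cipher it implements, repeating-key XOR over the raw bytes, is a constructed stand-in for Angler’s actual routine, which the post shows only in a figure; the sample ciphertexts are generated inside the script, and the “shellcode” is a placeholder byte string rather than real shellcode. The partly encrypted case (a clear-text stub followed by an encrypted body) is handled with an offset.

```javascript
// Added example (not from the original post). The two keys are the ones the
// post reports; repeating-key XOR is a stand-in for Angler's own routine.
const URL_KEY = 'LGWZsrv1LGWZsrvIc3';
const SHELLCODE_KEY = 'Du9J08gkbfzGvmFF';

// XOR `buf` with `key`, starting at `offset` (bytes before it are left as-is,
// which is how a partly encrypted blob with a clear-text stub is handled).
function xorWithKey(buf, key, offset = 0) {
  const k = Buffer.from(key, 'latin1');
  const out = Buffer.from(buf); // copy, never modify the caller's bytes
  for (let i = offset; i < out.length; i++) {
    out[i] ^= k[(i - offset) % k.length];
  }
  return out;
}

// Landing-page strings: hex-encoded ciphertext in, plain string out.
function decryptString(hex, key) {
  return xorWithKey(Buffer.from(hex, 'hex'), key).toString('latin1');
}
function encryptString(s, key) {
  return xorWithKey(Buffer.from(s, 'latin1'), key).toString('hex');
}

// Pull the exploit server's host name and request path out of decrypted text.
function extractHostAndPath(text) {
  const m = /https?:\/\/([^\/\s'"]+)(\/[^\s'"]*)?/.exec(text);
  return m ? { host: m[1], path: m[2] || '/' } : null;
}

// Shellcode: the first `clearLen` bytes are the decryptor stub and stay as
// they are; everything after them is XORed with the key.
function decryptShellcode(blob, key, clearLen) {
  return xorWithKey(blob, key, clearLen);
}

// --- constructed sample data (generated here, not captured from traffic) ---
const SAMPLE_URL = 'http://landing.example.net/index.php?id=1';
const ENC_URL_HEX = encryptString(SAMPLE_URL, URL_KEY);

const STUB = Buffer.from([0xeb, 0x10, 0x90, 0x90]); // placeholder stub bytes
const BODY = Buffer.from('PAYLOAD=http://payload.example.net/get.php', 'latin1');
const ENC_SHELLCODE = Buffer.concat([STUB, xorWithKey(BODY, SHELLCODE_KEY)]);

const urlText = decryptString(ENC_URL_HEX, URL_KEY);
console.log('decrypted URL string:', urlText);
console.log('host/path:', extractHostAndPath(urlText));

const sc = decryptShellcode(ENC_SHELLCODE, SHELLCODE_KEY, STUB.length);
console.log('shellcode body:', sc.subarray(STUB.length).toString('latin1'));
```

The practical check after any such rewrite is that the output contains a recognizable structure (a URL, a PE header, readable strings); a wrong key or a wrong stub length produces bytes that look random, which is the signal to go back to the deobfuscated page and re-read how the key and the offset are derived.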
After deobfuscation, we found that Angler EK uses heavily obfuscated JavaScript to bypass IDS/IPS detection and to make security researchers spend more time on it. Angler EK also has code that checks for AV products and VM products, and the payload is encrypted and encoded while it is being sent. All of these features make detection more difficult.
CVE-2013-2551 (Microsoft Internet Explorer COALineDashStyleArray Integer Overflow):
Comparing the exploit code from this Angler EK sample side by side with the public proof-of-concept for CVE-2013-2551 shows matching structure. This sample uses CVE-2013-2551, the Microsoft Internet Explorer COALineDashStyleArray integer overflow in the VML implementation, which Microsoft patched in MS13-037.
Other vulnerabilities used by Angler EK are listed below:
- CVE-2015-2419
- CVE-2014-0322
- CVE-2014-1776
- CVE-2014-4130
- CVE-2013-2551
- CVE-2013-7331
- CVE-2015-5560
- CVE-2015-5122
- CVE-2015-5119
- CVE-2015-3113
- CVE-2015-3104
- CVE-2015-3090
- CVE-2015-0359
- CVE-2015-0336
- CVE-2015-0313
- CVE-2015-0311
- CVE-2015-0310
- CVE-2014-8440
- CVE-2014-8439
- CVE-2014-0515
- CVE-2014-0497
- CVE-2013-5329
- CVE-2015-1617
- CVE-2013-0074
- CVE-2013-3896
Summary
Angler EK is a very sophisticated attack and is still continually evolving. It is very difficult for the majority of today’s signature-based security defenses to detect. In this blog we analyzed Angler EK behavior and its landing page, and identified its encoding and obfuscation methods. As we have seen, Angler EK uses many technique variations, such as obfuscation, AV product and sandbox checks, payload encryption, and fileless infection, to defeat traditional detection methods.
Ixia ATI is introducing an Angler Exploit Kit canned test that emulates Angler EK communication behavior. A Nuclear Exploit Kit canned test is under development and will be released soon.
References:
[1] https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
[2] http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
[3] http://blog.malwaremustdie.org/2013/09/302-redirector-new-cushion-attempt-to.html