Over the past few years exploit kits have been widely adopted by criminals looking to infect users with malware. They are used in a process known as a drive-by download, which invisibly directs a user’s browser to a malicious website that hosts an exploit kit.
The exploit kit then proceeds to exploit security holes, known as vulnerabilities, in order to infect the user with malware. The entire process can occur completely invisibly, requiring no user action.
In this research article we will take a closer look at one of the more notorious exploit kits used to facilitate drive-by downloads – a kit known as Angler exploit kit (Angler hereafter).
The monthly volume of Angler-related detections since mid-2014 shows an increase in activity in late 2014, followed by a slight lull, and then further activity from March 2015 onwards:
Since the demise of the Blackhole exploit kit in October 2013, when its alleged operators were arrested, other exploit kits have certainly flourished and shared the marketplace, but Angler has begun to dominate. To show Angler’s prevalence against other exploit kits, we analyzed a snapshot of activity for three different periods (September 2014, January 2015 and May 2015):
2 Traffic Control
2.1 HTTP POST redirection
The data sent in the form submission includes three values (encoded), presumably to assist the criminals managing this redirection mechanism:
A few months later we saw a similar technique being used, but this time with a Flash component. The compromised web pages were modified to include HTML that loaded a malicious Flash file from yet another compromised site.
ActionScript within the Flash file would then retrieve the various parameters and issue the HTTP POST request.
2.2 Domain generation algorithm
The downside of this type of redirect is that once the algorithm is known, the security community can predict the target hostname on any particular date, and can blocklist it, effectively shutting down the attack.
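The defender workflow described above, as an added example that is not part of the original article: once a date-seeded algorithm is known, the hostnames for the coming days can be pre-computed and pushed to a blocklist, and hostnames seen in proxy or DNS logs can be checked against the predictions. The algorithm here is hypothetical (a SHA-256 of the date and a constructed seed) and is not Angler's; only the prediction and matching workflow is the point.

```python
"""Predict and blocklist date-seeded DGA hostnames (added example; hypothetical algorithm, not Angler's)."""
import hashlib
from datetime import date, timedelta

# HYPOTHETICAL algorithm: stands in for whatever per-date scheme a kit uses.
# Real kits differ; what matters is the defender workflow once the scheme is known.
TLDS = ("com", "net", "info")
SEED = b"example-seed"  # constructed value


def dga_hostname(day: date, seed: bytes = SEED) -> str:
    """Derive the single hostname the (hypothetical) redirect would use on `day`."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    # map the first 12 digest bytes onto a-z; the 13th byte picks the TLD
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return f"{label}.{TLDS[digest[12] % len(TLDS)]}"


def predict_blocklist(start: date, days_ahead: int, seed: bytes = SEED) -> dict:
    """Hostname for each date from `start` through `start + days_ahead` (inclusive)."""
    return {start + timedelta(days=i): dga_hostname(start + timedelta(days=i), seed)
            for i in range(days_ahead + 1)}


def matches_dga(hostname: str, observed_on: date, slack_days: int = 1, seed: bytes = SEED) -> bool:
    """Check a hostname from proxy/DNS logs against the hostnames predicted around that date.
    `slack_days` tolerates clock skew between the victim's machine and the kit operator."""
    candidates = {
        dga_hostname(observed_on + timedelta(days=d), seed)
        for d in range(-slack_days, slack_days + 1)
    }
    return hostname.lower().rstrip(".") in candidates


if __name__ == "__main__":
    first = date(2015, 5, 1)  # constructed date
    for day, host in predict_blocklist(first, 6).items():
        print(day, host)
```

The pre-computed list is what a reputation feed would carry; `matches_dga` is the retrospective check run over historic logs to find victims that were redirected before the blocklist was in place.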
2.3 HTTP redirects
The final example included in this section illustrates the use of web redirects using the HTTP response code 302, commonly used on legitimate sites to redirect visitors elsewhere. This involves simple content injection, but with an additional link in the redirect chain. In late April 2015, we noticed that users browsing the eHow web site were being redirected to Angler. Analysis of the traffic revealed the redirection steps illustrated in Figure 8.
Within days of observing this, we received further reports of identical redirection (cdn3.optimizelys.com again) being used from other sites – this time the final target being the Nuclear exploit kit.
3 Exploit Kit
3.1 Landing page
A variety of obfuscation techniques have been used in the Angler landing pages since the first appearance of the kit. Aside from making analysis more cumbersome, these techniques make it easier for the criminals to dynamically build different content on each request, in an attempt to evade detection by security products. For the past year or so, Angler has been encoding its main script functionality as data strings stored in the parent HTML. This content is then retrieved and decoded when the landing page is loaded by the browser. This is a common and well-established anti-emulation technique used by many malicious threats.
Decoding the outer obfuscation layer reveals the next trick used by Angler – anti-sandbox checks. It uses the XMLDOM functionality in Internet Explorer to determine information about files present on the local system. It does this in order to detect the presence of various security tools and virtualization products:
The other script content will be specific to the particular vulnerabilities targeted in any version of the landing page. In all cases however, the other scripts will contain code to:
The size and content of this array will vary according to the vulnerabilities targeted in that version of the kit. Examples of the data stored in the array include:
This data is retrieved and decoded as necessary. Here, you can see the relevant payload string being built into the dynamically generated shellcode:
The code to load the malicious Flash component is straightforward. Assuming the anti-sandbox checks are passed, three simply named (get*) functions are used to retrieve and decode strings from the landing page. These are then used to build the HTML object element, which is added to the document:
3.2 Flash content
Angler’s Flash content has varied considerably over the past year. The samples are typically obfuscated using various techniques, including:
An added complication is Angler using embedded Flash objects. The initial Flash loaded from the landing page is fairly innocuous, serving only as a loader to deliver the exploit via an inner Flash. The inner Flash may be carried as a binaryData object or encoded as a string within the ActionScript. In either case, the data will be encrypted using RC4. An example from January 2015 looks like this:
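An analyst unwrapping such a loader needs two things: an RC4 routine and a way to confirm the result really is a Flash file. The following is an added example, not code from the article or from Angler; the sample inner SWF and the key are constructed here. What is not constructed is the SWF header format: a real SWF begins with `FWS`, `CWS` (zlib) or `ZWS` (LZMA), followed by a version byte and a little-endian uncompressed length, which is a convenient oracle for telling a correctly decrypted blob (or the right key among several candidates pulled from the ActionScript) from garbage.

```python
"""Unwrap an RC4-encrypted inner SWF carried by a loader Flash (added analysis example)."""
import struct
import zlib

SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib-compressed", b"ZWS": "lzma-compressed"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def swf_info(blob: bytes):
    """Return (compression, version, declared_length) if blob carries a SWF header, else None."""
    if len(blob) < 8 or blob[:3] not in SWF_MAGICS:
        return None
    version = blob[3]
    length = struct.unpack("<I", blob[4:8])[0]
    return SWF_MAGICS[blob[:3]], version, length


def unwrap_inner_swf(encrypted: bytes, key: bytes):
    """Decrypt and validate; returns (decrypted, info) or raises if the result is not a SWF."""
    plain = rc4(key, encrypted)
    info = swf_info(plain)
    if info is None:
        raise ValueError("decrypted data has no SWF header: wrong key, or not a SWF at all")
    return plain, info


def find_rc4_key_by_header(encrypted: bytes, candidates):
    """Try candidate keys (e.g. strings recovered from the loader's ActionScript) until a SWF header appears.
    RC4 is a stream cipher, so decrypting only the first 8 bytes is enough to test each key."""
    for key in candidates:
        if swf_info(rc4(key, encrypted[:8])) is not None:
            return key
    return None


def _build_sample():
    """CONSTRUCTED: a minimal 'CWS' SWF (zlib body) wrapped in RC4 with a made-up key."""
    body = zlib.compress(b"\x00" * 32)                      # stands in for the real tag stream
    header = b"CWS" + bytes([11]) + struct.pack("<I", 8 + 32)  # version 11, declared uncompressed length
    inner = header + body
    key = b"k3y-from-loader"                                 # constructed key
    return rc4(key, inner), key, inner


if __name__ == "__main__":
    enc, key, _ = _build_sample()
    print(find_rc4_key_by_header(enc, [b"wrong", key]), unwrap_inner_swf(enc, key)[1])
```

Once the inner SWF is recovered, the declared length and the compression flag also tell you whether to inflate the body before handing it to a decompiler.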
Data is passed from the landing page to Flash via the use of a FlashVars parameter in the landing page HTML – a common technique in recent exploit kits.
This is easily accessible from ActionScript via the parameters property of the loaderInfo object. This mechanism has been well used in many exploit kits in order to:
This flexibility enables dynamic customization of shellcode without having to recompile the Flash itself.
Figure 15 shows snippets of the ActionScript used in recent Angler Flash objects to retrieve the encoded data from the landing page (“exec” variable). Additionally, you can see the use of control flow obfuscation in some of the functions involved, complicating analysis:
In early 2015, there was a series of zero-day vulnerabilities (including CVE-2015-0310, CVE-2015-0311, CVE-2015-0313, CVE-2015-0315, CVE-2015-0336, CVE-2015-0359) in Adobe Flash Player, which were quickly targeted by Angler. The targeting of these vulnerabilities by Angler (and other exploit kits) has been well described elsewhere.
This flurry of Flash activity supports the trend away from Java exploitation over the past 18 months, a change that was kickstarted when Oracle blocked the use of unsigned browser applets by default in Java 7 update 51.
3.3 Shellcode analysis
As noted above, the shellcode is dynamically generated within the script when the landing page is loaded by the browser. The exact contents of the shellcode will vary according to the vulnerability being targeted, but in all cases the encoding and structure is similar. The analysis below describes the shellcode that is used in exploiting CVE-2014-6332.
Sure enough, analysis of the additional Unicode data provided from the VBScript (buildshell1 in Figure 16) confirms it is executable code, and actually contains a small decryption loop to decode the bytes contained in the rest of the shellcode, which includes the payload URL and decryption key. This decryption loop reverses the encData() function referenced in Figure 12, where the payload URL and payload key were encrypted.
After this loop completes, the main shellcode body is decoded and can be analyzed.
After determining the base address for kernel32, the shellcode parses the export address table to find the functions it requires (identified by hash). It then uses the LoadLibraryA API to load winhttp.dll, and parses those exports to find the functions it needs:
If the exploit works, then the payload is downloaded and decrypted by the shellcode, using the above key. Angler uses different keys according to the exploitation path (Internet Explorer, Flash, Silverlight – at least two keys for each are currently known).
After decrypting the payload, the shellcode checks the start to identify whether the payload is yet more shellcode (which begins with do-nothing NOP instructions) or a Windows program (which begins with the identifying text string “MZ”):
If the decrypted payload is a program, it will be saved and run. If it is a further stage of shellcode, the final executable payload is embedded within the body of the shellcode (sometimes in both 32-bit and 64-bit versions).
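The same two checks the shellcode performs are useful in the other direction, when an analyst has a decrypted payload from a capture and wants to know what it is and to carve out the embedded executables. The following is an added example, not code from the article or from Angler: it classifies a blob by its leading bytes (NOP sled versus `MZ`), and then scans a second-stage blob for every structurally valid PE image, using the real PE layout (`e_lfanew` at offset 0x3C, the `PE\0\0` signature, and the `Machine` field that distinguishes 32-bit from 64-bit) so that a stray `MZ` in filler is not mistaken for an executable. The sample stage-2 blob and its stub PE images are constructed here.

```python
"""Classify a decrypted Angler-style payload and locate embedded PE images (added example)."""
import struct

IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64"}  # Machine field values from the PE specification


def classify_payload(data: bytes, min_nops: int = 4) -> str:
    """'pe' if it begins with an MZ header, 'shellcode' if it begins with a NOP sled, else 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"
    if len(data) >= min_nops and data[:min_nops] == b"\x90" * min_nops:
        return "shellcode"
    return "unknown"


def pe_at(data: bytes, off: int):
    """Validate a PE image at `off`: MZ, e_lfanew inside the buffer, 'PE\\0\\0', known Machine.
    Returns (arch, pe_header_offset) or None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 6 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, pe + 4)[0]
    arch = IMAGE_FILE_MACHINE.get(machine)
    return (arch, pe) if arch else None


def find_embedded_pes(stage2: bytes):
    """Scan a second-stage blob for every structurally valid PE, e.g. the 32- and 64-bit copies."""
    found = []
    start = 0
    while True:
        off = stage2.find(b"MZ", start)
        if off < 0:
            return found
        hit = pe_at(stage2, off)
        if hit:
            found.append({"offset": off, "arch": hit[0]})
        start = off + 1


def _fake_pe(machine: int) -> bytes:
    """CONSTRUCTED: DOS header + PE signature + Machine only, enough to exercise the checks."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    return dos + b"\x00" * (0x80 - len(dos)) + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18


def _fake_stage2() -> bytes:
    """CONSTRUCTED: NOP sled, filler containing a decoy 'MZ', then an x86 and an x64 image."""
    return (b"\x90" * 8 + b"\xcc" * 16 + b"MZxx" + b"\x00" * 8
            + _fake_pe(0x014C) + b"\xcc" * 5 + _fake_pe(0x8664))


if __name__ == "__main__":
    blob = _fake_stage2()
    print(classify_payload(blob), find_embedded_pes(blob))
```

On a real capture the offsets returned by `find_embedded_pes` are the carve points; the decoy `MZ` in the filler is rejected because its `e_lfanew` does not point at a `PE\0\0` signature.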
When the second-stage shellcode runs, the payload is loaded directly into memory in the process of the exploited application, without first being written to disk. This “no-file” characteristic is responsible for some of the hype that Angler has recently gained. This mechanism has been used to infect users with malware from the Bedep family, which itself provides the ability for an attacker to download yet more malware.
4 Network Perspective
In this section, we will switch focus from content analysis to a look at Angler activity from a network perspective.
4.1 Fresh registrations
As with most web attacks, Angler makes wide use of fresh domain registrations.
As is typical for drive-by downloads, we usually see a flurry of registrations that resolve to the same IP number for a short period.
Occasionally, Angler has used free dynamic DNS services, a tactic widely used by exploit kits for years.
4.2 Domain shadowing
Angler has made increasing use of hacked DNS records as well, a technique used by attackers for several years that is becoming popular once again. The criminals update the DNS records of legitimate domains, adding various sub-domains that resolve to the malicious exploit kit – a technique sometimes called domain shadowing.
An example is shown in Figure 20, based on some activity seen in May 2015. In these attacks, a 2-level technique is used, where the DNS records have been modified to include wildcard entries (*.foo.example.com, *.bar.example.com). So in this attack, the records were updated with entries including:
This enables the attackers to resolve their shadowed domains to the malicious IP, a computer hosted in Russia at the time of writing. As you can see, the specific sub-sub-domains used in the Angler redirects appear to be six-character strings, presumably chosen to let the attackers track and attribute incoming traffic (most likely for statistics and payment).
In other cases, we have seen Angler using single-level DNS hacks:
In some cases the string used in the sub-domain appears to have some relevance to the domain name being shadowed. This suggests human involvement, rather than random text generated by a program.
Domain shadowing relies on the criminals being able to modify legitimate DNS records, which is most likely due to stolen credentials. Site owners do not necessarily understand the critical nature of their DNS records, so it is concerning that many of the providers/registrars do not guard the DNS settings more closely.
Most site owners will rarely need to update the records, so any updates should ideally be protected by more than user credentials. Suggestions to improve this situation include:
Thanks to collaboration with researchers at Nominet, we have been able to look more closely into the domain shadowing activity used in Angler attacks. The aim was to reveal the timeline of events once a DNS record has been hacked. We focused on the DNS query activity for a number of domains associated with a single compromised user account where attackers were using two-level domain shadowing (as in Figure 20).
Figure 22 illustrates a snapshot of DNS query activity for 26 February 2015. Data for three domains (all within the same compromised user account) is included. Green circles show the overall query volume; purple squares highlight above-average query volumes; and the white circles denote periods of sharply increased query volume, when the attackers started actively using these domains for Angler traffic.
This data reveals two stages in the attack. First, the criminals tested the hacked DNS records with a modest number of queries at 10am. These queries were for the single-level sub-domain (foo.domain.co.uk), and were all from the same source.
Once the criminals are happy that their newly stolen domain names are resolving reliably, we see bursts of malicious Angler traffic using the two-level sub-domain. In Figure 22 you can see the attackers cycling through the different domains, with each one being active only for a short period. This correlates well with our detection telemetry, where we see similar bursts of activity per hostname.
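The two-stage pattern described in this section (a low-volume, single-source probe of the shadowed label, followed a few hours later by a burst of distinct six-character sub-sub-domains under it) is something a resolver or registrar can look for in its own query logs. The following is an added detection example, not code from the article, from Sophos or from Nominet. The log lines, the domain names and the tiny public-suffix stand-in are constructed; the six-alphanumeric-character label pattern follows the observation above and would need tuning for other kits.

```python
"""Spot domain-shadowing activity in DNS query logs (added detection example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED log lines: "<ISO time> <source ip> <query name>". Domains are made up;
# the shape mirrors the two-level pattern described above (probe first, burst later).
SAMPLE_LOG = """\
2015-02-26T10:00:05 198.51.100.7 foo.victim.co.uk
2015-02-26T10:00:09 198.51.100.7 foo.victim.co.uk
2015-02-26T10:00:14 198.51.100.7 foo.victim.co.uk
2015-02-26T13:02:01 203.0.113.10 a1b2c3.foo.victim.co.uk
2015-02-26T13:02:03 203.0.113.11 x9y8z7.foo.victim.co.uk
2015-02-26T13:02:04 203.0.113.12 q1w2e3.foo.victim.co.uk
2015-02-26T13:02:06 203.0.113.13 m4n5b6.foo.victim.co.uk
2015-02-26T13:02:07 203.0.113.14 k7j8h9.foo.victim.co.uk
2015-02-26T13:02:09 203.0.113.15 z1x2c3.foo.victim.co.uk
2015-02-26T13:02:11 203.0.113.16 v4b5n6.foo.victim.co.uk
2015-02-26T13:02:13 203.0.113.17 p0o9i8.foo.victim.co.uk
2015-02-26T09:15:00 192.0.2.44 www.victim.co.uk
2015-02-26T11:40:00 192.0.2.45 mail.victim.co.uk
2015-02-26T12:00:00 192.0.2.46 www.victim.co.uk
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
# six alphanumeric characters, as seen in the Angler sub-sub-domains; tune for other kits
TRACKING_LABEL_RE = re.compile(r"^[a-z0-9]{6}$")
PUBLIC_SUFFIXES = {"co.uk"}  # CONSTRUCTED stand-in for the Public Suffix List


def split_name(qname: str):
    """Return (registered_domain, [sub-labels left to right]) for a query name."""
    labels = qname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 1
    reg = ".".join(labels[-(suffix_len + 1):])
    return reg, labels[:-(suffix_len + 1)]


def parse_log(text: str):
    """Parse log lines into (timestamp, source, qname); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, qname = m.groups()
        events.append((datetime.fromisoformat(ts), src, qname.lower().rstrip(".")))
    return events


def shadowing_alerts(events, window=timedelta(minutes=5), min_hosts=5):
    """Per registered domain, look for >= min_hosts distinct two-level hostnames whose leftmost
    label looks like a tracking string inside any `window`; report the burst start, the shadowed
    middle labels, and the sources of any earlier single-level probes (the testing stage)."""
    by_domain = defaultdict(list)
    for ts, src, qname in events:
        reg, subs = split_name(qname)
        by_domain[reg].append((ts, src, subs))
    alerts = {}
    for reg, evs in by_domain.items():
        hits = sorted((ts, ".".join(subs)) for ts, _, subs in evs
                      if len(subs) == 2 and TRACKING_LABEL_RE.match(subs[0]))
        for i, (ts, _) in enumerate(hits):
            burst = {h for t, h in hits[i:] if t < ts + window}
            if len(burst) < min_hosts:
                continue
            mids = {h.split(".", 1)[1] for h in burst}
            probe_sources = {src for t, src, subs in evs
                             if len(subs) == 1 and subs[0] in mids and t < ts}
            alerts[reg] = {"burst_start": ts, "hostnames": len(burst),
                           "shadowed_labels": sorted(mids),
                           "probe_sources": sorted(probe_sources)}
            break
    return alerts


if __name__ == "__main__":
    for domain, alert in shadowing_alerts(parse_log(SAMPLE_LOG)).items():
        print(domain, alert)
```

The probe source is worth keeping in the alert: in the data above it was a single address querying the bare shadowed label hours before the burst, which is a stronger signal than the burst alone and gives the registrar a time at which the account's credentials were already in the wrong hands.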
This information gives us a better impression of the infrastructure and management used to control user web traffic for the purpose of redirecting it to malicious sites.
4.3 URL structure
The URL structure used for the various components of a drive-by attack can often be useful in identifying malicious activity amongst user web traffic. Historically, certain exploit kits have used predictable URL structures for different components, making it easier for security providers to detect and block content. Some examples from the Nuclear and Blackhole exploit kits include:
Similar weaknesses were present in early versions of Angler as well, but the kit has evolved considerably since then, taking steps to remove any Achilles heel that might have been easy to spot in the URLs used for its various components.
The final section of this article aims to provide an overview of the actual malware being installed through Angler. To investigate this, we analyzed payloads for a 4-week period during April 2015.
As you can see, all the payloads collected during this period were delivered by exploits against Internet Explorer (59%) or Flash (41%):
This matches our data for recent Angler landing pages, where we have not seen exploits against Silverlight or Java. However, these results are determined as much by the victims’ computer configurations as by Angler itself, because Angler avoids trying exploits against components that are not installed.
The malware families installed in these drive-by downloads were as follows:
Clearly there is a ransomware focus here – the names tagged with asterisks are ransomware families, and account for more than 50% of the malware attacks. The most common ransomware was Teslacrypt.
In this research article we have taken a top-to-bottom look at the Angler exploit kit, highlighting some of the methods used to drive traffic to Angler-infected web pages.
Understanding this behavior end-to-end is vital when providing protection. Angler attempts to evade detection at every level. To evade reputation filtering it switches hostnames and IP numbers rapidly, as well as using domain shadowing to piggyback on legitimate domains. To evade content detection, the components involved in Angler are dynamically generated for each potential victim, using a variety of encoding and encryption techniques. Finally, Angler uses obfuscation and anti-sandbox tricks to thwart the collection and analysis of samples.
As illustrated above, Angler has risen above its competitors in recent months. This could be down to many factors: higher traffic to Angler-infected pages; exploits with a better hit-rate in delivering malware; slicker marketing amongst the criminal fraternity; more attractive pricing – in other words, good returns for the criminals who are buying “pay-per-install” malware services from the gang behind Angler.
One thing is clear: Angler has a serious impact on anyone browsing the web today.
We applaud the work done by everyone in the security community to track exploit kit activity. In preparing this article, however, we would like to give individual hat-tips to @kafeine and @EKwatcher.
Thanks also to Richard Cohen and Andrew O’Donnell of SophosLabs for their work on the shellcode components.
Thanks to Ben Taylor, Sion Lloyd and Roy Arends of Nominet for their insights into DNS domain shadowing.