• Posted by Sergei Frankoff 12 May

Briefing – Angler Exploit Kit

Here at Sentrant we analyze a lot of ad-fraud malware. We actually analyze so much malware that we have automated part of the process. A byproduct of this automation is that we end up with a lot of analysis data on malware that we aren't really interested in, such as droppers and exploit kits. We have decided to start pushing out some of this data as a way to give back to our community.

In this case we are going to shine a light on the Angler Exploit Kit. It is arguably one of the most advanced exploit kits (EK) currently on the market, and its operators have now started dropping 0-days. We should all be paying attention to this.

A note on the format of this post: our analysis engine only starts recording at the shellcode stage of the exploit, so we have had to re-create some of the earlier analysis by hand.

 

References and Previous Work

Thankfully Angler has not gone unnoticed. Many researchers have published excellent analysis of this EK, some of which will overlap with what we post here. Before diving in we suggest you read up on the following.

Description of the EK detection evasion using ‘cushion attack’:

Good overview of the JavaScript encryption and the payload loading:

Analysis of the in-memory payload loading:

Analysis of Flash zero day:

Analysis of VM detection:

Analysis of server-side files captured in takedown:

Special thanks to Brad over at malware-traffic-analysis.net for providing the sample that we will use as an example for this post:

 

Landing Page Analysis

The Angler EK landing page uses HTML tags to embed code as text data into the document. Each section of data has its own "id" attribute.

Angler EK landing page tag with hidden data.

Angler then uses some JavaScript to de-obfuscate this text data and write it to the DOM. The script used to do this is itself heavily obfuscated.

Angler EK landing page de-obfuscation script.

There is not much point writing tools to automatically de-obfuscate this as it can quickly be changed by the developers. Instead, a few strategically placed breakpoints are all that is needed to get it to spit out the de-obfuscated scripts.

 

AV and VM Detection

Once the scripts have been de-obfuscated we can see that Angler abuses the res:// protocol (Internet Explorer's resource protocol handler) to enumerate software on the target: it attempts to load files from known install paths as resources, and a load that succeeds reveals that the file, and therefore the product, is present.

Angler EK local resource detection.

The resources that are enumerated follow.

C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll 
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll 
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll
C:\\Program Files\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll
C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll
C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll
C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll
C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll
C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll
C:\\Program Files\\Fiddler2\\Fiddler.exe 
C:\\Program Files (x86)\\Fiddler2\\Fiddler.exe 
C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe
C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe
C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe
C:\\Program Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe
C:\\Program Files\\Norton Internet Security\\Engine\\21.1.0.18\\asOEHook.dll
C:\\Program Files\\Norton Internet Security\\Engine\\21.6.0.32\\asOEHook.dll
C:\\Program Files\\Norton Internet Security\\Engine\\21.7.0.11\\asOEHook.dll
C:\\Program Files\\Norton Internet Security\\Engine\\22.0.0.110\\uiMain.dll
C:\\Program Files\\Norton Internet Security\\Engine\\22.1.0.9\\uiMain.dll
C:\\Program Files\\Norton Internet Security\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files (x86)\\Norton Security\\Engine\\21.1.0.18\\asOEHook.dll
C:\\Program Files (x86)\\Norton Security\\Engine\\21.6.0.32\\asOEHook.dll
C:\\Program Files (x86)\\Norton Security\\Engine\\21.7.0.11\\asOEHook.dll
C:\\Program Files (x86)\\Norton Security\\Engine\\22.0.0.110\\uiMain.dll
C:\\Program Files (x86)\\Norton Security\\Engine\\22.1.0.9\\uiMain.dll
C:\\Program Files (x86)\\Norton Security\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files (x86)\\Norton Security\\Engine\\22.1.0.9\\uiMain.dll
C:\\Program Files\\Norton Security\\Engine\\21.1.0.18\\msouplug.dll
C:\\Program Files\\Norton Security\\Engine\\21.6.0.32\\msouplug.dll
C:\\Program Files\\Norton Security\\Engine\\21.7.0.11\\msouplug.dll
C:\\Program Files\\Norton Security\\Engine\\22.0.0.110\\msouplug.dll
C:\\Program Files\\Norton Security\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files\\Norton Security\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files\\Norton Security\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files (x86)\\Norton Internet Security\\Engine\\21.1.0.18\\msouplug.dll
C:\\Program Files (x86)\\Norton Internet Security\\Engine\\21.6.0.32\\msouplug.dll
C:\\Program Files (x86)\\Norton Internet Security\\Engine\\21.7.0.11\\msouplug.dll
C:\\Program Files (x86)\\Norton Internet Security\\Engine\\22.0.0.110\\msouplug.dll
C:\\Program Files (x86)\\Norton Internet Security\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files (x86)\\Norton Internet Security\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files (x86)\\Norton Internet Security\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files (x86)\\Norton Security with Backup\\Engine\\21.1.0.18\\msouplug.dll
C:\\Program Files (x86)\\Norton Security with Backup\\Engine\\21.6.0.32\\msouplug.dll
C:\\Program Files (x86)\\Norton Security with Backup\\Engine\\21.7.0.11\\msouplug.dll
C:\\Program Files (x86)\\Norton Security with Backup\\Engine\\22.0.0.110\\msouplug.dll
C:\\Program Files (x86)\\Norton Security with Backup\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files (x86)\\Norton Security with Backup\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files (x86)\\Norton Security with Backup\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files\\Norton Security with Backup\\Engine\\21.1.0.18\\msouplug.dll
C:\\Program Files\\Norton Security with Backup\\Engine\\21.6.0.32\\msouplug.dll
C:\\Program Files\\Norton Security with Backup\\Engine\\21.7.0.11\\msouplug.dll
C:\\Program Files\\Norton Security with Backup\\Engine\\22.0.0.110\\msouplug.dll
C:\\Program Files\\Norton Security with Backup\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files\\Norton Security with Backup\\Engine\\22.1.0.9\\msouplug.dll
C:\\Program Files\\Norton Security with Backup\\Engine\\22.1.0.9\\msouplug.dll
C:\\Windows\\System32\\drivers\\kl1.sys
C:\\Windows\\System32\\drivers\\tmactmon.sys
C:\\Windows\\System32\\drivers\\tmcomm.sys
C:\\Windows\\System32\\drivers\\tmevtmgr.sys
C:\\Windows\\System32\\drivers\\TMEBC32.sys
C:\\Windows\\System32\\drivers\\tmeext.sys
C:\\Windows\\System32\\drivers\\tmnciesc.sys
C:\\Windows\\System32\\drivers\\tmtdi.sys
C:\\Windows\\System32\\drivers\\vm3dmp.sys
C:\\Windows\\System32\\drivers\\vmusbmouse.sys
C:\\Windows\\System32\\drivers\\vmmouse.sys
C:\\Windows\\System32\\drivers\\vmhgfs.sys
C:\\Windows\\System32\\drivers\\=virtual box=
C:\\Windows\\System32\\drivers\\VBoxGuest.sys
C:\\Windows\\System32\\drivers\\VBoxMouse.sys
C:\\Windows\\System32\\drivers\\VBoxSF.sys
C:\\Windows\\System32\\drivers\\VBoxVideo.sys
C:\\Windows\\System32\\drivers\\prl_boot.sys
C:\\Windows\\System32\\drivers\\prl_fs.sys
C:\\Windows\\System32\\drivers\\prl_kmdd.sys
C:\\Windows\\System32\\drivers\\prl_memdev.sys
C:\\Windows\\System32\\drivers\\prl_mouf.sys
C:\\Windows\\System32\\drivers\\prl_pv32.sys
C:\\Windows\\System32\\drivers\\prl_sound.sys
C:\\Windows\\System32\\drivers\\prl_strg.sys
C:\\Windows\\System32\\drivers\\prl_tg.sys
C:\\Windows\\System32\\drivers\\prl_time.sys

Using this resource enumeration Angler EK detects the following anti-virus products, analysis tools, and virtual environments.

  • Kaspersky
  • Norton
  • Trend Micro
  • Fiddler2
  • Parallels
  • VMware
  • VirtualBox

It is interesting to note that the virtual environments and analysis tools that are detected seem to be targeted at research environments used by individuals, as opposed to enterprise security tools. This may be an indication that the main concern of the EK developers is independent researchers such as @kafeine. Indeed, the EK authors even include a "shout-out" to the malware.dontneedcoffee.com blog in their EK.

Angler EK shout-out to Kafeine.

 

Shellcode Identification

The EK developers place their shellcode outside of the exploits, in the JavaScript; we assume this is so that it can easily be changed.

Angler EK shellcode.

In this example the shellcode is only lightly obfuscated. It is stored as Unicode with the "%u" designation removed. Each Unicode character is actually just a single byte of shellcode, split high/low nibble over the two-byte Unicode code unit and slightly modified (each nibble is stored with one added to it). The following algorithm can be used to transform the Unicode back into shellcode (unescape the Unicode into binary before feeding it to the transform).

# a1 = unescaped Unicode shellcode: each pair of bytes carries one shellcode byte,
# high nibble in the first byte and low nibble in the second, each stored as nibble + 1
# (the line computing the high nibble was garbled in extraction and is reconstructed here)
shellcode = bytearray()
for i in range(0, len(a1), 2):
    p = (0xf & (ord(a1[i]) - 1)) << 4      # high nibble
    q = 0xf & (ord(a1[i + 1]) - 1)         # low nibble
    shellcode.append(p | q)

 

Shellcode Analysis

The shellcode is used to download an encrypted payload, decrypt it, and run it. This all occurs in memory, so no files touch the disk. As we can see in the example below, the decryption key "Du9JOBgkbfzGvmFF" and the download URL used in the shellcode are actually added to the shellcode by the JavaScript. Again we assume this is so that the EK developers/operators can quickly change these without modifying the kit.

Angler EK payload decryption key and download URL.

The shellcode itself is fairly elegant: we see the usual dynamic API resolution, then a thread is created running the code that downloads and decrypts the payload.

Angler EK shellcode API setup.

The encryption is actually just an implementation of the “tiny encryption algorithm” or “TEA” for short.

Angler EK TEA block decryption.

You can download our payload decryptor from GitHub. We have supplied the current key in the decryptor, but as this will no doubt change you also have the option to supply your own key. As we showed above, extracting the key from the EK JavaScript is as simple as setting some breakpoints and finding the de-obfuscated code where the key is added to the shellcode. Or, if you have an automated system, you can just dump the shellcode and run "strings" over it to find the encryption key.

Angler EK shellcode with plaintext encryption key.

As noted in some of the prior research we referenced above, the payload can take two forms: either it consists of more shellcode plus some DLLs, or it is just a DLL. Once the payload is decrypted, the shellcode checks its first few bytes. If the bytes are "0x90 0x90" they signify that the payload begins with shellcode; otherwise the bytes will be the standard PE file header "MZ".

Angler EK shellcode payload download and decrypt.

Angler EK shellcode payload download and decrypt: check of the first payload bytes.
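As an added illustration of the TEA decryption step and the header check described above (example code written for this briefing, not Sentrant's GitHub decryptor and not the kit's own code), here is a standard 32-round TEA block decrypt in Python followed by the same first-two-bytes check the shellcode performs. It assumes plain TEA with little-endian 32-bit words, 8-byte blocks processed in ECB order, and the 16-byte key string read as four little-endian words; none of those layout details are stated in the post, so they may differ from the kit's implementation. The sample payload is constructed, encrypted with the matching encrypt routine, then decrypted and classified.

```python
import struct

DELTA = 0x9E3779B9   # TEA key-schedule constant
MASK = 0xFFFFFFFF    # keep every intermediate in uint32 range

def tea_encrypt_block(block, key):
    """Standard TEA encryption of one 8-byte block (used here only to build a sample)."""
    v0, v1 = struct.unpack("<2I", block)          # assumption: little-endian words
    k0, k1, k2, k3 = struct.unpack("<4I", key)    # assumption: key read as 4 LE words
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack("<2I", v0, v1)

def tea_decrypt_block(block, key):
    """Standard TEA decryption of one 8-byte block: the 32 rounds run in reverse."""
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = struct.unpack("<4I", key)
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return struct.pack("<2I", v0, v1)

def decrypt_payload(data, key):
    """Decrypt a downloaded payload block by block (ECB order is an assumption)."""
    if len(data) % 8:
        raise ValueError("ciphertext length is not a multiple of the 8-byte TEA block")
    return b"".join(tea_decrypt_block(data[i:i + 8], key) for i in range(0, len(data), 8))

def classify_payload(plain):
    """Mirror the shellcode's check on the first two decrypted bytes."""
    if plain[:2] == b"\x90\x90":
        return "shellcode"   # payload starts with more shellcode plus DLLs
    if plain[:2] == b"MZ":
        return "pe"          # payload is a bare DLL
    return "unknown"

KEY = b"Du9JOBgkbfzGvmFF"                    # the key quoted in the post
SAMPLE_PLAINTEXT = b"MZ" + bytes(range(14))  # constructed 16-byte stand-in for a PE payload

def demo():
    """Encrypt the constructed sample, decrypt it again and classify the result."""
    ct = b"".join(tea_encrypt_block(SAMPLE_PLAINTEXT[i:i + 8], KEY) for i in range(0, 16, 8))
    pt = decrypt_payload(ct, KEY)
    return classify_payload(pt), pt == SAMPLE_PLAINTEXT
```

If the kit's word order or key layout differs from these assumptions, swap the `<` in the struct formats for `>` or reorder the key words; the round structure stays the same.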

 

Final Thoughts

Here at Sentrant we believe in a holistic approach to fighting cybercrime. While our specific approach focuses on cutting off the revenue streams of ad-fraud botnets, we need endpoint security vendors and incident responders to raise the cost of delivering these ad-fraud bots to their victims. We hope that these briefings can be used to update endpoint and network security tools and reduce the criminals' ROI on their delivery platform.

If you have any questions about ad-fraud or ad-fraud malware feel free to contact us.