Understanding Angler Exploit Kit – Part 1: Exploit Kit Fundamentals

Generally speaking, criminal groups use two methods for widespread distribution of malware. The most common method is malicious spam (malspam). This is a fairly direct mechanism, usually through an email attachment or a link in the message to the malware. However, malspam requires some sort of action by the user to be successful (for example, opening an attached file).

The other method for widespread malware distribution is an exploit kit (EK). EKs are designed to work behind the scenes while a potential victim is browsing the web. An EK does not require any additional action by the end user.

EKs are a sophisticated delivery method. Malware distribution through an EK involves other components in the chain of events that lead to a malware infection.This blog is the first of a two-part post intended to provide clearer understanding of Angler EK. Here we will focus on EK activity targeting computers running Microsoft Windows. Windows remains the prevalent operating system world-wide, and it offers the largest amount of potential victims for criminals using an EK.

Definitions

To fully comprehend EKs, you should understand the following terms in the context of EK traffic.

Vulnerability – An unintended flaw in software code that leaves it open to exploitation in the form of unauthorized access or other malicious behavior.

Exploit – A file or code that takes advantage of a vulnerability in an application or operating system.

Exploit kit (EK) – A server-based framework that uses exploits to take advantage of vulnerabilities in browser-related software applications to infect a client (a Windows desktop or laptop) without the user’s knowledge.

Malware – This is the payload delivered by the EK if the exploit is successful. An EK payload is malware designed to infect a Windows computer (an .exe or .dll file).

Those are the basic concepts. An EK uses an exploit that targets a vulnerability. If the exploit is successful, the user’s computer is infected with the malware payload. Two other important terms are:

Actor – An individual or criminal group behind a piece of malware. In the context of cyber security, the term “actor” is associated with a “theater” of war. Since good and bad actors exist in any conflict, you will see “bad actor” or “threat actor” used when referring to various criminal groups behind malware.

Campaign – A series of attacks using an EK and infrastructure to direct victims to that EK.

By itself, an EK will not deliver malware to a system. Somehow, a user must be directed to an EK server before it will deliver any malware. Actors use campaigns to guide victim traffic to an EK.

Actors are most often identified from characteristics of the malware they distribute. Campaigns are most often identified from characteristics of the network traffic before the victim reaches an EK. Actors and campaigns are two different terms. An actor might use one or more campaigns to distribute malware. And more than one actor might use the same campaign to deliver different types of malware.

For example, the actor behind CryptXXX uses multiple campaigns to distribute this ransomware. We have found at least two different campaigns, pseudo-Darkleech andAfraidgate, delivering CryptXXX ransomware.

An example of one campaign used by multiple actors is the EITest campaign. We have noted several different types of malware sent through EITest, indicating several different actors have been using this campaign.

EK as a Service

The authors of most EKs use Software as a Service (SaaS) as their business model. This model is also sometimes called Platform as a Service (PaaS), Malware as a Service (MaaS), or EK as a Service (EKaaS).

EKs are sold in the criminal underground, where the price for leading EKs is often a few thousand dollars per month.   The EK owner provides the buyer a management console to oversee the rented EK servers, but the buyer must provide an attack infrastructure. As noted earlier, a distinct attack infrastructure combined with the EK is considered a campaign.

Chain of Events Within an EK

In an attack using an EK, we typically see the following chain of events during a successful infection:

Figure 1: Chain of events within an EK.

The landing page is the first item sent by an EK. This HTML page is received behind-the-scenes, and it is not visible on the victim’s web browser. The landing page consists of code that gathers data about a victim’s Windows computer and finds a vulnerable application. Targeted applications often include Adobe Flash Player, Java Runtime Environment, Microsoft Silverlight, and web browsers (usually Internet Explorer) and others. If your computer is fully patched and up-to-date on all applications, most EKs will stop at the landing page. If your computer is not fully up-to-date, the EK will send an appropriate exploit for any vulnerable applications it finds.

An EK exploit is designed to take advantage of a vulnerable application (Flash Player, Internet Explorer, etc) in order to secretly run malware on a host. Searching through Mitre.org’sCommon Vulnerabilities and Exposures (CVE) database, you’ll find EK exploits based on vulnerabilities that allow an attacker to “execute arbitrary code” on the victim’s host. For Flash, Java, or Silverlight, the EK sends the exploit as a file, usually in some sort of archive format. For vulnerable web browsers, the exploit is sent as code within the HTML.

An EK’s payload is malware designed to infect a Windows computer (an .exe or .dll file). The payload may be a file downloader that retrieves other malware, or it could be the final malware. With more advanced EKs, the payload is sent as an encrypted binary over the network either using simple XOR encryption or an RC4 encryption key. The encrypted binary is then decrypted and executed on the victim’s host.

An EK Never Stands Alone

An EK typically operates under some sort of campaign. The majority of campaigns use a compromised website to direct network traffic to an EK. This provides a straight-forward chain of events. A flow chart for these type of campaigns is shown below.

Figure 2: Chain of events for a relatively straight-forward campaign.

Compromised websites have code injected into their web pages. In some campaigns, the code is relatively simple.

Figure 3: Injected code in page from a compromised website leading directly to an EK.

Injected code from the above image contains an iframe pointing directly to an Angler EK landing page. The EK landing page is highlighted in yellow. Notice how the iframe position has negative values, so it is not visible when the iframe is brought up in a web browser.

In other cases, the injected code is highly obfuscated. Below is a May 2016 example of injected script (more than 12,000 characters in length) from a compromised website in the pseudo-Darkleech campaign.

Figure 4: Start of injected code from the pseudo-Darkleech campaign in May 2016.

Many campaigns use an additional server between the compromised website and the EK server. These additional servers are called “gates” because they act as a gate to the EK. Sometimes, this means the gate will only allow Windows hosts to connect with an EK server. If you are using a Macbook or Linux host, the gate examines the user-agent string in the HTTP headers, and it will not forward you to the EK landing page.

Figure 5: Chain of events for a campaign that uses a gate.

Below is an example from March 2016 in the Afraidgate campaign. Figure 6 shows injected script in a page from the compromised website leading to a gate URL. Figure 7 shows the gate URL returning script with an iframe for a Nuclear EK landing page.

Figure 6: Injected script in page from a compromised pointing to a gate.

Figure 7: Gate traffic from the Afraidgate campaign in March 2016.

In some cases, a campaign may use more than one gate between the compromised website and the EK. These gates are sometimes legitimate services like Pastebin that are abused by the actors behind the campaign.

Figure 8: Campaign from November 2015 using more than one gate.

Malvertising

A contraction of words “malicious advertising,” malvertising refers to the use of online advertising to spread malware. Many campaigns have used malvertising as a link in the chain of events to distribute malware.

People have been hit with malvertisements directing to exploit kits after viewing popular websites like The New York Times or visiting Answers.com. Those websites were not compromised, but some of their ad traffic was. Malvertising allows bad actors to fly under the radar and reach a large number of potential victims. These actors use advance techniques to hide their malicious traffic redirections and more easily evade detection.

Conclusion

This blog post covered definitions necessary to understanding EK traffic. We discussed how EKs are rented by criminals as a service, available in the underground market. We also reviewed the chain of events within an EK and additional steps seen from an EK within a campaign. Malvertising is one of many types of campaigns seen with EK traffic.

How can people defend their systems against EK activity? Use a layered defense. First make sure your operating system and applications are patched and up-to-date. EKs take advantage of outdated browser-based applications to infect vulnerable Windows hosts.

Network detection is the second component of layered defense. Solutions like Palo Alto Networks Next-Generation Security Platform can help security teams detect constantly changing indicators of EK activity.

Finally, a layered defense should also include endpoint protection as a third component. Palo Alto Networks Traps can help protect an organization’s assets against malicious executables, data files or network-based exploits before any malicious activity can successfully run.

Part two of this blog post will cover one of the most advanced, effective, and popular EKs in the criminal market: Angler EK.

[Palo Alto Networks Research Center]

Watch: CEO Mark McLaughlin on the Benefits of a Proactive Security Platform

Palo Alto Networks Chairman, President and CEO Mark McLaughlin went on Mad Money this week to talk with Jim Cramer about the power of the Palo Alto Networks Next-Generation Security Platform, why cybersecurity continues to be a priority spend for organizations regardless of industry, and more. Watch the full interview, below.

[Palo Alto Networks Research Center]

Palo Alto Networks Researchers Uncover Critical Apple Product Vulnerabilities

Palo Alto Networks researchers were recently credited with discovery of two new Apple product vulnerabilities.

Researchers Tongbo Luo and Bo Qu discovered a webkit vulnerability (CVE-2016-1855) affecting Safari in OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 and OS X El Capitan v10.10.5.

Tongbo and Bo also identified an OpenGL vulnerability (CVE-2016-1847) affecting Apple TV (fourth generation and later), iPhone 4S (and later versions), iPod Touch (fifth generation and later), and iPad 2 (and later versions).

Apple addressed both findings in a recent security update. Palo Alto Networks has also released IPS signatures covering these vulnerabilities (for current customers, available in content release 585).

Palo Alto Networks is a regular contributor to vulnerability research in the Microsoft, Apple, Android and other ecosystems. By proactively identifying these vulnerabiliites, developing protections for our customers, and sharing the information with the security community, we are removing weapons used by attackers to threaten users and compromise enterprise, government and service provider networks.

[Palo Alto Networks Research Center]

Cybersecurity: More Threats, But Also More Opportunities

In a recent conversation with Linda Moss, VP of Global Enablement and Education at Palo Alto Networks, I was shocked to learn just how significant of a cybersecurity workforce shortage there is in this industry. Our conversation included both the volume of threats seen in the modern threat landscape and the growing number of opportunities this landscape is creating for students and IT professionals to either begin or transition into a lucrative career in cybersecurity.

With the cybersecurity industry expected to grow from $75 billion to $170 billion in the next five years, or so, the need for trained professionals is skyrocketing. In my opinion, Linda has one of the most exciting jobs in our company, but also one of the largest responsibilities, as her team develops a curriculum that will enable a next-generation cybersecurity workforce. Some experts predict that, by 2019, the demand for cybersecurity professionals will increase to approximately 6 million globally. What is even more surprising is that the shortage of trained professionals is projected to be 25 percent – or 1.5 million jobs unfilled.

I was happy to capture our conversation in a short video that I’d like to share with you. Here, Linda and I discuss several key areas of education, including the overall skills shortage, types of training available, the Palo Alto Networks Certified Network Security Engineer (PCNSE) certification, and the Accredited Configuration Engineer (ACE) accreditation. In addition, Linda has some great insight regarding the importance of working with colleges and universities to ensure future generations get the necessary skills to prevent successful cyberattacks through the Palo Alto Networks Academy program.

Because cybersecurity is firmly at the top of the international agenda, there’s never been a better time to consider a career in the industry!

For more information, please visit: http://www.paloaltonetworks.com/education 

For a list of Worldwide Authorized Training Centers (ATC Partners), please visit:https://www.paloaltonetworks.com/services/education/atc-locations

Please let me know if you have any comments or questions, or contact me via Twitter anytime at @CicconeScott.

[Palo Alto Networks Research Center]

Moving Across National Borders in Information Security

I am originally from the U.S. and relocated to New Zealand in 2014. Prior to coming to New Zealand, I worked as an IT auditor in Phoenix, Arizona, U.S. Long before engaging in IT related work, I obtained an undergraduate degree in Aerospace Engineering from University of Arizona and also an MBA from Thunderbird School of Global Management. The engineering degree taught me how to think about systems. The MBA prepared me for working in other countries.

You might wonder why I moved from aerospace engineering, IT audit and then to information security. I am a multipotentialite (http://puttylike.com), and have many different interests and pursuits in life. For some time, I had resisted pursuing information security as I thought it was primarily about hacking.Then I saw a chart (see below) that showed me the many facets of information security. Having so many facets interested me.

I was informed about the CISSP by colleagues in the U.S. At the time, I thought I was not ready for it. I found out about the Associate Program from the (ISC)² website. I decided to obtain the Associate designation because I wanted to be considered for an information security position. Then I moved to New Zealand.

Transition to New Zealand

Why New Zealand?  New Zealand is a beautiful country. Anyone who has seen “Lord of the Rings” or “The Hobbit” movies has seen the beauty of New Zealand. I was also intrigued by a country that posted a high SPI (Social Progress Index http://www.socialprogressimperative.org) score and a high Transparency score (Transparency International http://www.transparency.org/cpi2015 ).

Currently, I am the information security manager for Waikato District Health Board headquartered in Hamilton. This organization provides healthcare to more than 300,000 New Zealand citizens and residents. Anyone who has worked in a hospital system can understand the complexity of providing healthcare, managing information systems and balancing security and privacy. In my present role, I am charged to lead the development of the organization’s information security strategy, framework, culture and policy. In conjunction, I develop information policies, protocols, procedures and guidelines. Also, I perform risk assessments and review operational compliance. My favorite part is working to raise security awareness and provide advice and guidance.

When I applied for my current position, one of the requirements was that “the candidate holds an information security certification.” I had studied for and passed the CISSP exam in October 2013. At the same time, I was also able to apply work experience as an IT auditor and work experience as an information security manager. I was able to obtain the CISSP in September 2015.

Borderless Certifications

One thing I would like to share regarding the internationally recognized certifications like the CISSP is that such credentials cross borders. I really do not have to explain that I am an information security professional. This is important in a world where information security knowledge and skills are wanted. The certifications give me credibility when I speak about information security. This is important in gaining trust and the acceptance of others.

I was encouraged by Ryan Ko, Ph.D. at the University of Waikato (http://www.cms.waikato.ac.nz/people/ryan) to obtain the CCSP (Certified Cloud Security Professional). I had come into cloud technologies by accident and had worked on cloud-based implementations. The CCSP has given me the creditability to speak about issues of data security and cloud use. The CCSP is not well known and I am having to educate colleagues about it. By the way, the Maori’s (first people to come to New Zealand) name for New Zealand is “Aoteoroa” which means “Land of the Long White Cloud.”

Since moving to New Zealand, I have been able to write and speak more about information security.  I write a blog published within Waikato District Health Board. I have also written a chapter on cloud governance in “Cloud Security Ecosystem.” At Cloud Asia 2016 (http://www.cloudasia.asia ) in Singapore, I gave a presentation on “An Experiment in Virtual Healthcare.” This is an initiative of Waikato District Health Board to provide healthcare through a cloud-based system and mobile devices. I have also worked with Cloud Security Alliance (www.cloudsecurityalliance.org) which is a partner with (ISC)² on the CCSP.

You may be wondering how the work environment in New Zealand compares to what I experienced in the U.S. There does appear to be a better work-life balance. Also, there are more holidays and vacation days in New Zealand. This allows for more time to enjoy the beauty of this land.

Advice to Novice Security Practitioners

The (ISC)² Associate Program indicates to anyone that the holder of this designation is serious about information security. Take the exam (for whichever certification you want) as soon as you are ready to do so.  Even if you are a student, having the Associate designation makes you stand out from other students. Once you obtain the Associate, it really is only a matter of time before you become certified.


About the Author:

Name: Sai Honig

Job Title: Information Security Manager, Waikato District Health Board, New Zealand

Where are you from or currently based: Originally from the U.S.; currently based in Hamilton, New Zealand

(ISC)² certifications: CISSP, CCSP

Years of experience in the industry: 6

Topic(s) of interest in infosec: Cloud, Governance, Data

Career Goal: CISO

Social Media Contact: nz.linkedin.com/in/saihonig/

(ISC)² Management

[(ISC)² Blog]

English
Exit mobile version