Earlier this month, Cisco's Talos team published an in-depth report on the Angler exploit kit (EK) . The report also documented Cisco's coordination with hosting providers to shut down malicious servers associated with this EK. The result? I've found far less Angler EK in the last two weeks or so.
Angler is still active, even if we're not finding as much as before, and other EKs remain a concern. CryptoWall 3.0 remains a popular payload. I've noticed CryptoWall 3.0 from Angler, Nuclear, and Rig EK in the past few days.
Let's look at some recent examples of EK traffic.
The URL structure for Nuclear EK has changed since my previous ISC diary about it last month . The landing page URL (the initial HTTP GET request) has recently changed patterns. Previously, we'd seen the HTTP GET request start with /url?sa= , but now it's back to /search? followed by random characters. The images below show HTTP GET requests for Nuclear EK on Wednesday 2015-10-14.
In recent weeks, I've noticed at least two types of infection chains for Nuclear EK. The first type uses a gate with 052F in the URL. So far, I've seen ransomware payloads delivered by "052F" Nuclear EK. Last month I saw TelsaCrypt 2.0 , and this month I've seen CryptoWall 3.0.
The other type of infection chain for Nuclear EK chain has no gate, and it's been delivering two malware payloads. This "dual payload" Nuclear is similar to what we saw in last month's diary on this EK .
I'm calling these two types of infection chains:
Traffic characteristics indicate these are different actors. Other actors are also associated with Nuclear EK, like the Windigo group , BizCN gate actor , and (I assume) many more. This diary only covers the 052F and dual payload actors.
052F gate Nuclear EK sends CryptoWall 3.0
HTTP traffic after the 052F gate showed Nuclear EK followed by CryptoWall 3.0 callback activity.
This CryptoWall 3.0 sample's bitcoin address for the ransom payment was 12V5XLJ8zfespa2ABZJKUX8oQbVpwT5Uwb
Dual payload Nuclear EK sends its dual payloads
I've noticed this recent dual payload Nuclear EK actor since mid-September 2015 [2, 6, 7]. Code is injected near the end of the page, right before the closing body and HTML tags. There are several dozen blank lines before the malicious iframe leading to a Nuclear EK landing page. I recently saw this type of traffic again on Wednesday, 2015-10-14.
After the Nuclear EK traffic, HTTP requests show a GET /harsh02.exe for follow-up malware, and we also see subsequent alerts on possible Kelihos malware.
Rig EK sends CryptoWall 3.0
On Tuesday 2015-10-13, I infected a Windows host through Rig EK and saw CryptoWall 3.0 as the payload. Pages compromised by this actor have injected script with an unobfuscated iframe leading to Rig EK.
After Rig EK, we find indicators of CryptoWall 3.0 in the post-infection traffic.
This CryptoWall 3.0 sample's bitcoin address for the ransom payment was 1BkEAqygc5Mg2ree7ks34xPMA9kUjB2Qx3
Angler EK still out there, still sending ransomware
On Tuesday 2015-10-13, I generated an Angler EK infection and saw CryptoWall 3.0 as the payload . Injected script from the compromised website is highly-obfuscated, but it's quite distinctive.
After Angler EK, we saw indications of a CryptoWall 3.0 infection.
The bitcoin address for this CryptoWall 3.0 sample's ransom payment was 1yA3czfyuUeYHwgNZnvBSatU8Z7GJffj2
The exploit kit landscape can quickly change, and what's current this week may not be the next. My field of view is limited, and this EK round-up is not comprehensive. I've also seen Neutrino EK recently , which is not documented in this diary. Furthermore, other EKs are still active, even though I haven't been covering them. Hopefully this diary reflects some of the more common EK traffic during the past week or so.
Below is a link for a zip archive containing all of the pcaps:
Below is a link for all zip archive containing all the malware and artifacts:
The zip archives are password-protected with the standard password. If you don't know it, email firstname.lastname@example.org and ask.
Oct 31st 2016
3 years ago