Angler Exploit Kit - Recent Traffic Patterns, (Thu, Apr 2nd)

2015-04-02 11:30

Angler exploit kit (EK) has changed URL patterns (again) during the past month. I infected a Windows host so we can take a closer look. Let's see what Angler has been up to.

The domains and URLs change frequently, and I saw several different URL patterns while using different Windows hosts to get a full infection chain.

The malware payload is encrypted. As early as August 2014, Angler EK has been using a file-less infection method, so it won't write this payload to the disk [1].

However, artifacts are left behind after the infection. Why? The infected host needs to keep the malware persistent on the system after a reboot.

The persistent malware is usually named after a legitimate system file, in this case: dhcpcsv.dll

You can find a copy of this malicious file at: https://malwr.com/analysis/ZjIxOTViNjM2N2YzNGQ1YWI1NzNlYjkzZjI0ZTEyMjQ/
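A persistence artifact named after a legitimate system file is easy to overlook in a directory listing. The following script is an added example (not part of the diary or its author's tooling) showing one way a responder can hunt for such lookalikes: it compares every DLL name against a baseline of known system DLL names and flags near matches that are not exact matches. The baseline here is a small constructed set; dhcpcsvc.dll is the legitimate DHCP client service DLL that the "dhcpcsv.dll" seen in this infection mimics, and the sample directory listing is constructed for the demonstration.

```python
"""Hunt for persistence DLLs whose names mimic legitimate system DLL names.

Added example, not code from the ISC diary. The baseline below is a
constructed sample of real Windows DLL names, not a full inventory; on a
real host you would build it from a known-good System32 listing.
"""
import os
from typing import Iterable, List, Set, Tuple

# Constructed baseline of legitimate system DLL names. dhcpcsvc.dll is the
# real DHCP client service DLL that the malicious "dhcpcsv.dll" imitates.
LEGIT_SYSTEM_DLLS: Set[str] = {
    "dhcpcsvc.dll", "dhcpcsvc6.dll", "kernel32.dll", "ntdll.dll",
    "advapi32.dll", "user32.dll", "wininet.dll", "ws2_32.dll",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def closest_legit_name(name: str, baseline: Set[str] = LEGIT_SYSTEM_DLLS) -> Tuple[str, int]:
    """Return the baseline name nearest to `name` and the edit distance."""
    name = name.lower()
    best = min(baseline, key=lambda legit: levenshtein(name, legit))
    return best, levenshtein(name, best)


def flag_lookalikes(filenames: Iterable[str],
                    baseline: Set[str] = LEGIT_SYSTEM_DLLS,
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Flag DLL names that nearly, but not exactly, match a baseline name.

    Exact matches (distance 0) are deliberately not flagged here: a file that
    reuses a legitimate name outright needs a hash or signature check instead,
    which is outside this example.
    """
    hits = []
    for fn in filenames:
        if not fn.lower().endswith(".dll"):
            continue
        legit, dist = closest_legit_name(fn, baseline)
        if 0 < dist <= max_distance:
            hits.append((fn, legit, dist))
    return hits


def scan_directory(path: str) -> List[Tuple[str, str, int]]:
    """Run flag_lookalikes over the regular files in one directory."""
    names = [e.name for e in os.scandir(path) if e.is_file()]
    return flag_lookalikes(names)


# Constructed sample listing, as a triage of a suspect folder might see it.
SAMPLE_LISTING = ["dhcpcsv.dll", "kernel32.dll", "readme.txt", "evil.dll", "ntdl1.dll"]

if __name__ == "__main__":
    for fn, legit, dist in flag_lookalikes(SAMPLE_LISTING):
        print(f"SUSPECT {fn}: looks like {legit} (edit distance {dist})")
```

On a live host, point scan_directory at the locations where the persistence mechanism loads from and confirm any hit by hashing the file and checking its signature; the name match alone is a lead, not a verdict.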

What about traffic from the infected host?

Using Security Onion to monitor the infection traffic, you'll find alerts typical for Angler EK followed by Bedep. Microsoft has an entry in the company's threat encyclopedia that describes Bedep, and it matches the patterns seen during today

I have a similar example of this Angler/Bedep traffic from 2015-04-01 available at: http://malware-traffic-analysis.net/2015/04/01/index.html

Keep monitoring your networks. Compromised websites are everywhere, and this type of traffic happens more often than you think!
---
Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
[2] http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Bedep#tab=2

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Source: https://isc.sans.edu/diary.html?storyid=19537&rss
