Search the Community
Showing results for tags 'angler'.
-
Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way. Today, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both. Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits. As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously. “At this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately,” Duncan wrote on the SANS ISC website. “However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.” Duncan told Threatpost that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom. “We’re seeing a lot more samples of CryptoWall 3.0 in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers,” Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data. Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning. The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html. “Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.” Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples. Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today. “There are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,” Duncan said. “I’m not sure on this one. It’s just my gut feeling, which could be wrong.” Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed. “The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,” Duncan said. “The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.” Source
-
Attackers behind the Angler Exploit Kit have added a tweaked version of an exploit for a patched Internet Explorer use-after-free vulnerability. Microsoft patched the vulnerability (MS14-056) in last October’s round of Patch Tuesday updates but that hasn’t stopped attackers from adding the vulnerability to the exploit toolkit. Similar to exploits disclosed in October, the sample Angler is using has been modified to bypass IE’s mitigation technology MEMPROTECT. According to Dan Caselden, a ?staff research scientist at FireEye who blogged on Friday about the vulnerability being included in Angler , this one is a use after free with MSHTML!CTitleElement that MEMPROTECT was not originally supposed to mitigate. Caselden claims the attack angle is interesting on its own because it focuses on IE deployments that use MEMPROTECT – introduced in July 2014 – but added that the vulnerability also cements the idea that attackers remain interested in compromising IE, especially against users running nearly five-month-old versions of it. Still, the use after free is not a generic exploit – some of its techniques weren’t necessary, Caselden adds – and going forward attackers will still have to find their way around the MEMPROTECT technology. “Some of the employed techniques (particularly the modified garbage collection routine) were not necessary,” Caselden wrote, “So in the future, exploit authors will need to find a reliable way around the delayed free, or bugs with another object that falls outside of the CMemoryProtector’s domain.” Chinese researchers with Keen team (a/k/a k33nteam) first talked about how (.PDF) to exploit a use after free vulnerability against MEMPROTECT at the Taiwanese security conference Hitcon X over the summer and went describe how it bypasses memory protection and isolated heap in Windows 8.1 shortly after the bug was patched by Microsoft, in a blog entry last October. Caselden gets much deeper into the exploit and points out the similarities from k33nteam’s proof of concept and the Angler sample on FireEye’s blog. For example, unlike the October exploit, this one can also optionally serve up a Flash zero day (CVE-2015-0313) – one of the three that plagued the Adobe software last month – that was also previously seen being used by Angler. Microsoft introduced MEMPROTECT, or MemoryProtection, in a July 2014 patch for IE and while the heap mitigation technology isn’t failsafe, it was thought to be effective against use after free vulnerabilities. For a short period it seemed as if the move would curb the number of IE exploits spotted in the wild, as attackers wouldn’t have to reuse dated IE use after free exploits. Naturally attackers were able to come up with ways around this. Attackers that have long had it out for Microsoft’s Internet Explorer and continue to take old, since-patched exploits and add them to their exploit kits just to see what sticks. In January attackers added a nasty, previously unknown Flash zero day that targeted IE on Windows 7 and 8 to the kit. An analysis of Angler last month called it the most sophisticated kit on the market, namely because it’s been the fastest to integrate newly released zero days and because its obfuscation is reportedly at the top of its game. Source