News Categories
(34)Malware (39)Malicious emails (11)Web 2.0 (24)Facebook (22)Social Networks (44)Spam (2)Defensio (1)Comment Spam (15)Phishing (9)Web spam (4)Click-jacking (38)Compromise (20)Analysis (38)Exploits (14)Research (3)Presentations (3)Conferences (4)security conference (9)Mass Injection (10)Rogue AV (4)Blackhat SEO (2)Neosploit (23)Targeted attacks (7)Video (14)Zeus (5)Microsoft (4)Monthly Reports (1)twitter (3)Google (18)Vulnerabilities (9)Adobe (12)Java (4)Mobile (4)Apple (1)hacked (1)TAB (1)Black Hat USA 2011 (1)Google+ (20)0-day (1)CVE-2010-2884 (1)CVE-2011-1255 (1)Worm (14)Blackhole exploit kit (1)Incognit Exploit kit (2)Tuesday Patch (6)APT (6)Typosquatting (3)Vulnerability Analysis (1)CVE-2011-3402 (4)Web Research (4)Predictions (3)Adult (5)News (3)Black Hat SEO (6)Data loss (8)Scam (1)QR codes (6)Twitter (1)CVE-2012-0003 (1)CVE-2011-3389 (1)CVE-2012-0004 (1)Phoenix Exploit Kit (1)CrimePack (3)Reverse Engineering (2)Captcha (1)Valentine's day (2)Kelihos (1)SC Magazine Award Winner (1)Wordpress (1)MS12-010 (1)CVE-2012-0002 (1)Infosec (2)CVE-2012-0507 (8)Toolkits (1)Skywiper (2)Flame (1)Flamer (2)Passwords (1)freedom of expression (1)censorship (2)Plugins (3)Malvertising (14)Exploit (1)CVE-2012-1723 (1)CSI (2)ThreatSeeker (2)Adventures in Spam (1)CVE-2012-4681 (1)LBS (2)RAT (1)module Apache/2 (1)Cyber Monday (1)Black Friday (1)Pastebin (4)CVE-2012-4792 (1)iPad (1)super bowl (1)iPhone (2)iOS (4)Spear Phishing (1)Threat Report (3)ThreatScope (1)Dynamic DNS (1)China (1)SSL (1)APT1 (2)DLP (3)Hack (1)CVE-2012-4969 (2)threat lifecycle (1)ThreatSeeker Network (1)ACE (10)exploit kit (1)blackhole (2)Black Hole (1)DNS poisoning (1)RedKit Exploit Kit (4)exploit kits (1)threat stages (1)Certificates (1)Topical (1)Waterhole (1)CVE-2013-2463 (1)Neutrino exploit kit (1)CVE-2013-2473 (1)CVE-2013-3893 (2)Collective Threat Intelligence (1)CVE-2013-3963 (1)Targeted Attack (3)Advanced Malware (1)CVE-2013-3897 (1)Tor (5)cyber-crime (1)Mevade (2)Ransomware (3)Social Engineering (1)CookieBomb (2)LinkedIn (1)CVE-2013-3906 (2)Pony (3)Cryptolocker (2)Upatre (1)application telemetry (1)meta-data (3)dr. watson (1)windows error reporting (1)big data (2)data theft prevention (1)DTP (1)telemetry (2)CVE-2014-0322 (2)MSIE 0-day (1)Deputy Dog (1)Ephemeral Hydra (1)CVE-2013-0074 (1)CVE-2013-3896 (1)Silverlight (2)crash reports (1)POS (1)anomaly detection (1)goon (4)angler (1)ru:8080 (1)magnitude (3)flash (1)CVE-2013-2465 (1)malicious iframes (1)FIESTA (1)Exploits Kit (1)iframe (3)CVE-2014-0160 (2)OpenSSL (3)Heartbleed (3)Citadel (2)CVE-2014-1776 (1)VGX.DLL (1)necrus (1)cutwail (2)gameover (3)vulnerability (3)zbot (1)control panel (1)carberp (1)zberp (1)Caphaw (2)Nuclear exploit kit (1)Shylock (1)Dragonfly (1)Zeus PIF (1)bitly (1)fraud (2)RIG Exploit Kit (1)POS malware (1)Point Of Sale Malware (1)Ukraine (1)Russia (1)Shellshock (1)CVE-2014-6271 (1)poodle (1)cve-2014-3566 (1)sslv3 (1)Ebola (1)CVE-2014-4114 (1)CPA (1)Regin (1)CVE-2015-0311 (1)CVE-2015-0235 (1)linux (1)GHOST (1)CVE-2015-0072 (1)Internet Explorer (1)XSS (1)IE (1)TorrentLocker (1)Product Information (1)Money Laundering (1)APSA10-05 (1)Skype spam
RSS Feed
Angler Exploit Kit – Operating at the Cutting Edge
Posted by AToro on 05 February 2015 02:30 PM

As we promised in one of our previous blog posts about exploit kits (Nuclear EK), we are going to take a more in-depth look at Angler Exploit Kit. Angler EK is possibly the most sophisticated exploit kit currently used by cyberciminals. It has pioneered solutions that other exploit kits started using later, such as antivirus detection and encrypted dropper files. In addition, Angler tends to be the quickest to integrate the latest zero days, such as the Adobe Flash zero day (CVE-2015-0311) from a few weeks ago, and it employs a notably unique obfuscation. Finally, Angler runs the dropped malware from memory, without ever having to write to the hard drive; this unique technique among exploit kits makes it extremely difficult for traditional antivirus technologies to detect it as they rely on scanning the file system.


While Angler is the most advanced exploit kit in today's threat landscape, Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at the following stages:


  • Stage 2 (Lure) - ACE has detection for the compromised websites.
  • Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page.
  • Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.
  • Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack




Angler's landing page consists of four basic parts. Firstly, there is some visible English text, which is used to make the victim of the exploit kit believe they have browsed to a legitimate page. Secondly, it has various deobfuscation routines to deobfuscate the actual malicious scripts. These scripts are located within p class tags and they are encoded as base64. Decoding the base64 strings reveals the actual obfuscated exploit kit code. And finally, the landing page contains several encrypted strings, which contain various URLs leading to the various exploits (Flash, Silverlight, Internet Explorer) included in the kit.


Samples from Angler landing page




Deobfuscated Exploit Code


Once the landing page is deobfuscated, the true nature of the code is revealed. Angler, just like Nuclear and various other exploit kits, uses a very basic second layer obfuscation to make detection by security products even more difficult. 


It also uses antivirus detection in addition to detecting various virtualization solutions (VMWare, VirtualBox, Parallels) as well as a web debugging proxy called Fiddler, which is widely used by security researchers. Implementing these measures makes it very difficult to observe and investigate this exploit kit in the wild, as most security researchers often rely heavily on these tools.


Detecting various .sys and .dll files which belong to AV and virtualization software


VMWare, VirtualBox, Parallels detection as well as Fiddler web debugging proxy



The most unique feature of Angler is the use of these encrypted URL paths. It uses a simple transposition-based cipher (in layman's terms: scrambling the letters) to encrypt and decrypt this data.


The decryption routine is embedded within the obfuscated part of the exploit kit.


Decryption routine as found in the kit


Decryption routine formatted and commented



We will use a very simple example to demonstrate how the decryption works. Suppose our cipher text (encrypted data) is "TEER CSURH TO PLTAOEL IX TP" and our decryption key is "OBFUSCATE". What Angler does is, it takes the alphabetical order of the letters in the key and rearranges the cipher text based on that. For example:


OBFUSCATE   6,2,5,9,7,3,1,8,4

This gives us the order of letters in the cipher text. Using this we can easily decrypt it by rearranging the letters.


Example decryption



And finally whitespaces are removed from the decrypted string . Obviously, this is an extremely rudimentary form of encryption and would be very easy to crack even without the key if (such as in the above example) the plaintext consisted of actual words. However, Angler uses highly randomised URLs so this kind of encryption is more than sufficient to hide the true nature of these strings and the actual URL paths from various security products.


The rest of the deobfuscated code follows usual exploit kit patterns: there are various plugin detection and version check routines so the exploit kit 'knows' which exploit(s) to fire on the target. There are also quite a few shellcode builder routines as Angler uses a multi staged shellcode, where various stages are encoded and get decoded by the previous stages. It also includes a hardcoded encryption/decryption key for the dropper file. 


Encryption key for payload


Multi stage Shellcode





If the exploit succeeds, Angler's payload is dropped on the victim's system. As the payload travels through the network it is still encrypted and gets decrypted later by the final stage shellcode. This technique is used to make detection of the malicious dropper very difficult for traditional intrusion detection systems (IDS). As we mentioned before, Angler uses 'fileless' droppers, which mean that they are run directly from memory. The dropper used by Angler is called Bedep, which is actually only a downloader - that is, it is not malicious per se, but it is used to download and execute various different malware.


The payload consists of a combination of shellcode and the Bedep DLL. If the first few bytes of the payload are "909090" (NOPs or No Operations in x86 assembly) the DLL will be loaded from the memory, otherwise it will be written to the disk just like a normal dropper file. The shellcode is responsible for running the DLL from memory.




The shellcode resolves APIs such as kernel32.dll and wininet.dll





Angler Exploit Kit is no doubt one of the most dangerous exploit kits out there in the wild today. It has various techniques in its arsenal to defeat traditional detection methods such as:


  • Unique Obfuscation
  • Detects antivirus/virtualization software
  • Encrypted payload
  • Fileless infections


In addition Angler is often the first to adopt the latest exploits, which include zero days from time to time. The constantly evolving nature of Angler also highlights the need for security solutions that provide protection across the entire kill chain instead of only focusing on just one stage of it.

Read more »

Flash 0-day being distributed by Angler Exploit Kit
Posted by ngriffin on 22 January 2015 10:11 AM

Websense is aware of a new zero-day vulnerability in Adobe Flash Player, which has been seen exploited in-the-wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine, is known to affect the latest version of Flash Player and has been seen dropping a trojan downloader called Bedep.


Websense customers were already protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:

  • Stage 3 (Redirect) – ACE has detection for the redirect to the exploit kit landing page.
  • Stage 4 (Exploit Kit) – ACE has detection for the exploit kit landing pages, as well as the Flash Player exploit itself.
  • Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with the Bedep trojan downloader.


[UPDATE] 23 January 2015

Adobe released an update to Flash Player on 22 January 2015 although it does not patch the issue discussed in this blog.

In a further announcement Adobe are hoping to patch CVE-2015-0311 (the vulnerability discussed in this blog and by Adobe here) on 26 January 2015.




The Adobe Flash Player samples that exploit this vulnerability have been shared with Websense, and protection for these malicious files are in place. Adobe have been made aware of this issue and are currently investigating. At the present time, it is not possible to disclose further information regarding specific details of this threat.




Currently, it is known that Angler Exploit Kit is exploiting this Flash Player vulnerability. As we have mentioned previously, it is becoming a growing trend for exploit kits to drop Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits.  Utilizing vulnerabilities in these popular applications provides attackers with a large surface area of vulnerable clients. Due to the nature of exploit kits, Websense technology is able to target the threat at multiple stages and ensure that protection remains in place independent of the exploits used.




At the present time, Adobe have yet to release a patch for Adobe Flash Player.  One persistent solution, for the time being, is to disable Flash Player in your browser until such time as a patch becomes available.


Websense Security Labs will continue to investigate this issue as more information becomes available.

Read more »