2. CONFIDENTIAL
PRESENTER
• Security Research Analyst on the OpenDNS team
• Undergraduate studies from National Technical University of Belarus in Computer Science
• Currently earning an Associate in Science degree from City College of San Francisco in Computer Networking and Information Security
• Network Security and Cyber Security certified
• Freelance pentester and bounty hunter
4. ANGLER EK ORIGIN
• First appearance of a unique ‘bodiless’ bot attacking news site visitors
• Reported by Russian researcher Sergey Golovanov in March 2012
• Unknown exploit as a part of Cool EK
• One of the first captured by Kafeine in August 2013
• Used fileless capabilities
• Angler in the context of the Blackhole takedown
• Kafeine chose the name for this exploit kit in October 2013
• Mapped to the ‘bodiless’ bot and the XXX exploit kit
• XXX is the real name for Angler
• 2010 is the real birth year of Angler
5. APT PARALLELS AND SIGNS
ADVANCED
Using advanced techniques at all stages of the campaign:
• Utilizing the most recent vulnerabilities (CVEs)
• Detecting and evading honeypots and antivirus
• Domain shadowing
• Encrypted payloads
6. APT PARALLELS AND SIGNS
PERSISTENT
• Angler EK is
• Talos thwarted access to ASNs that accounted for almost 90% of overall Angler traffic in October 2015
• The IP scheme changed, but the threat still exists and is growing.
7. APT PARALLELS AND SIGNS
THREAT
• Delivering ransomware makes it easily profitable
• Ransomware accompanied by other malware (Bedep, Pony, etc.) makes it even more profitable
• The infrastructure used and the stolen information can be traded or rented to other malicious actors
9. CYBER KILL CHAIN
• Reconnaissance
• Exploitation & Weaponization
• Delivery & Installation
• Command and Control
• Actions
Mostly used in terms of APT, so I have to modify it for my case.
(Diagram: Reconnaissance → Exploitation & Weaponization → Delivery & Installation → C&C → Actions)
10. RECONNAISSANCE
List of things needed for a successful campaign:
• Dedicated basic infrastructure - for C&C addresses, and for DNS tunnels for guaranteed egress
• Compromised registrant emails - for domain shadowing
• Bulletproof hosting - for use as C&C servers, to receive connect-back shells, to launch attacks. Recently active: .top and .tk
• Abused large providers - to host landing pages
• Acquiring a list of vulnerable sites - for use as pivots to hide the IP addresses of the stable servers and exploits
• Registering fake advertising companies - to deliver traffic
15. DELIVERY
Some of the main points in the delivery schema:
• Pseudo-Darkleech - not a server-level infection. The malicious PHP code is injected into the menu.php/index.php file. It fetches the actual iframe code on the fly from a remote server.
• DNS shadowing - the iframe URL (which used to be a No-IP dynamic host name) has been replaced with third-level domain names of sites with hacked DNS accounts (a lot of GoDaddy) that live only for a few hours, for example:
  ludeincenvira[.]buydashcameras[.]com
  republicanaaccenner[.]handymannservices[.]com
  scissorcase-kursfest[.]flatfeexpress[.]com
  uitgehougovorili9[.]goalrillabasketballgoals[.]info
• Forum-like URLs - iframe URLs now resemble URLs of forum sites. They include the following URL parts with random parameters:
  /boards/index.php?PHPSESSID=...
  /topic/viewtopic.php?PHPSESSID=...
  /forums/search.php?PHPSESSID=...
  /civis/search.php?85285-…
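The two delivery indicators above (forum-like iframe URLs with random parameters, and fresh third-level hostnames under an otherwise legitimate parent domain) can be checked against proxy or web logs. The block below is an added example written for this page, not code from the deck or from OpenDNS; the log line format, the parent domains under .example, the known-host baseline and the 12-character label threshold are all constructed assumptions. Only the leftmost labels of the sample shadow hostnames are taken from the slide.

```python
"""
Flag Angler-style delivery indicators in proxy/web logs. Added example for this page, not code
from the deck or from OpenDNS. Two heuristics from the slide: forum-like iframe URLs carrying
random parameters, and new third-level hostnames under a parent domain that is otherwise known
(domain shadowing) whose leftmost label is long and random-looking.
"""
import re
from urllib.parse import urlsplit

# Path shapes taken from the slide's list of forum-like iframe URLs.
FORUM_PATHS = re.compile(
    r"^/(boards/index\.php|topic/viewtopic\.php|forums/search\.php|civis/search\.php)$"
)
MIN_RANDOM_LABEL = 12  # assumption: the slide's shadow labels are 13-20 characters long


def looks_like_forum_lure(url):
    """True when the path matches a forum-like shape and random parameters follow it."""
    parts = urlsplit(url)
    return bool(FORUM_PATHS.match(parts.path)) and bool(parts.query)


def registered_domain(host):
    """Last two labels of the host. Simplification: production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_shadow_candidate(host, known_hosts):
    """New subdomain of a parent we have seen before, with a long random-looking leftmost label."""
    host = host.lower()
    if host in known_hosts:
        return False
    parent = registered_domain(host)
    if parent == host:
        return False  # a bare registered domain cannot be a shadow subdomain
    if parent not in {registered_domain(h) for h in known_hosts}:
        return False  # the parent domain itself is unknown: a different problem
    sub = host[: -len(parent) - 1]
    return len(sub) >= MIN_RANDOM_LABEL and not sub.startswith("www")


def scan_log(lines, known_hosts):
    """Return (client_ip, url, reasons) for each log line that trips at least one heuristic."""
    hits = []
    for line in lines:
        _ts, client, url = line.split(" ", 2)  # constructed format: "<timestamp> <client_ip> <url>"
        host = urlsplit(url).hostname or ""
        reasons = []
        if looks_like_forum_lure(url):
            reasons.append("forum-like lure URL")
        if is_shadow_candidate(host, known_hosts):
            reasons.append("possible shadow domain")
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample: subdomain labels copied from the slide, parent domains invented under .example.
KNOWN_HOSTS = {"www.camerastore.example", "camerastore.example", "support.camerastore.example",
               "www.handyman.example", "news.example"}
SAMPLE_LOG = [
    "2016-02-10T10:00:01Z 198.51.100.7 http://www.camerastore.example/products/dashcam",
    "2016-02-10T10:00:03Z 198.51.100.7 http://ludeincenvira.camerastore.example/boards/index.php?PHPSESSID=9f1c3a",
    "2016-02-10T10:00:05Z 198.51.100.9 http://uitgehougovorili9.handyman.example/civis/search.php?85285-a1",
    "2016-02-10T10:00:07Z 198.51.100.9 http://support.camerastore.example/forums/search.php",
    "2016-02-10T10:00:09Z 198.51.100.12 http://news.example/topic/viewtopic.php?PHPSESSID=0c7d",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG, KNOWN_HOSTS):
        print(client, url, "; ".join(reasons))
```

The last sample line shows why the forum-path heuristic is weak on its own: a real forum on a known host also matches. The combination of a forum-like path with random parameters on a never-before-seen, random-looking subdomain of a legitimate parent is what separates the lure from ordinary traffic, so in practice score the two reasons together rather than alerting on either alone.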
16. DELIVERY & INSTALLATION
Most recent model delivering user traffic to lander pages (each step with the control it defeats):
1. Victim visits a well-known trusted site - IP reputation: content not blocked
2. goo.gl URLs, abused ad networks (including top ones), fake advertiser domains - SSL-encrypted ad call URL, or a GIF hiding code with on-the-fly encoding
3. Targeted genuine residential IP redirects to a compromised site - only specific IPs will be redirected
4. Next redirect to a shadow copy or compromised site - domain shadowing technique, TLD resides on a different IP
5. Victim hits the lander page (second payload) - web filter failed, web address is not blocked
6. Payload delivered - if the system is vulnerable
7. Initial payload delivered and executed - antivirus failed, binary is obfuscated
8. Negotiate encryption - web filter failed, communication is not blocked
9. Encrypt data
10. Local backups removed
11. Display ransom notes
17. INSTALLATION
Fileless ransomware exploitation technique:
1. Locate an exploitable process - the process is loaded into memory but the primary thread is suspended
2. Inject the first payload into it
3. Force the DLL to load in the context of that process - the process calls LoadLibrary and loads the malicious remote DLL
4. When encryption is finished, free the memory - persistence isn't a goal
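Because the DLL in this technique never touches disk and its memory is freed once encryption finishes, the artefact has to be found while the exploited process is alive. The block below is an added example written for this page, not the deck's or OpenDNS's tooling: a malfind-style scoring of a process's memory regions that flags executable memory with no backing file, and raises the severity when such a region starts with a PE header. The region records are a constructed simplification of what VirtualQueryEx or a Volatility-style plugin reports; no live process is inspected, and the javaw.exe snapshot is invented (javaw.exe being the process named in the Golovanov write-up quoted on this page).

```python
"""
Memory-scan heuristic for the fileless loader described on the slide. Added example for this page,
not the deck's or OpenDNS's tooling. Region records are a constructed simplification of what
VirtualQueryEx or a Volatility-style plugin reports; no live process is inspected.
"""
from dataclasses import dataclass

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Region:
    base: int
    size: int
    protect: str   # page protection of the region
    kind: str      # "MEM_IMAGE" (file-backed module), "MEM_MAPPED" or "MEM_PRIVATE"
    path: str      # backing file for MEM_IMAGE regions, "" otherwise
    head: bytes    # first bytes of the region (constructed)


def score_region(region):
    """Return (severity, reason) for one region; severity 0 means nothing worth reporting."""
    if region.protect not in EXECUTABLE:
        return 0, ""
    if region.kind == "MEM_IMAGE" and region.path:
        return 0, ""  # ordinary module backed by a file on disk: AV and image-load logging already cover it
    if region.head.startswith(b"MZ"):
        # A PE header in memory with no backing file is the signature of a reflectively loaded module.
        return 3, "PE header in non-file-backed executable memory (in-memory DLL)"
    if region.protect == "PAGE_EXECUTE_READWRITE":
        # RWX private memory is also what JIT engines in javaw.exe and browsers allocate, so alone it is low confidence.
        return 1, "RWX private memory without a backing file (shellcode or JIT cache)"
    return 1, "executable memory without a backing file"


def scan_regions(regions):
    """Return [(base, severity, reason)] for suspicious regions, highest severity first."""
    findings = []
    for region in regions:
        severity, reason = score_region(region)
        if severity:
            findings.append((region.base, severity, reason))
    return sorted(findings, key=lambda f: -f[1])


# Constructed snapshot of a javaw.exe process: one legitimate module, one data region,
# one JIT code cache (benign RWX) and one injected DLL that has no file behind it.
JAVAW_REGIONS = [
    Region(0x00400000, 0x20000, "PAGE_EXECUTE_READ", "MEM_IMAGE", r"C:\Program Files\Java\jre7\bin\javaw.exe", b"MZ\x90\x00"),
    Region(0x00600000, 0x10000, "PAGE_READWRITE", "MEM_PRIVATE", "", b"\x00\x00\x00\x00"),
    Region(0x02a00000, 0x100000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE", "", b"\x55\x8b\xec"),   # JIT code cache
    Region(0x04f10000, 0x36000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE", "", b"MZ\x90\x00\x03"),  # injected DLL
]

if __name__ == "__main__":
    for base, severity, reason in scan_regions(JAVAW_REGIONS):
        print(f"0x{base:08x} severity={severity} {reason}")
```

The JIT region is the practitioner's caveat: Java and browser processes legitimately hold RWX private memory, so a scanner that alerts on RWX alone drowns in false positives on exactly the processes Angler targets. The PE-header check is what lifts the injected module above that noise, and the scan has to run before step 4 above frees the memory.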
19. MONEY GATHERED DURING CAMPAIGN, MOSTLY IN BTC
ESTIMATED YEARLY REVENUE AFTER TALOS THWART: $17,126,058.00
CAMPAIGN OWNERS' EXPENSES & LOSSES
• The process of legalizing BTC income is difficult
• Main ways are carding, shopping, underground exchange, money mules
• Money spent on infrastructure, maintenance, recon campaigns
• The end result is about 50+% loss
20. DETECTION & PREVENTION
• SPRank, created by our researchers, detects compromised domains based on DNS data
• A honeypot run by an analyst provides another source of compromised domains based on HTTP data
• Pivoting around these domains lets us discover compromised registrants and IPs
• Data available in Investigate helps to identify reused infrastructure, malicious authors, and patterns
STOPPING THE EXPLOIT CHAIN AT ANY STEP CAN MITIGATE INFECTION
24. ABUSED AND DEDICATED ASNs
Most active ASNs in the last 90 days:
• AS 59504 CYBERTECH-AS LLC CyberTech, RU
• AS 201094 GMHOST Mulgin Alexander Sergeevich, UA (dedicated)
• AS 15756 CARAVAN JSC Caravan Telecom, RU
• AS 48716 PS-AS PS Internet Company LLC, RU
• AS 43146 AGAVA3 Agava Ltd., RU
• AS 16276 OVH OVH SAS, FR (highly abused)
• AS 15083 INFOLINK-MIA-US - Infolink Global Corporation, US
• AS 29182 ISPSYSTEM-AS JSC _ISPsystem_, LU
• AS 53264 CDC-LMB1 - Continuum Data Centers, LLC., US
• AS 20860 IOMART-AS Iomart, GB
• AS 12586 ASGHOSTNET GHOSTnet GmbH, DE 86400 (.tk)
• AS 203973 GUARDOMICRO-AS GUARDOMICRO S.R.L, RO 86400 (.tk)
26. PREVENTION
Ways to mitigate risks:
• Keep backups of the data at all times
• Use a layered security system; a software and/or hardware firewall is a must-have
• Implement DNS control
• Patch management (covers most exploits)
• Maintain consistency of the domain's DNS settings so that it contains only legitimate records
• User education
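The DNS-consistency item above is the domain owner's side of the domain-shadowing problem: an operator holding stolen registrant credentials adds short-lived third-level records that point at hosting the owner never used, so diffing a live zone export against an approved baseline exposes them. The block below is an added example written for this page, not the deck's or OpenDNS's tooling; the minimal "name type value" zone format, the owned network 203.0.113.0/24 and the example.com records are constructed assumptions, and only the shadow subdomain labels are copied from the slide. In practice the live side comes from the registrar's API or an AXFR of your own authoritative server.

```python
"""
Zone-consistency audit for the "maintain consistency of the domain's DNS settings" item.
Added example for this page, not the deck's or OpenDNS's tooling. Zone text, owned network
and record format are constructed assumptions.
"""
import ipaddress

OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: hosting ranges the owner controls


def parse_zone(text):
    """Parse 'name type value' lines (minimal constructed zone format, ';' starts a comment) into a set."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        records.add((name.lower().rstrip("."), rtype.upper(), value.lower().rstrip(".")))
    return records


def audit_zone(live, baseline):
    """Return (name, type, value, note) for every record that differs from the approved baseline."""
    findings = []
    for name, rtype, value in sorted(live - baseline):
        note = "record not in baseline"
        if rtype == "A" and not any(ipaddress.ip_address(value) in net for net in OWNED_NETWORKS):
            note += "; points outside owned address space (shadowing pattern)"
        if name.startswith("*."):
            note += "; wildcard record"
        findings.append((name, rtype, value, note))
    for name, rtype, value in sorted(baseline - live):
        findings.append((name, rtype, value, "baseline record missing from live zone"))
    return findings


# Constructed baseline: the records the owner approved.
BASELINE_ZONE = """
example.com.       A   203.0.113.10
www.example.com.   A   203.0.113.10
example.com.       MX  mail.example.com.
mail.example.com.  A   203.0.113.25
"""

# Constructed live export: the baseline plus one benign drift and two shadow subdomains
# (labels copied from the slide) pointing at an address the owner does not control.
LIVE_ZONE = BASELINE_ZONE + """
example.com.                      TXT  "v=spf1 mx -all"   ; added by an admin, not yet in baseline
ludeincenvira.example.com.        A    198.51.100.77      ; shadow record
republicanaaccenner.example.com.  A    198.51.100.77      ; shadow record
"""

if __name__ == "__main__":
    for finding in audit_zone(parse_zone(LIVE_ZONE), parse_zone(BASELINE_ZONE)):
        print(*finding)
```

Run on a schedule, the audit turns the slide's "only legitimate records" requirement into something measurable: any unexpected record is reported, and an A record that leaves the owner's address space gets the extra shadowing note so it can be prioritised over harmless drift such as a new TXT record.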
28. Reasons Angler Keeps Winning
• The organizations responsible for these exploit kit campaigns are generating millions of dollars in revenue. As a result, they are continually evolving to maximize the number of users that are impacted.
• Findings point to a larger organization that is using various threats to infect users for monetary gain.
• With close to 40% of users hitting Angler infrastructure being compromised, it is a significant threat.
• Security applications do not quickly recognize ransomware’s maliciousness because ransomware itself “effectively acts as a security application.”
• The details are not always known because, unlike data breaches, ransomware attacks do not need to be disclosed by law.
As a rule, the operation of such an exploit involves saving a malicious file, usually a dropper or downloader, on the hard drive. However, in this case we were in for a surprise: no new files appeared on the hard drive.
After seizing all necessary privileges on the victim computer, the exploit does not install malware on the hard drive using Java. Instead, it uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process. The address from which the library is to be downloaded is encrypted in the iframe that was included in the JS script downloaded from AdFox.ru
Exploited CVEs (only the last four digits survive on the slide): 0034 (Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding); 8651, 8446, 7645, 5560, 0313 (Flash Player); 2419 (IE)