MMW June 2016: The Rise and Fall of Angler


Page 1: MMW June 2016: The Rise and Fall of Angler
Page 2

Rise and Fall of Angler Exploit Kit

Nick Bilogorskiy

@belogor

Page 3

Your speakers today

Nick Bilogorskiy (@belogor), Sr. Director of Threat Operations

Marci Kusanovich, Marketing Communications Manager

Page 4

Agenda

o What is an Exploit Kit
o Map Exploit Kits to payloads
o Case Studies: Nuclear, RIG
o Angler story
o Wrap-up and Q&A

Cyphort Labs T-shirt

Page 5

Housekeeping

• You are on mute
• Enter questions
• Can order t-shirt

Page 6

Threat Monitoring & Research team

o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response

We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research

We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd-party threat data

cyphort.com/blog

Page 7

What is an Exploit Kit

An exploit kit is an easy-to-use toolkit for infecting computers over the web. It contains many exploits targeting client applications such as Adobe Reader, Java or Flash Player.

An exploit kit can be fitted with any malware payload.

Page 8

Exploit Kit Business Model

o Exploits-as-a-service platform
o All browsers vulnerable
o Plug in your own malware
o Can defeat IDS and antivirus
o Obfuscation constantly changing
o Try to drive up conversion rate to increase prices

Page 9

Exploit Kits Workflow

o Exploit Kits infect you without a "click"
o Angler, Sweet Orange, Nuclear, RIG

Sources: Fox-it.com, McAfee Labs

Page 10

How do Users get to Exploit Kits?

Chart (Osterman Research): Exploit Kits vs. Malvertising

Page 11

Malvertising

Page 12

Malvertising Distributes Exploit Kits

Attacker: creates and injects malware ads into an advertising network

Advertising network: selects an ad based on auction, sends it to the website

Website: serves a banner ad, sometimes malicious

User: visits a popular website, gets infected via exploit kit

Page 13

Redirection

1. www.articlefield.com
2. w1ns.com
3. thfire.com
4. www.thfire.com
5. adsppperv.com
6. www.blog-hits.com
7. tracking1112.com
8. townsearchguides.com
9. tracki112.com
10. c.feed-xml.com
11. 109.206.188.72
12. 216.172.54.28
13. scriptforclick.com
14. dealsadvlist.com
15. spreadsheets.wiaawy.eu

Infected: Payload:
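A chain like the one above is what a defender sees in proxy logs: one client bounced through a dozen throwaway domains and bare IP addresses before reaching the landing page. The script below is an added example of reconstructing such chains from Referer links and scoring them; it is not Cyphort's detection logic. The log format, the client addresses, the Referer relationships and the five-hop threshold are all assumptions made for the example (only the hostnames are taken from the slide), and the log lines are constructed.

```python
"""Reconstruct browser redirect chains from proxy log lines and flag the
ones that look like a malvertising-to-exploit-kit path.

Added example, not Cyphort's detection logic. Log format, client IPs,
Referer links and the hop threshold are assumptions; lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed log format: "<timestamp> <client_ip> <url> <referer|->"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Assumed threshold: ordinary page loads rarely redirect this many times.
MAX_HOPS = 5

# Constructed sample: hostnames from the slide, everything else made up.
SAMPLE_LOG = """\
2016-06-07T10:00:01 10.0.0.5 http://www.articlefield.com/ -
2016-06-07T10:00:02 10.0.0.5 http://w1ns.com/a.js http://www.articlefield.com/
2016-06-07T10:00:02 10.0.0.5 http://thfire.com/ http://w1ns.com/a.js
2016-06-07T10:00:03 10.0.0.5 http://109.206.188.72/ad http://thfire.com/
2016-06-07T10:00:03 10.0.0.5 http://216.172.54.28/x http://109.206.188.72/ad
2016-06-07T10:00:04 10.0.0.5 http://spreadsheets.wiaawy.eu/land http://216.172.54.28/x
2016-06-07T10:00:05 10.0.0.9 http://www.example.org/ -
2016-06-07T10:00:06 10.0.0.9 http://cdn.example.org/site.css http://www.example.org/
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url, referer = m.groups()
        records.append({"ts": ts, "client": client, "url": url,
                        "referer": None if referer == "-" else referer})
    return records


def build_chains(records):
    """Return {client_ip: [chain, ...]}; each chain is a list of URLs linked
    referer -> request, starting from requests that carried no Referer."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)
    chains = {}
    for client, recs in by_client.items():
        # Map each referer to the first request it triggered. A page that
        # pulls several resources only contributes its first child, which
        # is enough to follow a hop-by-hop redirect path.
        next_hop = {}
        for rec in recs:
            if rec["referer"] is not None:
                next_hop.setdefault(rec["referer"], rec["url"])
        client_chains = []
        for root in (r["url"] for r in recs if r["referer"] is None):
            chain, seen = [root], {root}
            while chain[-1] in next_hop and next_hop[chain[-1]] not in seen:
                chain.append(next_hop[chain[-1]])
                seen.add(chain[-1])  # guard against Referer loops
            client_chains.append(chain)
        chains[client] = client_chains
    return chains


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_chain(chain):
    """Return the reasons a chain looks suspicious (empty list if none)."""
    hosts = [urlparse(url).hostname or "" for url in chain]
    reasons = []
    if len(hosts) >= MAX_HOPS:
        reasons.append(f"{len(hosts)} hops")
    ip_hosts = [h for h in hosts if is_ip_host(h)]
    if ip_hosts:
        # Ad networks serve from hostnames; hops to bare IPs are a classic
        # sign of throwaway redirector infrastructure.
        reasons.append("bare-IP hop: " + ", ".join(ip_hosts))
    return reasons


def suspicious_chains(log_text):
    """Return [(client_ip, chain, reasons)] for every chain that scored."""
    hits = []
    for client, chains in build_chains(parse_log(log_text)).items():
        for chain in chains:
            reasons = score_chain(chain)
            if reasons:
                hits.append((client, chain, reasons))
    return hits


if __name__ == "__main__":
    for client, chain, reasons in suspicious_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain), "|", "; ".join(reasons))
```

On the constructed log this flags the 10.0.0.5 chain (six hops, two of them to bare IPs) and leaves the ordinary two-request page load from 10.0.0.9 alone. In practice Referer is stripped by some redirectors and by HTTPS-to-HTTP transitions, so chains reconstructed this way are a lower bound; correlating on client and a short time window recovers the rest.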

Page 14

List of Exploit Kits

Archie, Angler, Astrum, Blackhole, Bleeding Life, CK VIP, Cool, Crime Boss, CritX, Dotkachef, Fiesta/Neosploit, Flashpack, Flimkit, Glazunov, GongDa, Grandsoft, Hanjuan, HiMan, Infinity, KaiXin, LightsOut, Magnitude, Neutrino, Nuclear, NullHole, Rawin, Redkit, RIG, Sakura, Sednit, Styx, Sweet Orange, White Lotus

(The slide marks some kits with the year they were seen, 2013* to 2016*; those markers cannot be attached to specific kits in the extracted text.)

Page 15

Exploit Kit to Payload Mapping

Exploit Kit   Origin   Payloads
Nuclear       Russia   Locky, CryptoWall
Magnitude     Russia   Cerber, CryptXXX
RIG           Russia   CryptoWall, TeslaCrypt
Neutrino      Russia   CryptXXX, Necurs, Vawtrak
Angler        Russia   CryptXXX, Locky, TeslaCrypt

Page 16

Nuclear

Page 17

Nuclear Exploit Kit

o 10% conversion rate
o 2 million victims
o Installed Locky, TeslaCrypt and other ransomware
o Disappeared in May 2016

Page 18

Nuclear Flow

1. Compromised site
2. Landing page
   o Multi-stage JavaScript obfuscation
   o Exploit containers
   o Browser exploit (CVE-2014-6332, IE VBScript OLE vulnerability)
   o The Flash exploit is not embedded in the landing page; it is downloaded and executed in a modular fashion: CVE-2016-1910, CVE-2015-7645, CVE-2015-5122
3. Payload (Locky, CryptoWall)

Page 19

Nuclear Exploit Kit

Page 20

Nuclear Exploit Kit

Page 21

RIG

Page 22

Rig Flow

1. Compromised site
2. Landing page
   o Browser exploit (CVE-2014-6332, IE VBScript OLE vulnerability)
   o Flash exploit CVE-2015-5122 (Hacking Team exploit). The first-stage Flash exploit is heavily obfuscated to evade static AV engine detection and to confuse the malware analyst. It runs, loads a second-stage Flash exploit in memory, exploits the browser's Flash plugin and infects the machine.
   o Decrypt the payload: the shellcode is XOR-encrypted with key 19.
3. Payload (Cerber, Tofsee)
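The single-byte XOR step above is the part of the RIG chain an analyst reproduces by hand most often. The block below is an added example, not RIG's own code: it decodes a blob with key 19 and, because "key 19" in a write-up can mean decimal 19 (0x13) or hex 0x19, brute-forces all 256 keys against a list of shellcode prologues so the blob itself settles the question. The sample blob is constructed from a well-known x86 PEB-walking API-resolver prologue rather than captured from RIG, the decimal reading of the key is an assumption, and the prologue list is an assumed analyst heuristic.

```python
"""Decode a single-byte-XOR'd exploit-kit shellcode blob and recover the key.

Added example, not RIG's own code. Assumes the slide's "key 19" is decimal
19 (0x13); the sample blob is constructed, and the prologue list is an
assumed heuristic.
"""

# Prologues that common Windows x86 shellcode begins with (assumed heuristic):
# 'cld; call' (FC E8), the FPU GetPC trick (D9 EE D9 74 24 F4), and
# 'call $+5' (E8 00 00 00 00).
KNOWN_PROLOGUES = (
    b"\xfc\xe8",
    b"\xd9\xee\xd9\x74\x24\xf4",
    b"\xe8\x00\x00\x00\x00",
)


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this also encrypts."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte XOR key must be 0..255")
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, prologues=KNOWN_PROLOGUES):
    """Brute-force all 256 keys; return (key, prologue) for the first key
    whose decoded output starts with a known prologue, or None.

    Handy when a write-up says 'key 19' and it is unclear whether that is
    decimal 19 (0x13) or hex 0x19: the blob settles it.
    """
    head_len = max(len(p) for p in prologues)
    for key in range(256):
        head = xor_decrypt(blob[:head_len], key)
        for prologue in prologues:
            if head.startswith(prologue):
                return key, prologue
    return None


# Constructed sample: start of a typical x86 PEB-walking API resolver
# (fc e8 ... / cld; call), encrypted with decimal key 19 as the slide says.
SAMPLE_PLAIN = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b5214")
SAMPLE_BLOB = xor_decrypt(SAMPLE_PLAIN, 19)


if __name__ == "__main__":
    found = recover_xor_key(SAMPLE_BLOB)
    print("recovered key:", found)
    if found:
        print("decoded:", xor_decrypt(SAMPLE_BLOB, found[0]).hex())
```

Two caveats worth keeping in mind: XOR with a zero byte returns the key unchanged, so a run of null padding anywhere in the decoded payload leaks a single-byte key without any brute force; and a prologue match is a heuristic, not proof, so confirm by disassembling the decoded bytes before trusting the key.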

Page 23

Angler

Page 24

Angler Exploit Kit

o Discovered in 2013, quickly rose to dominate all exploit kits
o 40% conversion rate (!)
o Installed Locky, TeslaCrypt, Kovter
o $34 million annually
o Went dead in June 2016

Source: Sophos

Page 25

Malware-Traffic-Analysis Angler stats

Chart: Overall Angler stats by month, Aug 2015 to Jun 2016 (y-axis 0 to 18).

Page 26

Angler Flow

1. Compromised site
2. Three gates (Afraid Gate | EITest | Pseudo-Darkleech)
3. Landing page
   o Browser check
   o AV and VM detection
   o Exploit containers
   o Browser exploit (CVE-2014-6332, IE VBScript OLE vulnerability)
   o Flash exploit (CVE-2015-3090, CVE-2015-5122, CVE-2015-5119)
4. Payload (TeslaCrypt | Locky | CryptXXX)

Page 27

Angler Landing Page

Page 28

Angler Payloads

Page 29

TeslaCrypt

Page 30

Timeline

o Apr 12, 2016: Blackhole's author Paunch sentenced to 7 years in a Russian penal colony

o June 1, 2016: Kaspersky helps the FSB arrest 50 hackers in Russia, the Lurk gang, which stole 3 billion rubles from Russian banks. Lurk was distributed by Angler!

o June 7, 2016: Angler last seen in the wild

(Photo: Paunch)

Page 31

June 2016 Arrests in Russia

Page 32

The Fall of Angler in June

Source: F-Secure Labs

Page 33

Fall of Angler in June

Source: Trend Micro

Page 34

Cyphort Labs data: domains which were serving Angler are now serving Neutrino:

o jkanime.net
o visajourney.com
o novini.bg

Page 35

Angler‘s Keys to Success

Versatility.

Evasion.

Update speed.

Page 36

Tips to Defend from Exploit Kits

o Strong anti-spam and anti-phishing procedures
o Automatic Windows updates; keep operating systems patched
o Upgrade to the latest version of Windows
o Install patches from other software manufacturers as soon as they are distributed
o A fully patched computer behind a firewall is the best defense against exploit kits

Page 37

Tips to Defend from Exploit Kits

o Never open unsolicited emails or unexpected attachments, even from known people.

o Beware of spam-based phishing schemes. Don't click on links in emails or instant messages.

o Use a browser plug-in to block the execution of scripts and iframes.

Page 38

Summary

1. Exploit kits are the most effective way today to infect users' computers automatically at large scale.

2. Angler dominated all exploit kits throughout 2015 and 2016 until suddenly disappearing in June.

3. Arrests in Russia may have contributed to the recent decline of Angler and other Russian exploit kits.

4. Use defense-in-depth powered by machine learning to defend against exploit kit attacks.

Page 39

Q&A

Thank You! Twitter: @belogor

Previous MMW slides on cyphort.com/labs/malwares-wanted/