Artsiom Holub March, 2016 Deconstructing The Cyber Kill Chain of Angler Exploit Kit
Transcript
Page 1: Angler talk

Artsiom Holub, March 2016

Deconstructing The Cyber Kill Chain of Angler Exploit Kit

Page 2: Angler talk

PRESENTER

• Security Research Analyst on the OpenDNS team

• Undergraduate studies from National Technical University of Belarus in Computer Science

• Currently earning an Associate in Science degree from City College of San Francisco in Computer Networking and Information Security

• Network Security and Cyber Security certified

• Freelance pentester and bounty hunter

Page 3: Angler talk

AGENDA

• Angler EK origin
• APT parallels and sighs
• Cyber kill chain of an AEK campaign
• Money flow
• Detection & prevention
• Summary

Page 4: Angler talk

ANGLER EK ORIGIN

• First appearance of a unique ‘bodiless’ bot attacking news-site visitors, reported by Russian researcher Sergey Golovanov in March 2012
• An unknown exploit appeared as part of Cool EK; one of the first samples was captured by Kafeine in August 2013 and used fileless capabilities
• Angler rose in the context of the Blackhole takedown; Kafeine chose the name for this exploit kit in October 2013
• Mapped to the ‘bodiless’ bot and the XXX exploit kit: XXX is the real name of Angler, and 2010 is its real birth year

Page 5: Angler talk

APT PARALLELS AND SIGHS

ADVANCED

Using advanced techniques at all stages of the campaign:
• Utilizing the most recent vulnerabilities (CVEs)
• Implementing honeypot and antivirus detection and avoidance
• Domain shadowing
• Encrypted payloads

Page 6: Angler talk

APT PARALLELS AND SIGHS

PERSISTENT

Angler EK is persistent:
• Talos thwarted access to ASNs that accounted for almost 90% of overall Angler traffic in October 2015
• The IP scheme changed, but the threat still exists and is growing

Page 7: Angler talk

APT PARALLELS AND SIGHS

THREAT

• Delivering ransomware makes the campaign easily profitable
• Ransomware accompanied by other malware (Bedep, Pony, etc.) makes it even more profitable
• The infrastructure used and the information stolen can be traded or rented to other malicious actors

Page 8: Angler talk

Introducing the Cyber Kill Chain of a Malicious Angler Campaign in the Wild

Page 9: Angler talk

CYBER KILL CHAIN

• Reconnaissance
• Exploitation & Weaponization
• Delivery & Installation
• Command and Control
• Actions

The kill chain is mostly used in terms of APT, so I have to modify it for my case:

Reconnaissance → Exploitation & Weaponization → Delivery & Installation → C&C → Actions

Page 10: Angler talk

RECONNAISSANCE

List of things needed for a successful campaign:

• Dedicated basic infrastructure – for C&C addresses and for DNS tunnels for guaranteed egress
• Compromised registrant emails – for domain shadowing
• Bulletproof hosting – for use as C&C servers, to receive connect-back shells, and to launch attacks; recently active on .top and .tk
• Abused large providers – to host landing pages
• Acquiring a list of vulnerable sites – for use as pivots to hide the IP addresses of the stable servers and exploits
• Registering fake advertising companies – to deliver traffic

Page 11: Angler talk

RECONNAISSANCE

Preparation flow (diagram):

Dedicated infrastructure advertises bogons → Phishing campaigns use the advertised addresses → Infrastructure ready → Accounts used in domain shadowing acquired → LAUNCH OF THE CAMPAIGN

Page 12: Angler talk

EXPLOITATION
Compromised domains hosting lander pages (pie chart; values paired with the legend entries in the order they appear on the slide):

• WordPress – 42%
• Joomla – 5%
• Domain shadowing – 36%
• Dedicated – 11%
• Others – 6%

Page 13: Angler talk

EXPLOITATION & WEAPONIZATION
Compromising victims through one of the following vulnerabilities (bar chart, share of infections on a 0–30% scale):

• CVE-2016-0034 (Silverlight)
• CVE-2015-8651 (Flash)
• CVE-2015-8446 (Flash)
• CVE-2015-7645 (Flash)
• CVE-2015-5560 (Flash)
• CVE-2015-0313 (Flash)
• CVE-2015-2419 (Internet Explorer)
• Others

Page 14: Angler talk

EXPLOITATION & WEAPONIZATION
Placing lander pages with payloads; payload families observed:

• TeslaCrypt
• CryptoWall
• Bedep
• HydraCrypt
• Vawtrak
• Tinba
• Others

Page 15: Angler talk

DELIVERY
Some of the main points in the delivery scheme:

• Pseudo-Darkleech – not a server-level infection. The malicious PHP code is injected into the site's menu.php/index.php file; it fetches the actual iframe code on the fly from a remote server.

• DNS (domain) shadowing – the iframe URL (which used to be a No-IP dynamic host name) has been replaced with third-level domain names of sites with hacked DNS accounts (many at GoDaddy) that live only for a few hours, for example:

  ludeincenvira[.]buydashcameras[.]com
  republicanaaccenner[.]handymannservices[.]com
  scissorcase-kursfest[.]flatfeexpress[.]com
  uitgehougovorili9[.]goalrillabasketballgoals[.]info

• Forum-like URLs – iframe URLs now resemble URLs of forum sites. They include one of the following URL parts with random parameters:

  /boards/index.php?PHPSESSID=...
  /topic/viewtopic.php?PHPSESSID=...
  /forums/search.php?PHPSESSID=...
  /civis/search.php?85285-…
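The two delivery traits above (forum-like iframe paths and throwaway third-level hosts under a legitimate apex domain) are easy to turn into a proxy-log check. The following is an added example written for this page, not code from the talk or from OpenDNS: the log format (client IP followed by the URL), the allow-list of legitimate forum hosts and the sample lines are constructed; the URL paths and the two shadowed host names are the ones quoted on the slide. The host-shape test is a coarse heuristic and is labelled as such.

```python
"""Flag proxy-log requests shaped like the Angler delivery patterns above.

Added example, not code from the original talk.  The log format (client
IP, URL), the allow-list of legitimate forum hosts and the sample lines
are constructed for illustration; the URL paths and shadowed host names
are the ones quoted in the talk.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Forum-like paths used for Angler iframe URLs (taken from the talk).
FORUM_PATH_RE = re.compile(
    r"^/(boards|topic|forums|civis)/(index|viewtopic|search)\.php$"
)

# Hosts where forum-looking URLs are expected (constructed allow-list).
KNOWN_FORUM_HOSTS = {"forum.example.org"}

# Labels that are normal as the third level of a registered domain.
COMMON_SUBDOMAINS = {"www", "mail", "ftp", "webmail", "cpanel", "blog", "shop"}


def is_forum_like(url: str) -> bool:
    """True if the path looks like phpBB-style forum software and carries
    either a PHPSESSID parameter or a bare numeric token like 85285-..."""
    parts = urlsplit(url)
    if not FORUM_PATH_RE.match(parts.path):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return "PHPSESSID" in qs or re.match(r"\d+-", parts.query) is not None


def is_shadow_candidate(host: str) -> bool:
    """Shape check for a shadowed name: exactly label.apex.tld with a long,
    non-standard leftmost label.  This is a coarse heuristic, not proof of a
    hijacked DNS account; a real deployment would add record age and TTL."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) != 3:
        return False
    sub = labels[0]
    return len(sub) >= 12 and sub not in COMMON_SUBDOMAINS


def classify(url: str) -> str:
    """Return a verdict string for one URL."""
    host = urlsplit(url).hostname or ""
    forum = is_forum_like(url)
    if forum and host in KNOWN_FORUM_HOSTS:
        return "benign-forum"
    if forum and is_shadow_candidate(host):
        return "angler-gate"          # forum-like path on a shadowed host
    if forum:
        return "forum-path-unknown-host"
    if is_shadow_candidate(host):
        return "shadow-host"
    return "clean"


def scan(log_lines):
    """Yield (url, verdict) for each request worth a look.  Each log line is
    '<client-ip> <url>'; clean and allow-listed forum hits are skipped."""
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        verdict = classify(fields[1])
        if verdict not in ("clean", "benign-forum"):
            yield fields[1], verdict


# Constructed sample log; the hosts on lines 1 and 3 are quoted in the talk.
SAMPLE_LOG = """\
10.0.0.5 http://ludeincenvira.buydashcameras.com/boards/index.php?PHPSESSID=a1b2c3
10.0.0.5 http://forum.example.org/forums/search.php?PHPSESSID=zzz
10.0.0.7 http://scissorcase-kursfest.flatfeexpress.com/civis/search.php?85285-foo
10.0.0.9 http://www.example.com/index.html
10.0.0.9 http://cdn.example.net/topic/viewtopic.php?PHPSESSID=1
""".splitlines()

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:24} {url}")
```

The two signals are kept separate on purpose: a forum-style path on an unknown host is worth a look on its own, and a long throwaway label under a real apex is worth a look even without the path, but the combination is the shape the slide describes and is what the "angler-gate" verdict is reserved for.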

Page 16: Angler talk

DELIVERY & INSTALLATION
Most recent model delivering user traffic to lander pages (flow diagram; each step is paired with the control that fails):

• Victim visits a well-known, trusted site – IP reputation check passes, the site is not blocked
• goo.gl URLs, abused ad networks (including top ones) and fake advertiser domains – the ad-call URL is SSL-encrypted, or the code is hidden in a GIF with on-the-fly encoding
• A targeted genuine residential IP is redirected to a compromised site – only specific IPs are redirected
• Next redirect to a shadow copy or a compromised site – domain shadowing technique; the TLD resides on a different IP
• Victim hits the lander page (second payload) – web filter fails, the web address is not blocked
• Payload delivered; the initial payload is delivered and executed if the system is vulnerable – antivirus fails, the binary is obfuscated
• Encryption negotiated – web filter fails, the communication is not blocked
• Data encrypted, local backups removed, ransom notes displayed

Page 17: Angler talk

INSTALLATION
Fileless ransomware exploitation technique (flow diagram):

• Locate an exploitable process
• The process is loaded into memory, but its primary thread is suspended
• Inject the first payload into it
• Force the DLL to load in the context of that process: the process calls LoadLibrary and loads the malicious remote DLL
• When encryption is finished, free the memory
• Persistence isn't a goal

Page 18: Angler talk

MONEY FLOW

Page 19: Angler talk

MONEY GATHERED DURING THE CAMPAIGN, MOSTLY IN BTC

Estimated revenue, yearly, after the Talos thwart: $17,126,058.00

CAMPAIGN OWNERS' EXPENSES & LOSSES

• The process of legalizing BTC income is difficult
• The main ways are carding, shopping, underground exchanges and money mules
• Money is spent on infrastructure, maintenance and recon campaigns
• The end result is about a 50+% loss

Page 20: Angler talk

DETECTION & PREVENTION

• SPRank, created by our researchers, detects compromised domains based on DNS data
• A honeypot run by an analyst provides another source of compromised domains based on HTTP data
• Pivoting around these domains lets us discover compromised registrants and IPs
• Data available in Investigate helps to identify reused infrastructure, malicious actors and patterns

STOPPING THE EXPLOIT CHAIN AT ANY STEP CAN MITIGATE INFECTION

Page 21: Angler talk

EXAMPLE

Dedicated accounts used for multiple scams

Dedicated and abused servers

Page 22: Angler talk

EXAMPLE

Bulletproof hosting

Potentially compromised

Page 23: Angler talk

DETECTION ANALYSIS LEADS TO NEW THREAT MODELS WITH A DIFFERENT BASIS

SEED sources (diagram): Investigate, Honeypot, VirusTotal, Malwr, ThreatGrid

ROOT: graph of nodes pivoted out from the seeds

Page 24: Angler talk

ABUSED AND DEDICATED ASNs
Most active ASNs in the last 90 days:

• AS 59504 CYBERTECH-AS LLC CyberTech, RU
• AS 201094 GMHOST Mulgin Alexander Sergeevich, UA (dedicated)
• AS 15756 CARAVAN JSC Caravan Telecom, RU
• AS 48716 PS-AS PS Internet Company LLC, RU
• AS 43146 AGAVA3 Agava Ltd., RU
• AS 16276 OVH OVH SAS, FR (highly abused)
• AS 15083 INFOLINK-MIA-US Infolink Global Corporation, US
• AS 29182 ISPSYSTEM-AS JSC ISPsystem, LU
• AS 53264 CDC-LMB1 Continuum Data Centers, LLC., US
• AS 20860 IOMART-AS Iomart, GB
• AS 12586 ASGHOSTNET GHOSTnet GmbH, DE 86400 (.tk)
• AS 203973 GUARDOMICRO-AS GUARDOMICRO S.R.L, RO 86400 (.tk)

Page 25: Angler talk

Graphical representation of IPs to ASNs active for last 90 days

Page 26: Angler talk

PREVENTION
Ways to mitigate risks:

• Keep backups of the data at all times
• Use a layered security system; a software and/or hardware firewall is a must-have
• Implement DNS control
• Patch management (covers most of the exploits)
• Maintain consistency of the domain's DNS settings so that it contains only legitimate records
• User education
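"Maintain consistency of the domain's DNS settings" is concrete enough to script from the registrant's side: export the zone and diff it against the records the owner actually created, so a third-level name added through a stolen registrar login shows up as an unexpected record. The following is an added example written for this page, not code from the talk or from OpenDNS. The zone text is a constructed BIND-style dump, the expected-record set is an assumed owner-maintained allow-list, and the two unexpected labels are constructed (one reuses a label quoted on the delivery slide).

```python
"""Reconcile a domain's DNS zone against the records the owner expects.

Added example, not from the original talk.  Zone text is a constructed
BIND-style dump; the expected-record set is an assumed allow-list kept
by the domain owner.  Any record outside it is reported, which is how a
shadowed third-level name (created with a stolen registrar login and
pointing at an IP the owner never chose) surfaces from the registrant's
side.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified, lower-case, no trailing dot
    rtype: str   # A, CNAME, MX, ...
    value: str   # rdata as one string, lower-case, no trailing dot


def parse_zone(zone_text: str, origin: str) -> set:
    """Parse a minimal BIND-style zone: 'name [ttl] [IN] type rdata'.
    Relative names are qualified with origin; '@' means the apex.
    $-directives and ';' comments are ignored."""
    records = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        name, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():           # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":     # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, value = rest[0].upper(), " ".join(rest[1:])
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        records.add(Record(name.rstrip(".").lower(), rtype,
                           value.rstrip(".").lower()))
    return records


def unexpected_records(zone_text: str, origin: str, expected: set) -> set:
    """Return the zone records that are not in the owner's expected set."""
    return parse_zone(zone_text, origin) - expected


# Constructed zone dump: the owner created the first four records; the
# last two have the shape of shadowed hosts (long label, short TTL,
# pointing at an address the owner never used).
ZONE = """\
$ORIGIN buydashcameras.com.
@                    3600 IN A     203.0.113.10
www                  3600 IN CNAME buydashcameras.com.
@                    3600 IN MX 10 mail.buydashcameras.com.
mail                 3600 IN A     203.0.113.11
ludeincenvira         300 IN A     198.51.100.77   ; not created by owner
qa-7f3a2c9d1b         300 IN A     198.51.100.78   ; not created by owner
"""

# Assumed allow-list maintained by the domain owner.
EXPECTED = {
    Record("buydashcameras.com", "A", "203.0.113.10"),
    Record("www.buydashcameras.com", "CNAME", "buydashcameras.com"),
    Record("buydashcameras.com", "MX", "10 mail.buydashcameras.com"),
    Record("mail.buydashcameras.com", "A", "203.0.113.11"),
}

if __name__ == "__main__":
    bad = unexpected_records(ZONE, "buydashcameras.com", EXPECTED)
    for r in sorted(bad, key=lambda r: r.name):
        print(f"UNEXPECTED {r.rtype:5} {r.name} -> {r.value}")
```

Run it against a scheduled zone export (or the registrar's API output converted to the same line format) and alert on any non-empty result; because the comparison is on the full record and not just the name, a changed A record for an existing host is caught the same way as a new subdomain.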

Page 27: Angler talk

SUMMARY

Page 28: Angler talk

REASONS ANGLER KEEPS WINNING

• The organizations responsible for these exploit kit campaigns are generating millions of dollars in revenue. As a result, they are continually evolving to maximize the number of users that are impacted.
• Findings point to a larger organization that is using various threats to infect users for monetary gain.
• With close to 40% of users hitting Angler infrastructure being compromised, it is a significant threat.
• Security applications do not quickly recognize ransomware's maliciousness, because ransomware itself "effectively acts as a security application".
• The details are not always known, because, unlike data breaches, ransomware attacks do not need to be disclosed by law.

Page 29: Angler talk

Artsiom Holub – Security Research [email protected]

Credits to

Kafeine

