ANGLER EXPLOIT KIT DEOBFUSCATION AND ANALYSIS

2021-09-27 | 8 min read



By Wei Gao | Angler Exploit Kit (EK) is one of the most sophisticated exploit
kits in the world, used by cybercriminals to deliver diverse malware through
compromised websites and infect victims. Angler EK first appeared in late 2013,
and its authors have frequently added new evasion features to it ever since.

Angler EK’s exploit code and malware payload are highly obfuscated in order to
bypass IDS/IPS. The kit uses 302 cushioning and domain shadowing to evade
detection, and it checks for anti-virus software and virtualized environments
before running the exploit. Angler EK also includes a feature called
“fileless infection” [2] to infect a victim without writing malware to the
drive.

Furthermore, Angler EK is still evolving. It continually adds new IP
addresses, domains, and subdomains to host exploits and malware. Angler EK may
also use zero-day vulnerabilities, such as the “Hacking Team” vulnerabilities
(CVE-2015-5119, CVE-2015-5122), in its exploitation activities. These features
make Angler EK very difficult to detect for the majority of today’s security
defenses, and they have allowed it to reach a prolific scale. According to the
distribution of exploit kit activity as measured by detection telemetry over a
week’s worth of data in May 2015 [1], Angler EK has begun to dominate the
exploit kit market.



Angler EK starts with a compromised legitimate website and uses it to redirect
visitors to the actual landing page. An HTML iframe can be used to redirect the
traffic and make detection more difficult. However, in order to evade detection
by signature-based IDS/IPS, more and more redirection methods have recently been
used in Angler EK. 302 cushioning [3], or a cushion attack, is used to redirect
a victim’s browser to a compromised website. Domain shadowing is also used in
Angler EK to bypass domain and URL blocklists and make it difficult to build an
IOC list.

In this blog, we will use sample pcap files to take a closer look at Angler EK.
The sample pcaps are from www.malware-traffic-analysis.net.

HTTP Redirection

In this example, the compromised website uses an iframe to redirect the victim’s
browser to the Angler EK landing page.



Angler EK Landing Page

Thousands of new Angler EK landing pages are emerging. In order to make
detection more difficult and frustrate security researchers, the landing page
uses many obfuscation methods. An Angler EK landing page consists of four
elements:

 * Plain English Text
 * Paragraph element (Obfuscated JS code)
 * Deobfuscation functions
 * Encrypted URLs and Exploit paths

The first obfuscation method is plain English text, which may be quoted from
Jane Austen's novel Sense and Sensibility.



The second obfuscation element of the Angler EK landing page is the paragraph
elements in the HTML, which are deobfuscated by the deobfuscation functions in
the landing page.



The third element of the landing page is the deobfuscation function, which grabs
the paragraph elements, decodes them, and then decrypts them. The deobfuscation
function itself is highly obfuscated in the landing page to bypass IDS/IPS
signatures.



The last element is the encrypted URLs and exploit paths, which are used to
download and execute the malware payload. The encrypted URL may include the name
of the server hosting the exploit kit or the path used to locate Silverlight or
Flash content.



Environment Check:

After deobfuscating the Angler EK landing page, we found its environment check
section. Angler EK checks for installed Kaspersky ActiveX controls as well as
the IE browser.



It also checks whether the running environment is a sandbox by going through a
checklist of specific file paths and files:



Decryption of URL:

Here, we can see the decryption function for the encrypted URLs in Angler EK.
It uses “LGWZsrv1LGWZsrvIc3” as the default decryption key, as shown in this
figure. We can easily rewrite this JS code and decrypt the encrypted URLs.



Here, we rewrote this code and decrypted the URL:





Here, we got the host name and the requested page.

Dropper and Payload:

Angler EK then does more browser and system checking. In this code, it checks
whether the browser is IE, and whether it is running on x32 or x64.



The dropper is loaded into memory after IE is compromised. The shellcode is
partly encrypted. The default decryption key is “Du9J08gkbfzGvmFF”, as shown in
this figure.



After deobfuscation, we found that Angler EK uses highly obfuscated JavaScript
code to bypass IDS/IPS detection and to make security researchers spend more
time on it. Angler EK also has code to check for AV and VM products.
Furthermore, the payload is encrypted and encoded during the sending stage. All
of these features make detection more difficult.

CVE-2013-2551 (Microsoft Internet Explorer COALineDashStyleArray Integer
Overflow):





To the left is the actual vulnerability used in Angler EK; to the right is the
POC code for CVE-2013-2551. After analysis, we found that this Angler EK sample
is using CVE-2013-2551, the Microsoft Internet Explorer COALineDashStyleArray
integer overflow.

Other vulnerabilities used in Angler EK are listed in the following table:

Product      CVE
IE           CVE-2015-2419
             CVE-2014-0322
             CVE-2014-1776
             CVE-2014-4130
             CVE-2013-2551
             CVE-2013-7331
Flash        CVE-2015-5560
             CVE-2015-5122
             CVE-2015-5119
             CVE-2015-3113
             CVE-2015-3104
             CVE-2015-3090
             CVE-2015-2419
             CVE-2015-0359
             CVE-2015-0336
             CVE-2015-0313
             CVE-2015-0311
             CVE-2015-0310
             CVE-2014-8440
             CVE-2014-8439
             CVE-2014-0515
             CVE-2014-0497
             CVE-2013-5329
Silverlight  CVE-2015-1617
             CVE-2013-0074
             CVE-2013-3896

Summary

Angler EK is a very sophisticated attack and is still continually evolving. This
exploit kit is almost impossible to detect for the majority of today’s security
defenses. In this blog, we have analyzed Angler EK behavior and its exploit
landing page, and identified its encoding and obfuscation methods. As we can
see, Angler EK uses numerous method variations, such as obfuscation, AV product
and sandbox checks, payload encryption, and fileless infection, to defeat
traditional detection methods.

Ixia ATI is introducing the Angler Exploit Kit canned test, which emulates
Angler EK communication behavior. In addition, the Nuclear Exploit Kit canned
test is under development and will be released soon.

Additional Resources:

Ixia ATI subscription

References:

[1] https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/

[2] http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

[3] http://blog.malwaremustdie.org/2013/09/302-redirector-new-cushion-attempt-to.html
