angler talk
TRANSCRIPT
Artsiom Holub, March 2016
Deconstructing The Cyber Kill Chain of Angler Exploit Kit
2CONFIDENTIAL
PRESENTER
• Security Research Analyst on the OpenDNS team
• Undergraduate studies at the National Technical University of Belarus in Computer Science
• Currently earning an Associate in Science degree from City College of San Francisco in Computer Networking and Information Security
• Network Security and Cyber Security certified
• Freelance pentester and bounty hunter
AGENDA
• Angler EK origin
• APT parallels and signs
• Cyber kill chain of AEK campaign
• Money flow
• Detection & prevention
• Summary
ANGLER EK ORIGIN
• First appearance of a unique ‘bodiless’ bot attacking news site visitors
• Reported by Russian researcher Sergey Golovanov in March 2012
• Unknown exploit as a part of Cool EK
• One of the first captured by Kafeine in August 2013
• Used fileless capabilities
• Angler in the context of the Blackhole takedown
• Kafeine chose the name for this exploit kit in October 2013
• Mapped to the ‘bodiless’ bot and the XXX exploit kit
• XXX is the real name for Angler
• 2010 is the real birth year of Angler
APT PARALLELS AND SIGNS: ADVANCED
Using advanced techniques at all stages of the campaign:
• Utilizing the most recent vulnerabilities (CVEs)
• Implementing honeypot and antivirus detection and avoidance
• Domain shadowing
• Encrypted payloads
APT PARALLELS AND SIGNS: PERSISTENT
• Angler EK is
• Talos thwarted access to ASNs that accounted for almost 90% of overall Angler traffic in October 2015
• IP scheme changed; the threat still exists and is growing
APT PARALLELS AND SIGNS: THREAT
• Delivering ransomware makes it easily profitable
• Ransomware accompanied by other malware (Bedep, Pony, etc.) makes it even more profitable
• The infrastructure used and the stolen information can be traded or rented to other malicious authors
Introducing the Cyber Kill Chain of a Malicious Angler Campaign in the Wild
CYBER KILL CHAIN
• Reconnaissance
• Exploitation & Weaponization
• Delivery & Installation
• Command and Control
• Actions
Mostly used in terms of APT, so I have to modify it for my case.
RECONNAISSANCE
List of things needed for a successful campaign:
• Dedicated basic infrastructure: for C&C addresses, and for DNS tunnels for guaranteed egress
• Compromised registrant emails: for domain shadowing
• Bulletproof hosting: for use as C&C servers, to receive connect-back shells, to launch attacks. Recently active: .top and .tk
• Abused large providers: to host landing pages
• Acquiring a list of vulnerable sites: for use as pivots to hide the IP addresses of the stable servers and exploits
• Registering fake advertising companies: to deliver traffic
RECONNAISSANCE: from preparation to launch
• Dedicated infrastructure advertises bogons
• Phishing campaigns use the advertised addresses
• Infrastructure ready
• Accounts used in domain shadowing acquired
• Launch of the campaign
EXPLOITATION: compromised domains hosting lander pages
[Pie chart: WordPress, Joomla, Domain shadowing, Dedicated, Others; slice values as extracted: 42%, 5%, 36%, 11%, 6%]
EXPLOITATION & WEAPONIZATION: compromising victims through one of these vulnerabilities
[Bar chart, 0 to 30% axis: CVE-2016-0034, CVE-2015-8651, CVE-2015-8446, CVE-2015-7645, CVE-2015-5560, CVE-2015-0313, CVE-2015-2419, others]
EXPLOITATION & WEAPONIZATION: placing lander pages with payloads
[Chart of payload families: TeslaCrypt, CryptoWall, Bedep, HydraCrypt, Others, Vawtrak, Tinba]
DELIVERY: some of the main points in the delivery schema
• Pseudo Darkleech: not a server-level infection. The malicious PHP code is injected into the menu.php/index.php file; it fetches the actual iframe code on the fly from a remote server.
• DNS shadowing: the iframe URL (which used to be a No-IP dynamic host name) has been replaced with third-level domain names of sites with hacked DNS accounts (a lot of GoDaddy) that live only for a few hours, for example:
ludeincenvira[.]buydashcameras[.]com
republicanaaccenner[.]handymannservices[.]com
scissorcase-kursfest[.]flatfeexpress[.]com
uitgehougovorili9[.]goalrillabasketballgoals[.]info
• Forum-like URLs: iframe URLs now resemble URLs of forum sites. They include one of the following URL parts with random parameters:
/boards/index.php?PHPSESSID=...
/topic/viewtopic.php?PHPSESSID=...
/forums/search.php?PHPSESSID=...
/civis/search.php?85285-…
DELIVERY & INSTALLATION: most recent model delivering user traffic to lander pages
Each step is followed by the reason the corresponding defense fails:
• Victim visits a well-known trusted site. (IP reputation: content is not blocked)
• goo.gl URLs and ad networks are abused, including top ones, along with fake advertiser domains. (SSL-encrypted ad call URL, or a GIF hiding code with on-the-fly encoding)
• A targeted genuine residential IP is redirected to a compromised site. (Only specific IPs will be redirected)
• Next redirect to a shadow copy or compromised site. (Domain shadowing technique: the shadow name resides on a different IP)
• Victim hits the lander page (second payload). (Web filter failed: the web address is not blocked)
• Payload delivered.
• Initial payload delivered and executed if the system is vulnerable. (Antivirus failed: the binary is obfuscated)
• Negotiate encryption. (Web filter failed: the communication is not blocked)
• Encrypt data; local backups removed.
• Display ransom notes.
INSTALLATION: fileless ransomware exploitation technique
• Locate an exploitable process
• Inject the first payload into it
• Force the DLL to load in the context of that process
• When encryption is finished, free memory
• The process is loaded into memory but the primary thread is suspended
• The process calls LoadLibrary
• Loads the malicious remote DLL
• Persistence isn’t a goal
MONEY FLOW
MONEY GATHERED DURING THE CAMPAIGN, MOSTLY IN BTC
Estimated revenue, yearly, after the Talos thwart: $17,126,058.00
Campaign owners’ expenses & losses:
• The process of legalizing BTC income is difficult
• The main ways are carding, shopping, underground exchange and money mules
• Money is spent on infrastructure, maintenance and recon campaigns
• The end result is about 50+% loss
DETECTION & PREVENTION
• SPRank, created by our researchers, detects compromised domains based on DNS data
• A honeypot run by an analyst provides another source of compromised domains based on HTTP data
• Pivoting around these domains lets us discover compromised registrants and IPs
• Data available in Investigate helps to identify reused infrastructure, malicious authors and patterns
STOPPING THE EXPLOIT CHAIN AT ANY STEP CAN MITIGATE INFECTION
EXAMPLE
[Graph: dedicated accounts used for multiple scams; dedicated and abused servers]
EXAMPLE
[Graph: bulletproof hosting; potentially compromised]
DETECTION ANALYSIS LEADS TO NEW THREAT MODELS WITH A DIFFERENT BASIS
[Diagram: a SEED indicator enriched from Investigate, Honeypot, VirusTotal, Malwr and ThreatGrid, pivoted node by node to the ROOT]
ABUSED AND DEDICATED ASNs
Most active ASNs in the last 90 days:
• AS 59504 CYBERTECH-AS LLC CyberTech, RU
• AS 201094 GMHOST Mulgin Alexander Sergeevich, UA (dedicated)
• AS 15756 CARAVAN JSC Caravan Telecom, RU
• AS 48716 PS-AS PS Internet Company LLC, RU
• AS 43146 AGAVA3 Agava Ltd., RU
• AS 16276 OVH OVH SAS, FR (highly abused)
• AS 15083 INFOLINK-MIA-US Infolink Global Corporation, US
• AS 29182 ISPSYSTEM-AS JSC _ISPsystem_, LU
• AS 53264 CDC-LMB1 Continuum Data Centers, LLC., US
• AS 20860 IOMART-AS Iomart, GB
• AS 12586 ASGHOSTNET GHOSTnet GmbH, DE 86400 (.tk)
• AS 203973 GUARDOMICRO-AS GUARDOMICRO S.R.L, RO 86400 (.tk)
[Figure: graphical representation of IPs to ASNs active for the last 90 days]
PREVENTION: ways to mitigate risks
• Keep backups of the data at all times
• Use a layered security system; a software and/or hardware firewall is a must-have
• Implement DNS control
• Patch management (most exploits)
• Maintain consistency of the domain’s DNS settings, so that it contains only legitimate records
• User education
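As an added example (not code from the talk or from OpenDNS), this Python script turns the delivery slide and the DNS-consistency prevention point into two defender checks run over constructed proxy-log lines: it flags the forum-like iframe URL shapes, and any third-level hostname under a domain that is absent from that domain's baseline of legitimate records, which is the domain-shadowing signature. The log format, the baseline of legitimate records and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit
# Path shapes the talk lists for Angler's forum-like iframe URLs.
FORUM_PATH = re.compile(r"^/(boards/index|topic/viewtopic|forums/search|civis/search)\.php$")
# Constructed proxy-log format: <timestamp> <client-ip> <method> <url>
LOG_LINE = re.compile(r"^(\S+) (?P<src>\S+) (\S+) (?P<url>\S+)$")
# Constructed baseline: the hostnames each registrant legitimately publishes
# (the "consistent DNS settings" of the prevention slide).
LEGIT_RECORDS = {
    "buydashcameras.com": {"buydashcameras.com", "www.buydashcameras.com"},
    "flatfeexpress.com": {"flatfeexpress.com", "www.flatfeexpress.com"},
}

def is_forum_like(url):
    """Path and query look like /boards/index.php?PHPSESSID=... or /civis/search.php?85285-..."""
    parts = urlsplit(url)
    if not FORUM_PATH.match(parts.path):
        return False
    return "PHPSESSID=" in parts.query or re.match(r"^\d+-", parts.query) is not None

def is_shadow_subdomain(host, legit_records):
    """Third-level (or deeper) name under a known apex that the owner never published."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return False
    apex = ".".join(labels[-2:])
    return apex in legit_records and host.lower() not in legit_records[apex]

def flag_lines(lines, legit_records):
    """Return (client-ip, host, reasons) for every log line that trips a check."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        url = m.group("url")
        host = urlsplit(url).hostname or ""
        reasons = [name for name, tripped in (
            ("forum-like-iframe-url", is_forum_like(url)),
            ("unregistered-third-level-host", is_shadow_subdomain(host, legit_records))) if tripped]
        if reasons:
            hits.append((m.group("src"), host, reasons))
    return hits
# Constructed sample log; the shadowed hostnames are the slide's own examples.
SAMPLE_LOG = [
    "2016-03-01T10:00:00Z 10.1.2.3 GET http://www.buydashcameras.com/",
    "2016-03-01T10:00:05Z 10.1.2.3 GET http://ludeincenvira.buydashcameras.com/boards/index.php?PHPSESSID=a1b2c3",
    "2016-03-01T10:00:06Z 10.1.2.4 GET http://flatfeexpress.com/civis/search.php?85285-gold",
    "2016-03-01T10:00:07Z 10.1.2.5 GET https://example.org/forums/search.php?q=angler",
]
```

Calling `flag_lines(SAMPLE_LOG, LEGIT_RECORDS)` reports the shadowed host on both checks and the bare forum-like URL on one; the benign www host and the example.org search URL pass.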
SUMMARY
Reasons Angler Keeps Winning
• The organizations responsible for these exploit kit campaigns are generating millions of dollars in revenue. As a result they are continually evolving to maximize the number of users that are impacted.
• Findings point to a larger organization that is using various threats to infect users for monetary gain.
• With close to 40% of users hitting Angler infrastructure being compromised, it is a significant threat.
• Security applications do not quickly recognize ransomware’s maliciousness, because ransomware itself “effectively acts as a security application”.
• The details are not always known, because unlike data breaches, ransomware attacks do not need to be disclosed by law.