Angler Exploits flash 21,0,0,213 sending URSNIF

Datetime: 2016-08-23 02:52:46          Topic: ActionScript
by Analysis in ANGLER Exploit Kit

NOTES:

ActionScript is the programming language used for the Flash Player runtime environment. Angler Exploit Kit is now using ActionScript // 32 to exploit Flash 21,0,0,213. On my first run at this site, using Flash version 19,0,0,245, Angler used ActionScript // 13 and did not cause an infection chain. On my second run, using Flash version 21,0,0,213, Angler used ActionScript // 32 and caused this infection chain. I have also seen a similar change in Neutrino Exploit Kit, which used ActionScript // 32 when exploiting Flash version 21,0,0,213.

ASSOCIATED DOMAINS:

  • 85.93.0.81 – bujsexy.tk – EITEST GATE
  • 185.141.27.170 – f17.nvytwirvb.top – Angler LANDING PAGE
  • 128.183.114.107 – nssdc.gsfc.nasa.gov – Ursnif CONNECTION CHECK
  • 158.69.183.24 – evtwofromdamagemost.pw – GET /images/ – Ursnif POST INFECTION TRAFFIC
  • 158.69.183.24 – evtwofromdamagemost.pw – POST /images/ – Ursnif POST INFECTION TRAFFIC

IMAGES and DETAILS:

Shown above: EITEST Gate and Angler Exploit Kit landing page

Shown above: Using the Wireshark “Follow Stream” filter on the EITEST gate shows the script redirecting to the Angler EK landing page

Shown above: Packets 3050 and 3530 show the EITEST gate, packet 3972 shows Angler exploiting Flash, and packet 4324 shows Angler EK sending the malicious payload masked as an “application/x-shockwave-flash” file

Shown above: Extracting the Flash file using Wireshark File => Export Objects => HTTP to examine its metadata. Saved the file as flash2.swf and examined the metadata using flare ( http://www.nowrap.de/flare.html )

Shown above: Flash metadata from the first run at the compromised site, using Flash version 19,0,0,245, shows Angler using ActionScript // 13

Shown above: Flash metadata from the second run at the compromised site, using Flash version 21,0,0,213, shows Angler using ActionScript // 32
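As an added example (not part of the original post and not flare's code), a Python triage script for objects saved via Export Objects => HTTP: it reads the SWF header (signature, compression, version byte, declared length), checks the declared length against the decompressed body, and flags objects whose Content-Type claims application/x-shockwave-flash but whose bytes carry no SWF signature, as with the masked payload in packet 4324. The sample objects are constructed, and it is an assumption here that the // 13 and // 32 values reported above correspond to the SWF header version byte (SWF 13 and 32 being the Flash 11 and Flash 21 file-format levels).

```python
import struct
import zlib

# Three constructed HTTP objects standing in for what Wireshark's
# File => Export Objects => HTTP would save: (declared Content-Type, body bytes).
# None of these bytes come from the capture discussed in the post.
SWF_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x44\x11\x08\x00\x00\x00"
SAMPLE_OBJECTS = {
    "flash2.swf": ("application/x-shockwave-flash",
                   b"CWS\x20" + struct.pack("<I", 8 + len(SWF_BODY)) + zlib.compress(SWF_BODY)),
    "object4324.swf": ("application/x-shockwave-flash", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
    "index.html": ("text/html", b"<html><script src='gate.js'></script>"),
}

SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

def parse_swf_header(data):
    """Return compression, version, declared and actual length, or None if not an SWF."""
    if len(data) < 8 or data[:3] not in SIGNATURES:
        return None
    compression = SIGNATURES[data[:3]]
    version = data[3]                                   # SWF version byte
    declared_len = struct.unpack("<I", data[4:8])[0]    # uncompressed length incl. header
    if compression == "zlib":
        actual_len = 8 + len(zlib.decompress(data[8:]))  # header is never compressed
    elif compression == "none":
        actual_len = len(data)
    else:
        actual_len = None   # ZWS (LZMA) layout differs and is not handled here
    return {"compression": compression, "version": version,
            "declared_len": declared_len, "actual_len": actual_len}

def triage(content_type, body):
    """Classify one exported object: real SWF, length mismatch, or masked non-SWF."""
    header = parse_swf_header(body)
    if content_type == "application/x-shockwave-flash" and header is None:
        # Content-Type claims Flash but the bytes carry no SWF signature
        label = "PE executable" if body[:2] == b"MZ" else "unknown"
        return {"verdict": "mismatch", "detail": f"declared SWF, body looks like {label}"}
    if header is None:
        return {"verdict": "not-swf", "detail": content_type}
    if header["actual_len"] is not None and header["actual_len"] != header["declared_len"]:
        return {"verdict": "suspicious", "detail": "declared length != actual", **header}
    return {"verdict": "swf", **header}

def triage_all(objects):
    return {name: triage(ctype, body) for name, (ctype, body) in objects.items()}

if __name__ == "__main__":
    for name, result in triage_all(SAMPLE_OBJECTS).items():
        print(name, result)
```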

Shown above: URSNIF connection check to .nasa.gov and post-infection traffic

Shown above: URSNIF data exfiltration in .bin file

MALICIOUS PAYLOAD SENT BY ANGLER EK:

Tagged with: Albany NY , Angler Exploit Kit , Malware analysis , Malware Research
