Last Updated: 2016-10-31 01:30:05 UTC
by Brad Duncan (Version: 1)
Earlier this month, Cisco's Talos team published an in-depth report on the Angler exploit kit (EK) . The report also documented Cisco's coordination with hosting providers to shut down malicious servers associated with this EK. The result? I've found far less Angler EK in the last two weeks or so.
Angler is still active, even if we're not finding as much as before, and other EKs remain a concern. CryptoWall 3.0 remains a popular payload. I've noticed CryptoWall 3.0 from Angler, Nuclear, and Rig EK in the past few days.
Let's look at some recent examples of EK traffic.
The URL structure for Nuclear EK has changed since my previous ISC diary about it last month . The landing page URL (the initial HTTP GET request) has recently changed patterns. Previously, we'd seen the HTTP GET request start with /url?sa= , but now it's back to /search? followed by random characters. The images below show HTTP GET requests for Nuclear EK on Wednesday 2015-10-14.
In recent weeks, I've noticed at least two types of infection chains for Nuclear EK. The first type uses a gate with 052F in the URL. So far, I've seen ransomware payloads delivered by "052F" Nuclear EK. Last month I saw TelsaCrypt 2.0 , and this month I've seen CryptoWall 3.0.
The other type of infection chain for Nuclear EK chain has no gate, and it's been delivering two malware payloads. This "dual payload" Nuclear is similar to what we saw in last month's diary on this EK .
I'm calling these two types of infection chains:
- 052F gate Nuclear EK
- Dual payload Nuclear EK
Traffic characteristics indicate these are different actors. Other actors are also associated with Nuclear EK, like the Windigo group , BizCN gate actor , and (I assume) many more. This diary only covers the 052F and dual payload actors.
052F gate Nuclear EK sends CryptoWall 3.0
HTTP traffic after the 052F gate showed Nuclear EK followed by CryptoWall 3.0 callback activity.
This CryptoWall 3.0 sample's bitcoin address for the ransom payment was 12V5XLJ8zfespa2ABZJKUX8oQbVpwT5Uwb
Dual payload Nuclear EK sends its dual payloads
I've noticed this recent dual payload Nuclear EK actor since mid-September 2015 [2, 6, 7]. Code is injected near the end of the page, right before the closing body and HTML tags. There are several dozen blank lines before the malicious iframe leading to a Nuclear EK landing page. I recently saw this type of traffic again on Wednesday, 2015-10-14.
After the Nuclear EK traffic, HTTP requests show a GET /harsh02.exe for follow-up malware, and we also see subsequent alerts on possible Kelihos malware.
Rig EK sends CryptoWall 3.0
On Tuesday 2015-10-13, I infected a Windows host through Rig EK and saw CryptoWall 3.0 as the payload. Pages compromised by this actor have injected script with an unobfuscated iframe leading to Rig EK.
After Rig EK, we find indicators of CryptoWall 3.0 in the post-infection traffic.
This CryptoWall 3.0 sample's bitcoin address for the ransom payment was 1BkEAqygc5Mg2ree7ks34xPMA9kUjB2Qx3
Angler EK still out there, still sending ransomware
On Tuesday 2015-10-13, I generated an Angler EK infection and saw CryptoWall 3.0 as the payload . Injected script from the compromised website is highly-obfuscated, but it's quite distinctive.
After Angler EK, we saw indications of a CryptoWall 3.0 infection.
The bitcoin address for this CryptoWall 3.0 sample's ransom payment was 1yA3czfyuUeYHwgNZnvBSatU8Z7GJffj2
The exploit kit landscape can quickly change, and what's current this week may not be the next. My field of view is limited, and this EK round-up is not comprehensive. I've also seen Neutrino EK recently , which is not documented in this diary. Furthermore, other EKs are still active, even though I haven't been covering them. Hopefully this diary reflects some of the more common EK traffic during the past week or so.
Below is a link for a zip archive containing all of the pcaps:
- 2015-10-15-ISC-diary-all-pcaps.zip - 3.5 MB (3,541,327 bytes)
Below is a link for all zip archive containing all the malware and artifacts:
- 2015-10-15-ISC-diary-all-malware-and-artifacts.zip - 2.1 MB (2,081,496 bytes)
The zip archives are password-protected with the standard password. If you don't know it, email firstname.lastname@example.org and ask.
Last Updated: 2015-10-15 23:40:06 UTC
by Johannes Ullrich (Version: 1)
We got a number readers asking about the ongoing issues with Flash. Adobe released it's regularly monthly update for Flash on Tuesday. With this update, you should be running Flash 126.96.36.199. However, on Wednesday, Adobe published a security bulletin that a new, so far unpatched, vulnerability (CVE-2015-7645) is being exploited. Adobe is currently talking about targeted and limited attacks.
Sometime next week, an update to Flash will be released to address this vulnerability.
So what should you do and what does this all mean?
Next week's patch is unlikely to change the fact that there are a large number of so far unpublished vulnerabilities in Flash. It appears that some groups exploiting these vulnerabilities are able to find these vulnerabilities faster then Adobe is willing to patch them. Even after Adobe releases a patch next week, there will likely be new vulnerabilities that will be used starting as soon as the patch will be released. So really, one more patch wont fundamentally change anything.
What should you do?
If possible uninstall Flash. If you can not uninstall it, at least make sure that your browser does not automatically launch Flash applets. This "Click to Run" behavior should be enabled for all plugins that support it (e.g. Java).
Here are some quick tips on how to enable click-to-run:
Firefox: It should be enabled by default. Check the "plugins.click_to_play" setting in about:config to make sure it is enabled.
Internet Explorer: Click the gear icon and select "Manage Add-ons". For the Shockwave Flash Object, select "More Information". By default, all sites are approved due to the wildcard "*" in the approved site box. Delete it.
Google Chrome: In chrome://settings click on "Show advanced settings..." at the bottom fo the page. Click on the "Content Settings" button under "Privacy" and select "Let me choose when to run plugin content" under Plugins. You can also review existing exceptions that you may have set up in the past, and you can disable individual plugins.
Safari: Check the "Security" tab in preferences. Under Plugin Settings you can enabled/disable individual plugins.