The Angler exploit kit was ahead of the game when it began detecting antivirus and virtual machines and deploying encrypted dropper files. It’s repeatedly proven itself the fastest kit to incorporate newly released zero-days and its malware runs from memory, without having to write to the hard-drives of its victims.
A new Websense analysis makes the case that Angler is a cybercriminal’s most sophisticated choice among exploit kits for these reasons, and for its noticeably unique brand of obfuscation.
Angler has been in the news in recent weeks for its rapid absorption of a series of Adobe Flash zero days, leading some to believe that the group responsible for Angler may also have also discovered the zero day exploits.
It’s obfuscation is noteworthy, Websense’s Abel Toro claims, mainly because of the way it uses a simple transposition-based cipher to encrypt URL paths. You see a simplified version of Angler’s obfuscation routine below:
Other than that, it’s obfuscation scheme is similar to competing kits such as Nuclear. Infected users redirect to a landing page populated with plaintext writing in order to create the illusion that they are on a safe and legitimate site. Meanwhile, in the background, Angler begins deobfuscating malicious scripts.
“These scripts are located within p class tags and they are encoded as base64,” Toro writes. “Decoding the base64 strings reveals the actual obfuscated exploit kit code. And finally, the landing page contains several encrypted strings, which contain various URLs leading to the various exploits (Flash, Silverlight, Internet Explorer) included in the kit.”
Once this is all revealed, it’s obfuscated again to make the job of detection just a bit harder. In addition to its antivirus engine detection capabilities, Angler can tell if a researcher is attempting to execute its code in VMware, VirtualBox, Parallels or other virtual machines as well as a web debugging proxy called Fiddler, which is popular among security researchers. These mechanisms make analysis of Angler a headache for researchers.
In order to better evade intrusion detection measures, Angler’s payload is encrypted in transit on the victim’s network and decrypted by a final stage shellcode. The payload, known as Bedep, isn’t malicious on its own, Toro says, but is used to download additional malware.
“The payload consists of a combination of shellcode and the Bedep DLL,” Toro explains. “If the first few bytes of the payload are “909090” (NOPs or No Operations in x86 assembly) the DLL will be loaded from the memory, otherwise it will be written to the disk just like a normal dropper file. The shellcode is responsible for running the DLL from memory.”