
Hi guys, I would like to start my presentation on deconstructing the cyber kill chain of the Angler exploit kit. Before I start, just how many people are familiar with what exploit kits are? Okay. How many of you have heard about Angler? Oh, great, okay.

So I'll start with a little about myself. I originally came from Eastern Europe, Belarus. I moved to San Francisco about six years ago. Back home I was a student of Belarusian National Technical University and I was getting my degree in computer science. Currently I'm working on my associate of science degree from City College, and I've got most of their cyber security certificates already completed. I'm also looking forward into data analysis and algorithmization since I started working at OpenDNS, where we deal with a huge amount of DNS traffic. Currently, with all our 26 data centers, we handle about 100 billion DNS queries a day, and that's what we build our security controls on. However, it's not that easy when you think about five petaflops of data you have to go through in just one single day.

So I will talk about Angler: tell you when it started, how it looked when it just started, why I draw the parallels and call it an APT at bigger scale (usually you hear APT only about small networks, companies or just specific targets), break down the kill chain of this campaign, talk about money flow (for the last couple of years Angler was primarily distributing ransomware, which is a huge amount of money, but it all comes in Bitcoins, and getting the cash from Bitcoins is pretty challenging), and what we do at OpenDNS to detect and prevent this stuff.

So any exploit kit is a set of payloads or exploits built into one solution; that's why it's all powerful. You have your management console, you have some kind of imported data for the stuff that you will exploit; in this case usually those are domains or just web pages where you can inject stuff.

Angler in particular hadn't been known for a while. I didn't hear about it until 2013, but building and making research on where it came from, I came across the blog post from Sergey Golovanov, who is a security researcher from Kaspersky, who mentioned it in 2012, in a case where the biggest news portals of Russia and Ukraine were spreading that fileless bot malware that is almost impossible to detect: it doesn't leave any kind of evidence on the system, it does what it needs and it self-destroys. The second mention of it came from Kafeine, who is a US-based exploit researcher, a really great guy; I follow him on Twitter, he does an amazing job analyzing payloads and exploit kits in particular. So he saw some of these payloads using those fileless capabilities as early as 2013, but he didn't pay too much attention to it until the Blackhole takedown. After Blackhole was taken down in October 2013, a lot of malware authors moved to, well, looking for another exploit kit, and that's where Angler came into play. After analyzing that, and analyzing the way Angler works, we can see that it started all the way in 20, and it's called XXX on the underground forums. It was Kafeine who gave it its name, and that's what we know now as Angler.

So why do I build this kill chain and deconstruct it? Because before, we used to talk about APT only when you target something: you want to achieve persistence in some network, a company network or something else. However, if you look at the internet, it's the same network, just at huge scale. So I think that the Angler authors and the people behind it did a great job: they are super persistent. There was an enormous amount of researchers spending a huge amount of time finding their C2 servers, blocking them, taking them down; however, it's still there. It's very advanced; it uses advanced techniques on all stages of the campaign. If you talk about payloads, the newest CVEs are implemented: we've seen that a Java vulnerability would be disclosed publicly and three days later they would have an exploit for it implemented. Honeypot and antivirus avoidance: we've been doing a lot of honeypot projects to try to catch all that stuff, and we didn't see any Angler. Why? Because they were pretty sophisticated: they would penetrate your network, see that, oh, that's probably not a real PC, there is no reason to infect it, so they just don't drop the final payload. After we figured out the schema that they used to build URLs, and we could build a pattern for it and block it as soon as we see something that looks like that pattern, they changed it. They switched to domain shadowing, which is a lot more advanced technique, but it requires additional steps for the malware people to get to the domain accounts. All the payloads that are delivered by Angler are either highly obfuscated or encrypted, and this way it's super hard for antiviruses to decrypt every single package or every single thing that they have obfuscated, and they are becoming pretty much useless. Persistent: as I already told you, in October 2015 Talos took down the infrastructure that was delivering Angler and dropped almost 90% of its traffic, but four months later we've seen it come back to the same, if not bigger, traffic. And it's definitely a threat. How many of you didn't hear about ransomware? Right, everybody knows what it is, where it's coming from, but nobody knows how to protect themselves from it, right, if you don't have... Before, I used not to care much about my backups; when I saw that, oh my God, I was terrified. Now I have three backups and I keep backing up all my sensitive data every week. However, besides ransomware, when you already have the infrastructure you can deliver whatever you want; if you want to make an extra buck you just rent out your infrastructure to other malware guys, right? So caros, using OpenDNS data, found out at least three emails that were associated with different actors: delivering bulletproof hosting, Angler hosting, and delivering different payloads like Tinba and the Necurs trojan.

So with that I would like to break down the cyber kill chain a bit. If you talk about APT it's a lot bigger and you can break it down into even smaller parts; here I combined some steps together just because they happen either simultaneously or one right after another. So I came to: reconnaissance; exploitation and weaponization; delivery and installation; command and control; and actions.

So, reconnaissance. For any APT or any malware campaign this is very important, because you want to have some base infrastructure that's protected from everybody else, because if you lose that basic infrastructure you're pretty much toast: all your business is broken. With Angler we see that those people aren't really afraid to lose it; sometimes they expose it, but the reason is pretty simple: they are unreachable. Most of the basic infrastructure is located in Eastern European countries like Russia, Kazakhstan, Ukraine, so even if the FBI can go and ask, "please take down this infrastructure," most of the people in these countries wouldn't care about it that much. That's one of the reasons that let ransomware grow and spread.

Domain registrars: for domain shadowing they have to have domain registrar accounts. Of course you can put up a bunch of fake accounts for yourself and use them just one time, but with domain shadowing you defeat something like a popularity check: if you registered your domain a couple of days ago and you want to route a huge amount of traffic to it, it would flag immediately in many security appliances and you wouldn't deliver anything. They also used a lot of bulletproof hosting, which is pretty common; there is not a huge number of them, but they still exist. Those are just companies who will host anything, and they don't really care what you do with it as long as you pay them money. Abusing large providers: we've seen a lot of traffic going through GoDaddy and other big providers, but that doesn't mean that they're bad; it's just hard for them to handle the enormous amount of domains they are offering to people. Also the primary way Angler delivered its initial payload: advertising companies. It became possible because a lot of companies want to maximize their income, so they are participating in something that they call ad hopping or ad exchange. If you have an advertising company and you target a specific region, let's say Australia, and another company wants to advertise in Australia, they don't want to bid against you for the traffic; they just offer you a deal: okay, let me run my advertising through your infrastructure for five days and I'll let you do the same. So for this the people behind Angler registered fake advertising companies; if you look them up on the internet they look just like any other advertising company, except all they do is deliver Angler payloads. So that's how I broke down the recon: those are the steps that you need to make initially to launch your campaign, not talking about any payloads yet, just gathering the information.

So, dedicated infrastructure used to get those domain registrar emails. How was it done? It was pretty simple, a totally unsophisticated technique: phishing. They gathered a bunch of domain registrar emails, sent them phishing emails, and most of them would answer, because most companies don't really think that the DNS registrar email is something important, something that can be used against them. And the Angler people changed that a lot: now everybody has to implement some kind of control for their DNS records; they're becoming really, really valuable. So after the phishing campaign finished they got some amount of accounts that let them build their initial infrastructure to actually launch the campaign where they would deliver ransomware.

So for the exploitation, those are the websites that would deliver the initial payload. Breaking it down into parts, we've seen that most of them are coming from WordPress and domain shadowing. WordPress domains: a lot of people don't update their WordPress regularly; that's why it's exposed to all kinds of threats. If you have a domain that uses WordPress, how often do you go through the logs? Not that often. But we've been doing analysis on that, and WordPress sites get hit every day, sometimes from multiple sources; those are scanners at big scale that run every day, from good guys and bad guys as well. So at the very beginning of the campaign the amount of abused or compromised websites is pretty low; most of them would be delivered using domain shadowing and dedicated servers, but at the point where we are analyzing them right now most of that is shifting to the compromised domains.

Those are the CVEs that we've seen being used for the past 90 days. The smallest one, at the very bottom, is a Silverlight exploit; it just popped up and became pretty popular. I think we will see it growing more and more, just because people got used to Java getting exploited a lot, people got used to some other technologies getting exploited a lot, and it's not because those technologies are weak or bad, no, it's because they are implemented everywhere, so that's what you target: you know that almost any PC would have Java installed, but not every PC would have Silverlight. Now, with Microsoft pushing all this crappy stuff onto your PCs when you don't even know what's going on on your box, especially with Windows 10, that's becoming a bigger and bigger problem, and not all people know that they need to update Silverlight; I don't even know what it's used for. And the malware guys are pretty clever; they know that and they use it.

So initial exploitation takes place where you want to defeat and build your initial infrastructure, so they exploit WordPress, Joomla, whatever sites to build the initial redirect. But with the exploitation of the actual PC, the very end payload can be broken into those: TeslaCrypt is the big hit. Before, we used to defeat TeslaCrypt because it used No-IP, which was really easy to detect; we implemented a control that would check for it and break the exploitation chain at that place. It was really great. Suddenly it disappeared. Why? Okay, we put it in a blog post; those guys know how to search the internet, they found out that we know about that, they changed it; now the No-IP call is removed, so our control became useless. Other ransomware is CryptoWall, AlphaCrypt, and I think they shifted to CryptoWall version 4 recently, so I think the blue part will grow bigger and bigger. Before, we've seen it delivering some trojans like Vawtrak and Tinba, but it doesn't look like they go for this kind of stuff anymore.

Delivery schema: the delivery schema is just built to defeat the most used security appliances. A lot of them are getting imported lists from open sources or some other companies that are building those lists up; they also know how firewalls work, they also know how any other security appliance works. So to defeat that, plus antivirus, they use something that looks like "silda dark Le" (that's how we called it), which is not a server-level infection. So you don't have a server that your payload calls, like "hey, I exploited a machine, give me the bad stuff"; no, the bad stuff actually resides as PHP code in the PHP file, so it fetches the iframes on the fly from a remote server, and that's where all these ad companies are playing for the bad guys, because most of the ads are in iframes or they are banners.

Second is the redirect. Before, as I said, if they would just register a bunch of domains, the popularity check can see that, oh, it's an unknown domain and suddenly it's getting 10,000 queries an hour; oh, that's probably bad. So they implemented (and that was used with the No-IP calls) DNS shadowing, which is different. DNS shadowing looks like this: you have the initial domain that has its history, it has its popularity, but it has a compromised DNS record, so the bad guy goes into the DNS settings and adds another subdomain that would reside on a totally different IP, but for the security appliances it still looks like just a subdomain of the well-known domain, so it's probably legit, and why not let the user go there. You can see that on the screen: the first part is probably some kind of generating algorithm, and the second part is the actual domain that got compromised. Recently we've seen that this schema is changing again, because we already found out what domain shadowing is and a lot of people started caring about their DNS records, and they started building in iframes that during the redirect just look like the forum of those sites. Again, for most security appliances, sorry, it looks like you are not leaving the same domain, you're just going to the forum part of it; again the web filters got defeated by that.

So that's more in detail how the delivery and exploitation works. First you go to a well-known site, let's say CNN.com. CNN.com has an ad on it from a well-known huge company that's been around for 10 years, but that company is participating in ad hopping, and at the moment when you visit that site they don't have that company's advertising, they have some malicious advertising. For security appliances everything looks fine, IP reputation is great, why would they block it? Using Google shortened URLs, ad networks and fake ones, even without participating in ad hopping, just pure malicious advertising on the page, you get the initial redirect. That initial redirect can also be SSL encrypted, which most of the appliances cannot man-in-the-middle SSL traffic, or it would be one of those PHP codes that use on-the-fly encoding. Second, that's the start of the exploitation of your machine: the first payload would just check what kind of software you have on your PC, if that PC is a virtual machine, and if it has a certain IP or language. So they wouldn't target anything that has Russian; that's a pretty good sign that they probably live in Russia. They wouldn't target any IPs that are located in third world countries. Why? Because people there probably wouldn't pay $500 for their files; they probably don't make that much money in a couple of months. And when the person who is targeted gets that, they are redirected to the second step in the exploitation chain: it would be either a compromised website or domain shadowing. Because of using domain shadowing the web filters are falling apart and let you be redirected; a Flash file is delivered on your machine, penetrating it and seeing if you actually have anything that it can exploit. If you have everything patched, everything is fine, you are not getting the next step in the exploitation chain, you're safe. This is good and bad: good because if you are not vulnerable you don't even know that you're being attacked; if you're vulnerable, you're done. So then you hit the landing page; again the web filter failed, the web address is not blocked, the payload is delivered, which is usually ransomware, either encrypted or highly obfuscated; antivirus is failing here. Encryption is going on on your PC; again, for the antivirus the encryption by itself doesn't look malicious, tons of regular software on your PC uses encryption all the time, so how would antivirus know that this is encryption that you don't have control of? There is no way, especially with the fileless malware; I will break it down in detail a little further. There is no evidence left: even if you know that you've been targeted and you know that you've been exploited, the forensic guy who would come would check your entire system and he would say, hey, you don't have anything; right, that's very clever on their side that they implemented. So when the data is encrypted, malware will usually check for any local backups so it won't be easy for you to just restore your data; if it finds them it deletes them, and then displays the ransom notes. So at this point, for you as an end user, if you don't have any kind of remote secured backup, you're done; there is no way to get your data back, you have to pay. However, if you listen to the FBI or any other law enforcement, they say, oh, don't pay the ransom, but it's again up to you; some people would let it go, but most people really care about all the stuff that they have on their PCs: pictures, texts, some job files maybe.

So that's how fileless ransomware works. When the payload locates an exploitable process that already resides in memory, it injects the first payload into it; that process has to call LoadLibrary. When LoadLibrary is called, it forces the DLL to load in the context of the process, so no matter what it would be, it would have at least user privileges, and user privileges are enough to encrypt stuff. When the DLL is injected, it loads a remote DLL; that DLL never resides on your PC, it's that payload that's fetched through the PHP file on the fly. When encryption finishes, the memory is freed, because they don't need persistence. Most malware wants to be in your system all the time, and that's why you can find it, however in some cases it's really, really challenging. With ransomware, it already did all the nasty job; it just freed the memory, removed anything it could, and you don't even know how it happened.

Money flow. As it was reported by Talos, on average (I think it was just the one server that they actually located) it was managing 147 proxy servers delivering payloads to about 90,000 users a day, but not all of those users were actually exploited, because some of them stopped that infection at some point in the chain, right. But on average the amount of money they made a year was about $35 million; that's a huge amount of money if you look at it as just cash. Usually it breaks down to all techniques; all techniques include the process of legalizing those Bitcoins. The main ways are carding, shopping, underground exchange and money mules. With the underground exchange, one of the actors behind Angler used to have a Bitcoin exchange, and he would offer that exchange to buy Bitcoins to the people affected with ransomware, which looked like an ideal scheme, right? You delivered the ransom, the people have to buy Bitcoins, they go to your server, they give you cash, you give them the Bitcoins that go straight back to you. However, he took it down almost immediately after the Blackhole takedown, so who knows why, but now they have to use all the, you know, older techniques. They also have to spend money on the infrastructure; there are losses of money on any step, whether it would be carding, shopping or underground exchange; the exchange rates are pretty wild. For a PayPal account with $5,000 you have to pay about 17 Bitcoins, and I think one Bitcoin is like $500, so you're losing a lot of money; for the people behind that there is no sense to do that all the time. However, the end loss is about 50%, and that's why they will keep doing what they're doing: 50% is roughly $17 million after the thwart; roughly, they might make more or less, but they wouldn't go away. That's just an ideal business for people who live somewhere where the FBI can't get them.

So what are we doing at OpenDNS to stop that? First of all, most of the ransomware has been delivered through domains; at least, very, very rarely do you see a payload that would have a hardcoded IP, and we deal with DNS data. As I told you, we deal with about 100 billion requests a day, so we can analyze big data looking for patterns, and to see how compromised, dedicated and domain shadowing infrastructure differ in traffic flow. Between those we use something that is SPRank, which is: when you look at DNS queries, we look at them as a sound wave, so you have the low part and then suddenly a lot of traffic starts coming in, so you have a wave. That might be one of the indicators, but it's not exactly clear, because a lot of domains get those waves just because they're launching an ad campaign or they got a super popular article that got tweeted by some guy on Twitter, so we have to mix it with other techniques. We used to do a lot of honeypots; now one of our researchers is doing something like, it's not a passive honeypot, it's an active honeypot, so it wouldn't just sit in the network, it would also go for payloads by itself. We've seen that sometimes from the same compromised domain you get different payloads; they are slightly different, but they always run somewhere, so pivoting around those domains lets us discover what the compromised registrant emails might be, so we can block some of that stuff that might be compromised later, ahead of time. It raises some issues with people not understanding how that works and, you know, screaming and crying that they didn't do anything bad, but they lost their domain registrar email; they don't think it's bad. After analyzing that, we use, I use, Investigate; also we use a visual graphical analysis which I will show a little later.

So that's how it looks in Investigate. You have the domain that had no traffic at all and suddenly it got 400 queries an hour; that raises a flag and then there is a human who can analyze it. So this particular domain is part of the initial infrastructure; for the non-native Russian speaker it doesn't make any sense, but I speak Russian and I can see that this is a name in Russian just transliterated in the English alphabet; if you translate it, it would be "head of the hippopotamus". That's one of the reasons why malware people don't want to use something like that, because as soon as I see the pattern I can build a regex, I can look for anything that matches this kind of stuff and block it ahead of time or just flag it for review. Breaking down the email that this domain was registered to, it's another dedicated email, because it's not stolen; again it has the same pattern: it's Russian, it's Russian words transliterated in the English alphabet. If we pivot down there you see that it doesn't have just one, it has multiple domains, and this is actually a live actor; it's got new domains popping up almost every day just because it's getting onto the blocklist and he keeps doing more and more and more. The top part right here, those are the alternative servers, and they are mapped to orderbox-dns.com, which was highly abused by many of the malware people for a long time; unfortunately the way they provide their service doesn't give them a way to stop or to identify malware actors right away. And right down there we see that they built a bigger network based on those couple of domains they registered; they're just adding a couple of letters in front and that's it. So if we look at that ASN, we see that currently there is just one malicious domain, but most of the domains that would be registered on that ASN and match those two patterns, so either registered by one of the actors' emails (another actor is right down here), so what if it's registered by this guy or this guy and it matches one of these patterns, we can block it right away. But those are dedicated abuse services and those are dedicated accounts that are used for multiple scams; this guy Valera, which might be his name, has a couple of advertising companies registered with the same email, so we can see it's not something compromised; he actually deals in them.

The second part is the one that we got from our active honeypot. You can see here that it looks like domain shadowing right away: it has the first word that doesn't mean anything, then it has a legit domain underneath, and this domain is hosted on that IP, but if we take a look at just the second level domain it has a way different IP. If we look at who registered that, we can see that there are a lot of other domains that use the same registrar and email, and this is a good indicator that those domains can be compromised. Most of the time, from what we've seen, they are moving their attacking infrastructure from domain to domain; it takes them about three to five days, and if we block this ahead of time, even if they are not malicious right now, they might be malicious three or five days later. Down there is a bulletproof hosting Russian ASN that hosts a lot of these domain shadowing domains. So using Investigate and our infrastructure we can get the seed, no matter where it would be from (Threat Grid, malware, Aristotle, honeypot), and we can pivot around that seed to find out the bigger infrastructure and the bigger indicators of compromise.

So for the last 90 days those are the highly abused ones, and they have the biggest amount of malicious domains delivering Angler. If you look at this one, you can see that it's located in Ukraine and it has a really weird name, which looks like the name of one of the guys who is probably pretty close to the actors or to the authors of that exploit kit. And I want to just show, we have about 20 minutes left, that's Investigate, that's what we use, and you can see I already looked it up, and this guy, his ASN isn't that big, but before it didn't have his name; however, he changed it a little bit, and the amount of bad websites is like 95%. Some of the domains that are hosted there are just not alive; I think if they were, the malicious domains on this particular ASN would be around 100%.

Okay, so then I would like to actually... one of the pieces of software that we use to analyze big data is OpenGraphiti; you can access it at opengraphiti.com, and I would like to show you a demo of how we use it. So let's start. With OpenGraphiti you can analyze any data set that comes in JSON format. For the domains that I analyzed, for the IPs I analyzed, I took the data from, I forgot, but I built the data set and mapped all the IPs to the ASNs, and let's see how it looks if we open it. So these are all the IPs that are associated with Angler; you see there are some nodes that are connected and mapped to the ASNs and some nodes are not, so to make it less or more understandable I tried to remove all that stuff and draw a nice picture of highly abused ASNs. Okay, so all the isolated nodes are gone and we can see... so just let's add some colors. Yeah, so OpenGraphiti is an ongoing project and we have some bugs, and in the last presentation it didn't break. Yeah, sorry for that; sometimes that happens with live demonstrations.

All right, so let's talk about prevention. Keep the data that is valuable for you backed up all the time, please; you don't want to pay $500 just for something you already have, right? For the companies, at this point you have to implement at least one DNS control; what it would be is up to you, but with ransomware most of it can be stopped at the DNS level. Of course, if you use layered security it's way better, just because the exploit chain can be broken at any time, and it would stop your PC from ransomware. Patch management: it's very important, and you know people say that over and over and over, but as you can see, yes, that's really important; if the vulnerability is already disclosed, the bad guys would make it profitable in less than three days, so if you think that it can wait, no, it can't. And user education: with ransomware it's really hard, because for the average user, most of the affected websites were CNN.com; Angler was delivered by the ad banners in the Skype that's built into your OS now; it's really, really hard for the end user not to become a victim. However, some basic education should be implemented: what the user can do. At this point ransomware wasn't spreading all over the network, but with SamSam and with Locky, that started encrypting all the network shares, it's becoming more and more important for the end user to know what to do in these cases, because we've been doing an incident report where they got Locky on one PC and the guy was just staring at it not knowing what to do; he reported an hour later, and in an hour the entire network was compromised and Locky encrypted everything it could get to. But if there had been an immediate reaction, it might have been stopped at two or three machines, and the price for the ransomware wouldn't be $177,000 but it would be just 500.

For summary: as we can see, the organizations responsible for particular exploit kits, but there isn't just one exploit kit; there is the Nuclear exploit kit, there is Neutrino; they are all shifting toward ransomware. I've seen the most recent Talos blog about the Nuclear kit: it's delivering pure ransomware now, it doesn't deliver anything else, and it will stay here. As a result, they are always ahead of us; they always have something new for us to fight with. The amount of users that are impacted is huge. Findings point to a criminal organization that works at the scale of a big company: to monetize that amount of Bitcoin that they gather, they have to have a really, really good chain of cashing that out, and that chain couldn't be simple and consist of one, two or three people; there are probably hundreds of people involved in it. With almost 40% of the users hitting Angler being compromised, that's a pretty bad threat; 40% is a lot. If we can break it down to 1, 2 or 3%, we might not talk about that anymore, but I don't see that happening any time soon. The security applications do not quickly recognize ransomware because, as I've mentioned before, for the antivirus solution or any other solution, it doesn't know if you control the encrypting that's going on right now or not. And the details are not known to the majority of us, just because if it happened to some big company, it doesn't need to be disclosed as it needs to be with breaches, so when companies get hit with that they might just pay the ransom and not notify anybody, and those bad guys will do it over and over and over, and who knows if they wouldn't come back to your company. For the forensic people it's hard too, because if you don't have incident response and nobody called you, you can't get any data, or even when you have the chance to get data, it's already gone. And I think that's it.

Q: This is probably a very naive question, I'm sorry for this, but my understanding is when you get infected with the ransomware it deletes all your backups and encrypts what's left; then if you pay the money it'll decrypt. So is there a way at the operating system level to detect and basically block encryption software?

A: I don't know about encryption software, but you can use some kind of vaccines. For example, with the most recent ransomware such as Locky, it checks certain keys in the registry, such as language, for example, so if you have that setting already set to Russian, for example, you are safe, because it wouldn't encrypt anything. But to break the actual encryption process, I don't think there is any kind of solution. Another problem is that because the code is injected on the fly, there are not that many solutions that can monitor the integrity of your memory. So yeah, otherwise, to stop it, just going for small parts like registry keys or something else is not a good solution at this point, and this is just for one family of ransomware; other families use other techniques and it's really hard to analyze them.

Q: To what extent do you think the process that these guys go through in setting up the domain shadows is automated now?

A: It is, yeah, it is pretty much, because we can see that at least the shadow domains are using some kind of generating algorithms, and it's been around for a while but never been used just for that case. And they're getting away from that, just because anything that can be generated would have a seed; it's just a matter of time and a matter of data we can gather to get that seed, but as soon as we discover the seed we can search for the patterns and block those shadows right away.

Q: So with the ransomware that you've seen, the encryption process, how is it doing file selection, for example, or how long does it take to actually perform the encryption?

A: To perform the encryption depends on how many files you have. For targets, it usually has the target extensions in the malware. From my experience, to encrypt 30 GB of data it takes about 15 seconds, and it also depends how fast your machine is. I'm pretty sure you will get, like, the servers... when SamSam happened to the hospital, their entire network got encrypted in less than an hour.

All right, thank you.
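The two detection signals the speaker describes for shadow subdomains (a subdomain of an established domain resolving outside the parent's network, and a sudden query wave on a name with no history) can be combined into a simple triage rule. This is an added example, not code from the talk or from OpenDNS; all records, IPs, ASNs, hourly counts and the `example-news.com` domain are constructed sample data, and the apex heuristic assumes no public-suffix handling.

```python
"""Heuristic triage of domain-shadowing candidates from passive DNS data.

Added example, not code from the talk or from OpenDNS. It mirrors the two
signals the speaker describes: a subdomain of an established domain whose A
record sits in a different network than the parent, and a sudden query wave
on a name that had no traffic before (the "sound wave" idea behind SPRank).
All records, IPs, ASNs and query counts below are constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
import math
from statistics import median

# Constructed passive-DNS style records: hostname -> (resolved IP, ASN).
# The ASN numbers and IPs are made up for the example.
RECORDS = {
    "example-news.com": ("198.51.100.10", 64500),
    "www.example-news.com": ("198.51.100.11", 64500),
    "cdn.example-news.com": ("203.0.113.40", 64510),     # CDN: other ASN, plain label
    "qz8k3vtr.example-news.com": ("192.0.2.77", 64520),  # shadow-style subdomain
    "forum.example-news.com": ("192.0.2.78", 64520),     # "forum" trick from the talk
}

# Constructed hourly query counts for the last 24 hours, oldest first.
QUERIES = {
    "example-news.com": [900] * 24,
    "www.example-news.com": [1200] * 24,
    "cdn.example-news.com": [300] * 24,
    "qz8k3vtr.example-news.com": [0] * 22 + [5, 430],
    "forum.example-news.com": [0] * 23 + [410],
}


def apex_of(host: str) -> str:
    """Parent domain, taken naively as the last two labels.

    Assumption: no public-suffix list handling (co.uk etc.), which a real
    deployment would need.
    """
    return ".".join(host.split(".")[-2:])


def looks_generated(label: str) -> bool:
    """Rough check for an algorithmically generated first label.

    Flags labels of six or more characters with high character entropy and
    few vowels, the pattern of the shadow subdomains described in the talk.
    It is a heuristic, not a classifier.
    """
    if len(label) < 6:
        return False
    counts = Counter(label)
    entropy = -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return entropy >= 2.5 and vowel_ratio < 0.3


def has_query_wave(hourly: list[int], factor: int = 10) -> bool:
    """True when the latest hour is far above the name's earlier baseline.

    A name with no history that suddenly gets hundreds of queries an hour is
    the wave the speaker describes; the median keeps one earlier blip from
    masking it.
    """
    if len(hourly) < 2:
        return False
    baseline = median(hourly[:-1])
    return hourly[-1] >= max(factor * baseline, 100)


@dataclass
class Finding:
    host: str
    reasons: tuple[str, ...]


def shadowing_candidates(records=RECORDS, queries=QUERIES) -> list[Finding]:
    """Return subdomains resolving outside the parent's ASN plus a second signal.

    A different ASN alone is not enough (CDNs and mail hosts do that too), so a
    name is reported only when the label looks generated or a query wave is
    present as well. Findings go to an analyst for review, as in the talk.
    """
    findings = []
    for host, (_ip, asn) in sorted(records.items()):
        apex = apex_of(host)
        if host == apex or apex not in records:
            continue
        if asn == records[apex][1]:
            continue
        reasons = ["asn differs from parent"]
        if looks_generated(host.split(".")[0]):
            reasons.append("generated-looking label")
        if has_query_wave(queries.get(host, [])):
            reasons.append("query wave with no history")
        if len(reasons) > 1:
            findings.append(Finding(host, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in shadowing_candidates():
        print(f.host, "->", "; ".join(f.reasons))
```

On the constructed data the plain `cdn` subdomain is left alone, while the generated-looking label and the "forum" lookalike are both reported for review.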