Posted by Felix Weyne, February 2016.
Tags: exploit kit, Angler, ransomware, malware analysis

It has been a while since I wrote my last post, so I decided to do some basic malware analysis on the Angler Exploit Kit. For those who are not familiar with Angler (not to be confused with the anglerfish): Angler is a kit that cyber criminals use to distribute their malware. The actors behind Angler regularly hack or hijack popular websites, often by exploiting vulnerabilities in content management systems such as WordPress, and inject malicious code into them. That code is then served to every innocent visitor of the website and tries to exploit known security vulnerabilities in the visitor's browser or browser add-ons (e.g. Internet Explorer, Adobe Flash, Microsoft Silverlight, …). By exploiting those vulnerabilities, malicious software is installed in the background, without the user's permission.

Below I’ll be discussing some interesting facts about Angler.

Fact 1: Angler manages to infect more than one million workstations a year

There is a common misconception that a user explicitly needs to download a malicious file in order to get his PC infected. Exploit kits use a technique called drive-by download: malicious software can be run just by opening a website in your browser. Angler is by far the most effective exploit kit that makes use of drive-by downloads, and it manages to give millions of users a headache after visiting an infected website. Below is an example of a Belgian website that was infected with Angler. The HTML code of the website is replaced by obfuscated Angler code; after a few milliseconds, that code redirects the user to the original website.


Image 1: obfuscated Angler code injected on Brusselstimes.com

The obfuscated Angler code serves a Flash file that triggers a buffer overflow. The buffer overflow causes the victim's PC to download malware; in my test case, ransomware was downloaded. The ransomware encrypted all the documents on my test machine, and after a while a ransom note was shown: in order to get my files back, I had to pay a ransom. Luckily no ransom had to be paid, given that the infected machine was my malware analysis test virtual machine. Better luck next time, cyber criminals!


Image 2: Angler pushes Cryptolocker. All the files on the system are encrypted until the ransom is paid.

Fact 2: Angler uses some advanced anti-analysis techniques

The actors behind Angler love to implement measures to slow down analysis of their techniques. Below I will discuss a few anti-analysis techniques I have come across while I was analyzing Angler.

Code obfuscation & sandbox detection

The (JavaScript) code that is injected into the hijacked websites is heavily obfuscated. This means that the code needlessly contains complex constructs, in order to make it more difficult for antivirus software to detect that the code is malicious. Obfuscated code also slows down the security analysts who are trying to identify the goal of the malicious code. I also noticed that Angler implements code that checks whether the website is opened in a sandbox. If a sandbox is detected, Angler will not try to exploit the machine. This way, it is harder for security analysts to get a sample of Angler.
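As an added illustration of what "heavily obfuscated" looks like to a detection engineer (this is example code written for this post, not the author's analysis tooling and not kit code), the script below scores a JavaScript snippet on a handful of obfuscation indicators: runtime code assembly calls, hex and URL escapes, `_0x`-style identifiers, punctuation density, string literal length and character entropy. Both snippets are constructed; the "obfuscated" one merely builds a harmless console call through the constructs obfuscators favour. The thresholds are assumptions to be tuned on your own corpus.

```python
import math
import re

# Constructed sample snippets for demonstration; neither is taken from the
# post or from any real exploit kit. The "obfuscated" one only assembles a
# harmless console call through the kinds of constructs obfuscators favour.
BENIGN_JS = """
function showGreeting(name) {
  var greeting = "Hello, " + name + "!";
  document.getElementById("out").textContent = greeting;
}
showGreeting("visitor");
"""

OBFUSCATED_JS = """
var _0x4a=["\\x48\\x65\\x6c\\x6c\\x6f","\\x6c\\x6f\\x67"];
var s=String.fromCharCode(72,101,108,108,111);
eval(unescape("%63%6f%6e%73%6f%6c%65%2e"+_0x4a[1]+"(s)"));
"""

# Constructs that obfuscated loaders lean on to assemble code at runtime.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode",
                    "document.write(", "setTimeout(")
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")
HEXLIKE_IDENT = re.compile(r"\b_0x[0-9a-fA-F]+\b")
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"' + r"|'(?:[^'\\]|\\.)*'")


def shannon_entropy(text):
    """Bits per character; packed or encoded blobs sit well above plain code."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_features(js):
    """Raw indicators; each one alone is weak, together they separate well."""
    non_ws = [ch for ch in js if not ch.isspace()]
    symbols = sum(1 for ch in non_ws if not ch.isalnum())
    literals = STRING_LITERAL.findall(js)
    return {
        "entropy": shannon_entropy(js),
        "symbol_ratio": symbols / len(non_ws) if non_ws else 0.0,
        "suspicious_calls": sum(1 for c in SUSPICIOUS_CALLS if c in js),
        "hex_escapes": len(HEX_ESCAPE.findall(js)),
        "hexlike_identifiers": len(HEXLIKE_IDENT.findall(js)),
        "longest_literal": max((len(s) for s in literals), default=0),
    }


def obfuscation_score(js):
    """Sum of threshold hits; the thresholds are assumptions, tune them on your own corpus."""
    f = obfuscation_features(js)
    score = 0
    score += min(f["suspicious_calls"], 3)            # runtime code assembly
    score += 2 if f["hex_escapes"] >= 5 else 0        # hex/URL-escaped strings
    score += 1 if f["hexlike_identifiers"] else 0     # _0x... style names
    score += 1 if f["symbol_ratio"] > 0.30 else 0     # punctuation-heavy text
    score += 1 if f["longest_literal"] > 200 else 0   # one huge packed string
    score += 1 if f["entropy"] > 5.2 else 0           # encoded payload blob
    f["score"] = score
    f["verdict"] = "likely obfuscated" if score >= 3 else "looks like plain code"
    return f


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        r = obfuscation_score(sample)
        print(label, r["score"], r["verdict"])
```

The point of scoring several weak signals rather than matching one string is exactly the one the paragraph makes: an obfuscator can rename any single construct, but it cannot hide that the page is assembling code at runtime from escaped byte strings.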

Use of time slots

The site that is infected with the Angler exploit kit only serves the kit once in a while. After the kit has been served to a victim, subsequent visitors of the website do not get the exploit kit.

For my analysis purposes, I use an emulated Angler server. I emulate the Angler server by intercepting the network traffic of an infected machine and replaying it using a Python script in a sandboxed Kali Linux environment.


Image 3: emulation of an Angler server on a Kali Linux machine.
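The replay approach described above, as an added example written for this post (it is not the author's script): a small HTTP server that answers each request with the response recorded for that path, so the captured exchange can be replayed in an isolated lab as often as needed, regardless of the kit's time slots. The recording here is a constructed dictionary with harmless placeholder bodies; in the real workflow its entries would be extracted from the capture of the infected machine, and the lab machine would be pointed at this server via DNS or its hosts file.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

# Constructed recording of request path -> (status, content type, body).
# In the workflow described in the post these entries would be extracted
# from a capture of the infected machine's traffic; the placeholder bodies
# here are harmless stand-ins, not kit content.
RECORDED = {
    "/": (200, "text/html", b"<html><body>landing page placeholder</body></html>"),
    "/viewtopic.php?t=42": (200, "text/html", b"<html><body>second stage placeholder</body></html>"),
}


def lookup_response(path, recorded=RECORDED):
    """Return the recorded (status, content type, body) for a path, or a 404."""
    return recorded.get(path, (404, "text/plain", b"no recorded response for this path"))


class ReplayServer(HTTPServer):
    """HTTPServer that also remembers the order in which paths were requested."""

    def __init__(self, address, handler, recorded=RECORDED):
        super().__init__(address, handler)
        self.recorded = recorded
        self.served = []


class ReplayHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = lookup_response(self.path, self.server.recorded)
        self.server.served.append(self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Show every request the client makes; the sequence of paths is itself
        # useful when reconstructing the stages of the infection chain.
        print("replay %s %s" % (self.address_string(), fmt % args))


def start_replay_server(host="127.0.0.1", port=0, recorded=RECORDED):
    """Start the replay server in a background thread; port 0 picks a free port."""
    server = ReplayServer((host, port), ReplayHandler, recorded)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(server, path):
    """Client helper: request a path from the running server, returning (status, body)."""
    host, port = server.server_address[:2]
    try:
        with urlopen("http://%s:%d%s" % (host, port, path), timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    srv = start_replay_server()
    print(fetch(srv, "/"))
    print(fetch(srv, "/does-not-exist"))
    srv.shutdown()
    srv.server_close()
```

Keeping the served-path list on the server object makes the replay useful beyond just feeding the client: after a run you can compare the order of requests the sandboxed machine made against the capture and spot where the chain diverged, for instance because a sandbox check fired.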

Banning IP addresses used by analysts & emulation of legitimate traffic patterns

Another interesting thing I noticed while analyzing Angler is that the IP addresses of machines suspected to be used by analysts are banned. If you visit a few Angler-infected websites in a short time frame, your IP gets banned. For reverse engineering purposes, this is a bad thing. From a defensive point of view, it is a great thing: it may be a way to avoid getting Angler code pushed to your machine.

Below is a screenshot of a packet capture of an Angler infection. The requests to the server are marked in red and the responses of the server are marked in green. You can clearly see that the first response gives me a valid page (marked in black). All subsequent responses give me malformed packets, indicating that my IP address no longer had the honor of receiving Angler code.


Image 4: packet capture of Angler in action. Note the malformed packets and the URL patterns.

It is also interesting to see that Angler tries to emulate the legitimate traffic patterns of message boards. Angler uses keywords in its URLs such as “viewforum”, “search” and “viewtopic”; those keywords can also be found in the URLs of message boards.
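An added example (written for this post, not the author's tooling) of why that mimicry matters when hunting in proxy logs: a rule that only looks for the forum keywords named above fires on every real message board as well, so it needs at least an allowlist of hosts known to run a board before the remaining hits are worth an analyst's time. The log lines, hosts and allowlist below are constructed placeholders, not indicators.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client, method, URL, status, bytes.
# Hosts are example-domain placeholders; nothing here is a real indicator.
SAMPLE_LOG = """\
2016-02-10T10:00:01Z 10.0.0.5 GET http://forum.example.org/viewtopic.php?t=1 200 5120
2016-02-10T10:00:02Z 10.0.0.5 GET http://news.example.com/ 200 40960
2016-02-10T10:00:03Z 10.0.0.5 GET http://random-host.example.net/viewforum.php?f=3 200 12000
2016-02-10T10:00:04Z 10.0.0.5 GET http://random-host.example.net/search.php?q=x 200 0
2016-02-10T10:00:05Z 10.0.0.7 GET http://forum.example.org/search.php?keywords=abc 200 3000
2016-02-10T10:00:06Z 10.0.0.7 GET http://news.example.com/searching-tips 200 2100
"""

# The keywords named in the post; the \b keeps "search" from matching "searching".
FORUM_PATH = re.compile(r"/(?:viewforum|viewtopic|search)(?:\.php)?\b", re.IGNORECASE)
# Assumed allowlist of hosts known to run a real message board.
KNOWN_FORUMS = {"forum.example.org"}


def parse_log(text):
    """Split the simplified log format into dicts with the URL already decomposed."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        parts = urlsplit(url)
        rows.append({"ts": ts, "client": client, "method": method,
                     "host": parts.hostname, "path": parts.path,
                     "status": int(status), "bytes": int(size)})
    return rows


def naive_matches(text):
    """Keyword-only rule: every forum-looking path, legitimate boards included."""
    return [r for r in parse_log(text) if FORUM_PATH.search(r["path"])]


def triage(text, known_forums=KNOWN_FORUMS):
    """Forum-looking paths on hosts that are not known boards, grouped per client."""
    hits = defaultdict(list)
    for r in naive_matches(text):
        if r["host"] not in known_forums:
            hits[r["client"]].append((r["host"], r["path"]))
    return dict(hits)


if __name__ == "__main__":
    print(len(naive_matches(SAMPLE_LOG)), "raw keyword hits")
    for client, paths in triage(SAMPLE_LOG).items():
        print(client, paths)
```

On the constructed log the keyword rule alone produces four hits, two of them on the legitimate board; after the allowlist only the unknown host remains, and it is the per-client sequence of such hits, not any single URL, that deserves a look.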

Fact 3: Not everything goes according to plan

I’ll end this post on a funny note. During my analysis, I stumbled upon some Angler fails. One of them was that the Angler actors messed up while trying to add their malicious code to a legitimate website. For some reason, the code injection process mangled the webpage terribly; the end result was a webpage full of weird characters. Better luck next time, cyber criminals!


Image 5: Not everything always goes according to plan.