- How network traffic flow occurs between a client and a server.
- How certain protocols work and their purpose.
- Types and signatures of several malware families.
Identifying malware traffic and analyzing the captured network packets to identify patterns, behaviors, and indicators of compromise (IoCs).
Generally, criminal groups use two methods for widespread distribution of malware. The most common method is malicious spam (malspam). This is a fairly direct mechanism, usually through an email attachment or a link in the message to the malware. However, malspam requires some sort of action by the user to be successful $${\color{red} (for \space example,\space opening \space an \space attached \space file) }$$ .
The other method for widespread malware distribution is an $${\color{red}Exploit \space Kit \space (EK)}$$ . EKs are designed to work behind the scenes while a potential victim is browsing the web. An EK does not require any additional action by the end user.
EKs are a sophisticated delivery method. Malware distribution through an EK involves other components in the chain of events that lead to a malware infection.
Here we will focus on $${\color{red} Angler \space EK}$$ , specifically Angler EK activity targeting computers running Microsoft Windows.
Angler Exploit Kit (EK) is one of the most sophisticated exploit kits in the world, used by cybercriminals to deliver a variety of malware through compromised websites and infect their visitors. Angler EK first appeared in late 2013.
Angler EK’s exploit code and malware payload are highly obfuscated in order to bypass IDS/IPS. The kit uses 302 cushioning and Domain Shadowing to evade detection, and it checks anti-virus software and the virtualized environment before running the exploit.
Angler EK starts with a compromised legitimate website and uses it to redirect visitors to the actual landing page. An HTML iframe can be used to redirect the traffic and make detection more difficult. However, in order to evade detection by signature-based IDS/IPS, more and more redirection methods have recently been used in Angler EK. 302 Cushioning (also called a cushion attack) is used to redirect a victim’s browser to a compromised website. Domain shadowing is also used in Angler EK to bypass domain/URL blocklists and make it difficult to build an IOC list.
- NetworkMiner
- Wireshark
- PacketTotal
- VirusTotal
- Brim (Zui)
6- You will find an obfuscated file named 680VBFhpBNBJOYXebSxgwLrtbh3g6JFUllqksWFSsGshhwsguyNL26MGul2oZ3b8.
Ans: Referer: http[:]//lifeinsidedetroit[.]com/02024870e4644b68814aadfbb58a75bc.php?q=e8bd3799ee8799332593b0b9caa1f426
We know that the FQDN that delivered the exploit kit is qwe.mvdunalterableairreport[.]net and its IP address is 92.99.198.158.
You will find the redirect URL http[:]//lifeinsidedetroit[.]com/02024870e4644b68814aadfbb58a75bc.php?q=e8bd3799ee8799332593b0b9caa1f426
[from Q(3)] We know that the FQDN that delivered the exploit kit is qwe.mvdunalterableairreport[.]net and its IP address is 92.99.198.158.
1- Use the Wireshark filter { http && ip.addr == 173.201.198.128 }; only two packets match. Select one, then Follow >> HTTP Stream.
5- Use the Wireshark filter { http && ip.addr == 93.114.64.118 }; only two packets match. Select one, then Follow >> HTTP Stream.
9- If we use the Wireshark filter { http && ip.addr == 216.9.81.189 }, we find the Referer: http[:]//www.earsurgery[.]org/
The Referer is the site itself, which means that the first website the victim visited was www[.]earsurgery[.]org.
- Finally, the victim first visited the legitimate but compromised website "www[.]earsurgery[.]org".
- www[.]earsurgery[.]org redirected him to http[:]//adstairs[.]ro
- http[:]//adstairs[.]ro redirected him again to lifeinsidedetroit[.]com
- lifeinsidedetroit[.]com redirected him again to qwe[.]mvdunalterableairreport[.]net, which delivered the exploit.
- Use the Wireshark filter {http} and go to File > Export Objects > HTTP.
- In the search field, enter the text filter: 80
- You will find the packet number that delivered the payload, with content type octet-stream.
- qwe[.]mvdunalterableairreport[.]net:80, Packet No 2957
- Go to Packet No 2957, which belongs to qwe[.]mvdunalterableairreport[.]net:80, then Follow > HTTP Stream; you can see a large amount of obfuscated text.
- Export the objects to find out whether any malicious file has been sent.
- You will find a malware payload being delivered as a file named 680VBFhpBNBJOYXebSxgwLrtbh3g6JFUllqksWFSsGshhwsguyNL26MGul2oZ3b8.
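The two manual Wireshark steps above (walking the Referer headers back to the first site, and spotting the octet-stream download among the exported HTTP objects) can be automated. The following is an added example, not part of the original write-up: it runs over a constructed list of request/response records that reuses the page's hostnames, while the packet numbers, paths and header text are constructed for illustration.

```python
# Added example (not from the original write-up). Reconstructs the redirect chain
# from HTTP Referer headers and flags application/octet-stream responses.
from urllib.parse import urlparse

# Constructed records: (packet number, raw request headers, response Content-Type).
# Hostnames come from the write-up; packet numbers and paths are illustrative.
SAMPLE_HTTP = [
    (120, "GET / HTTP/1.1\r\nHost: www.earsurgery.org\r\n"
          "Referer: http://www.earsurgery.org/\r\n\r\n", "text/html"),
    (455, "GET /ad.js HTTP/1.1\r\nHost: adstairs.ro\r\n"
          "Referer: http://www.earsurgery.org/\r\n\r\n", "text/javascript"),
    (812, "GET /02024870e4644b68814aadfbb58a75bc.php?q=e8bd3799ee8799332593b0b9caa1f426 HTTP/1.1\r\n"
          "Host: lifeinsidedetroit.com\r\nReferer: http://adstairs.ro/\r\n\r\n", "text/html"),
    (2957, "GET /landing HTTP/1.1\r\nHost: qwe.mvdunalterableairreport.net\r\n"
           "Referer: http://lifeinsidedetroit.com/02024870e4644b68814aadfbb58a75bc.php"
           "?q=e8bd3799ee8799332593b0b9caa1f426\r\n\r\n", "application/octet-stream"),
]


def parse_request(raw):
    """Return lower-cased header name -> value from a raw HTTP request (request line skipped)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def redirect_chain(records, final_host):
    """Walk Referer headers backwards from final_host to the first site visited.
    The walk stops when a request's Referer points at a host already in the chain,
    i.e. the self-referer seen on www.earsurgery.org, or when there is no Referer."""
    referer_of = {}
    for _pkt, raw, _ctype in records:
        h = parse_request(raw)
        referer_of.setdefault(h.get("host"), h.get("referer"))  # first request per host wins
    chain, seen, host = [final_host], {final_host}, final_host
    while referer_of.get(host):
        prev = urlparse(referer_of[host]).hostname
        if prev is None or prev in seen:  # self-referer: this is the first site visited
            break
        chain.append(prev)
        seen.add(prev)
        host = prev
    return list(reversed(chain))  # oldest hop first


def octet_stream_downloads(records):
    """(packet, host) pairs whose response was application/octet-stream: the Export Objects step."""
    return [(pkt, parse_request(raw).get("host"))
            for pkt, raw, ctype in records if ctype == "application/octet-stream"]
```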