Introduction
On Friday 2016-04-15, Proofpoint researchers spotted CryptXXX [1], a new type of ransomware from the actors behind Reveton. CryptXXX is currently spread through Bedep infections sent by the Angler exploit kit (EK). So far, I've only seen Bedep send CryptXXX after Angler EK traffic caused by the pseudo-Darkleech campaign.
CryptXXX infections have their own distinct look.
Bedep recently improved its evasion capabilities [3]. It's being sent by one of the most capable EKs on the criminal market, and now we're seeing a new type of ransomware. Let's take a look at traffic from this Angler EK/Bedep/CryptXXX combo.
Details
Below is an image of traffic filtered in Wireshark from an Angler EK/Bedep/CryptXXX infection on 2016-04-23.
The first HTTP request is for the compromised website. Next, we see the following indicators of compromise (IOCs):
- 188.138.125.86 port 80 - bladjie.esteroscreenrepair.com - Angler EK
- 104.193.252.241 port 80 - qrwzoxcjatynejejsz.com - Bedep post-infection traffic
- 217.23.6.40 port 443 - CryptXXX ransomware callback traffic (encrypted)
- 93.190.141.27 port 80 - cetinhechinhis.com - Traffic from the click-fraud malware
- 95.211.205.218 port 80 - tedgeroatref.com - Traffic from the click-fraud malware
- 104.193.252.236 port 80 - rerobloketbo.com - Traffic from the click-fraud malware
- 162.244.34.11 port 80 - tonthishessici.com - Traffic from the click-fraud malware
- 207.182.148.92 port 80 - allofuslikesforums.com - Traffic from the click-fraud malware
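The indicators above are only useful if they get checked against your own logs. The script below is an added example (not part of the original diary) that sweeps proxy- or firewall-style log lines for the IP addresses and domains listed, matching subdomains of the listed domains as well. The log format (timestamp, source IP, destination IP, destination port, Host header or "-") and the sample lines are constructed for the example; adapt the field positions to whatever your proxy actually writes.

```python
#!/usr/bin/env python3
"""Sweep log lines for the Angler EK / Bedep / CryptXXX indicators from the diary.
Added example; the log format and sample lines are constructed, not from the diary."""

from __future__ import annotations

# Indicators taken from the diary, keyed to the role the diary assigns them.
IOC_IPS = {
    "188.138.125.86": "Angler EK",
    "104.193.252.241": "Bedep post-infection traffic",
    "217.23.6.40": "CryptXXX ransomware callback (TCP 443)",
    "93.190.141.27": "click-fraud malware",
    "95.211.205.218": "click-fraud malware",
    "104.193.252.236": "click-fraud malware",
    "162.244.34.11": "click-fraud malware",
    "207.182.148.92": "click-fraud malware",
}
IOC_DOMAINS = {
    "bladjie.esteroscreenrepair.com": "Angler EK",
    "qrwzoxcjatynejejsz.com": "Bedep post-infection traffic",
    "cetinhechinhis.com": "click-fraud malware",
    "tedgeroatref.com": "click-fraud malware",
    "rerobloketbo.com": "click-fraud malware",
    "tonthishessici.com": "click-fraud malware",
    "allofuslikesforums.com": "click-fraud malware",
}


def domain_matches(host: str) -> str | None:
    """Return the role if host equals a listed domain or is a subdomain of one.
    The leading dot in the suffix test keeps 'notexample.com' from matching 'example.com'."""
    host = host.lower().rstrip(".")
    for dom, role in IOC_DOMAINS.items():
        if host == dom or host.endswith("." + dom):
            return role
    return None


def scan_log(lines):
    """Each line (constructed format): '<ts> <src_ip> <dst_ip> <dst_port> <host-or-dash>'.
    Returns (line_no, src_ip, indicator, role) per hit; one line can hit on IP and host."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, src_ip, dst_ip, _dst_port, host = parts[:5]
        if dst_ip in IOC_IPS:
            hits.append((n, src_ip, dst_ip, IOC_IPS[dst_ip]))
        role = domain_matches(host) if host != "-" else None
        if role:
            hits.append((n, src_ip, host.lower(), role))
    return hits


def infected_sources(lines):
    """Map each internal source IP that hit an indicator to the set of roles seen."""
    out: dict[str, set[str]] = {}
    for _n, src_ip, _ind, role in scan_log(lines):
        out.setdefault(src_ip, set()).add(role)
    return out


# Constructed sample log: one benign line, the infection chain, a subdomain hit,
# an encrypted TCP/443 connection with no Host header, and a suffix trap.
SAMPLE_LOG = [
    "2016-04-23T14:02:01 10.0.0.25 93.184.216.34 80 example.com",
    "2016-04-23T14:02:03 10.0.0.25 188.138.125.86 80 bladjie.esteroscreenrepair.com",
    "2016-04-23T14:02:09 10.0.0.25 104.193.252.241 80 qrwzoxcjatynejejsz.com",
    "2016-04-23T14:02:15 10.0.0.25 217.23.6.40 443 -",
    "2016-04-23T14:02:20 10.0.0.25 93.190.141.27 80 www.cetinhechinhis.com",
    "2016-04-23T14:02:21 10.0.0.25 198.51.100.7 80 notcetinhechinhis.com",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d  src %s  matched %s  (%s)" % hit)
    print(infected_sources(SAMPLE_LOG))
```

Run it against real logs by replacing SAMPLE_LOG with the lines of your export. Note that the CryptXXX callback on TCP port 443 carries no Host header, so it only ever matches on the destination IP; that is why the IP list matters as much as the domain list for this campaign.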
As usual with the pseudo-Darkleech campaign, we find a distinctive pattern of injected script in a page from the compromised website.
Shown above: Start of injected pseudo-Darkleech script sent by the compromised site.
Aside from a few URL pattern changes, Angler EK remains recognizable. However, Angler EK now masquerades its payload as a Flash file [4]. But it's not actually Flash. It's the same kind of encrypted payload data as before, just disguised as a Flash file. As always, this gets decrypted on the victim
Shown above: Angler EK masquerading the encrypted payload as a Flash file.
As Proofpoint's blog post already noted, CryptXXX uses a custom protocol on TCP port 443 for its callback traffic.
Since this is a fileless infection (an old Angler trick), Bedep runs only in memory. You won't find it on the infected host's disk. But the traffic always provides clues. When looking at the traffic in Wireshark, use File -> Export Objects -> HTTP. In that list, you'll see where Angler EK sends the encrypted Bedep payload (disguised as a 775 kB Flash file).
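Two of the observations above turn into simple content checks that do not depend on the IOCs of the day: a payload served as Flash that does not start with a SWF header, and a TCP/443 conversation whose client bytes are not a TLS ClientHello. The code below is an added example (not from the diary or from Proofpoint) of both checks over constructed sample bytes; the HTTP response and the "callback" bytes are made up for illustration and are not taken from the pcap.

```python
#!/usr/bin/env python3
"""Content checks for the two traffic oddities discussed above.
Added example with constructed sample data; not from the original diary."""

# SWF files start with one of these three-byte signatures
# (uncompressed, zlib-compressed, LZMA-compressed).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status_line, lowercased-header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def classify_flash_response(raw: bytes) -> str:
    """'swf'        -> claims Flash and the body carries a SWF signature
       'masquerade' -> claims Flash (Content-Type or a .swf filename) but no SWF signature
       'other'      -> does not claim to be Flash at all"""
    _status, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").lower()
    disp = headers.get("content-disposition", "").lower()
    claims_flash = "x-shockwave-flash" in ctype or ".swf" in disp
    if not claims_flash:
        return "other"
    return "swf" if body[:3] in SWF_MAGICS else "masquerade"


def is_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the first client bytes look like a TLS record carrying a ClientHello:
    record type 0x16, version 0x03 0x00..0x03, 2-byte length, handshake type 0x01.
    Legacy SSLv2-style hellos are not covered, which is fine for a first-pass triage."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x03 and first_bytes[5] == 0x01)


def triage_port443(first_bytes: bytes) -> str:
    """Label a TCP/443 client-to-server payload for a quick analyst review."""
    if is_tls_client_hello(first_bytes):
        return "tls"
    if first_bytes[:4] in (b"GET ", b"POST", b"HEAD"):
        return "plaintext-http-on-443"
    return "non-tls-on-443"  # worth a closer look, as with the CryptXXX callback


# --- constructed sample data -------------------------------------------------
REAL_SWF_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n"
                     b"Content-Length: 8\r\n\r\nCWS\x0a\x00\x00\x00\x00")
FAKE_SWF_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n"
                     b"Content-Length: 8\r\n\r\n\x8b\x12\x7f\x03\xd4\x41\x09\xee")
HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
TLS_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"   # start of a TLS 1.0 record
ODD_443_PAYLOAD = b"\x00\x00\x01\x00\x6a\x2c\x9f\x11"          # constructed, not TLS


def demo() -> dict:
    return {
        "real_swf": classify_flash_response(REAL_SWF_RESPONSE),
        "fake_swf": classify_flash_response(FAKE_SWF_RESPONSE),
        "html": classify_flash_response(HTML_RESPONSE),
        "tls": triage_port443(TLS_HELLO),
        "odd": triage_port443(ODD_443_PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9s} {v}")
```

Feed the first few hundred bytes of each exported object (or each TCP stream's first client segment) from the pcap into these functions. The size check the diary mentions (a roughly 775 kB "Flash" file) is a useful secondary signal, but the missing SWF signature is what makes the masquerade unambiguous.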
Artifacts left behind on the infected Windows host include:
- C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a
- C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\msvcp60.dll
- C:\ProgramData\3A1DC4C4719C.dat
- C:\Users\Public\Music\Sample Music\de_crypt_readme.bmp
- C:\Users\Public\Music\Sample Music\de_crypt_readme.html
- C:\Users\Public\Music\Sample Music\de_crypt_readme.txt
- C:\Users\Public\Pictures\Sample Pictures\de_crypt_readme.bmp
- C:\Users\Public\Pictures\Sample Pictures\de_crypt_readme.html
- C:\Users\Public\Pictures\Sample Pictures\de_crypt_readme.txt
- C:\Users\Public\Videos\Sample Videos\de_crypt_readme.bmp
- C:\Users\Public\Videos\Sample Videos\de_crypt_readme.html
- C:\Users\Public\Videos\Sample Videos\de_crypt_readme.txt
- C:\Users\[username]\AppData\Local\Temp\{F4DD9BAF-BD38-4055-90EE-07C071479B6A}\api-ms-win-system-acproxy-l1-1-0.dll
The files under C:\ProgramData are from the click-fraud malware; the DLL under the user's Temp directory is the CryptXXX ransomware. Both pieces of malware were saved to disk as DLL files. The de_crypt_readme files in the Public folders are the ransom notes dropped by CryptXXX.
Final words
This diary doesn't reveal anything new for Angler EK/Bedep/CryptXXX. However, I believe this combination is a significant development in EK-sourced ransomware. It deserves more scrutiny. Hopefully, repeated exposure will keep everyone aware of this continuing threat.
Pcap and malware for today's diary can be found here [2]. Earlier examples are available at:
- http://malware-traffic-analysis.net/2016/04/18/index.html
- http://malware-traffic-analysis.net/2016/04/20/index.html
- http://malware-traffic-analysis.net/2016/04/22/index.html
---
Brad Duncan
brad [at] malware-traffic-analysis.net
References:
[1] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler
[2] http://malware-traffic-analysis.net/2016/04/23/index.html
[3] http://malware.dontneedcoffee.com/2016/04/bedepantiVM.html
[4] https://twitter.com/kafeine/status/718449401396654080