The Return of Angler EK: Chinese Website Redirects to Cryptowall 3.0

Written by

Despite the recent attempt to take down the Angler Exploit Kit, a Chinese government website recently was compromised, exploiting Flash and directing users to the CryptoWall 3.0 payload.

Researchers at Zscaler said in an analysis that it's back to business as usual for kit operators. Last week, ThreatLabZ noticed a compromised Chinese government website that was directing visitors to ransomware. The "Chuxiong Archives" website, www.cxda[.]gov.cn, was compromised with injected code. The site has a similar look and feel to both the Chuxiong Yi Prefecture and Chuxiong City websites and appears somewhat inactive.

The compromised site was cleaned up within 24 hours, but the situation alerted Zscaler to recent changes to Angler, as well as the inclusion of newer Flash exploits.

“The injected code was before the opening HTML tag and was heavily obfuscated,” researchers noted. “The code, shown below, is very similar to other recent compromises we've observed and was present on every page of the site, suggesting a complete site compromise.”

Consistent with other recent examples, the injected code appeared to target Internet Explorer (IE)—the use of Mozilla Firefox and Google Chrome consistently resulted in errors when attempting to execute the code—and no redirection occurred.

“IE has no issues executing the code, however, which unsurprisingly decodes to an iframe leading to an Angler EK landing page,” Zscaler said. “While we did not have access to the server-side code, it likely retrieves landing page URLs from a remote server since we observed iframes leading to multiple different Angler domains within a brief period of time.”

The landing page for Angler is immediately recognizable, but with some notable recent changes.

“For example, instead of using a long block of around seven-character long strings inside divs tag, the newer landing pages use 'li' tags and most of the strings are only about two characters long,” researchers explained. “Additionally, there's a conspicuous 'triggerApi' function toward the top of the main script block.”

In fact, we compared the sample from his recent post with one obtained from this infection and the structure is identical, with very few changes in the actionscript. The biggest change we saw was in the embedded binary data.

Upon successful exploit cycle, a new CryptoWall 3.0 variant from the crypt13 campaign was downloaded and installed on the target machine.

“While these attacks were not targeted in nature, this is the first instance where we saw EK operators leveraging a government site to target end users,” Zscaler researchers said. “One interesting observation is that we no longer see any Diffie-Helman POST exchange to prevent replaying captured sessions for offline analysis. Additionally, there was a much larger number of C&C servers than we've previously observed, and some of the domain names seem to suggest multi-use hosts (e.g.: spam, bitcoin mining, etc). Note that none of the C&C servers are pseudo-randomly generated domains.”

What’s hot on Infosecurity Magazine?