Angler EK exploits Flash 21,0,0,213, sending URSNIF


NOTES:
ActionScript is the programming language that runs inside the Flash Player runtime environment. Angler Exploit Kit is now using Actionscript // 32 to exploit Flash 21,0,0,213. On my first run at this site, using Flash version 19,0,0,245, Angler used Actionscript // 13 and did not cause an infection chain. On my second run, using Flash version 21,0,0,213, Angler used Actionscript // 32 and caused this infection chain. I have also seen a similar change in Neutrino Exploit Kit, which used Actionscript // 32 when exploiting Flash version 21,0,0,213.

ASSOCIATED DOMAINS:

  • 85.93.0.81 – bujsexy.tk – EITEST GATE
  • 185.141.27.170 – f17.nvytwirvb.top – Angler LANDING PAGE
  • 128.183.114.107 – nssdc.gsfc.nasa.gov – Ursnif CONNECTION CHECK
  • 158.69.183.24 – evtwofromdamagemost.pw – GET /images/ – Ursnif POST INFECTION TRAFFIC
  • 158.69.183.24 – evtwofromdamagemost.pw – POST /images/ – Ursnif POST INFECTION TRAFFIC

 

IMAGES and DETAILS:

Shown above: EITEST Gate and Angler Exploit Kit landing page

 

Shown above: Using the Wireshark "Follow Stream" view on the EITEST gate shows the injected script redirecting to the Angler EK landing page

 

Shown above: Packets 3050 and 3530 show the EITEST gate, packet 3972 shows Angler exploiting Flash, and packet 4324 shows Angler EK sending the malicious payload served under the "application/x-shockwave-flash" content type to disguise it as a Flash file

 

Shown above: Extracting the Flash file using Wireshark File => Export Objects => HTTP to examine its metadata. The file was saved as flash2.swf and the metadata examined with Flare (http://www.nowrap.de/flare.html)

 

Shown above: Flash metadata from the first run at the compromised site, using Flash version 19,0,0,245, shows Angler using Actionscript // 13

 

Shown above: Flash metadata from the second run at the compromised site, using Flash version 21,0,0,213, shows Angler using Actionscript // 32
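The header fields and tag list that a decompiler such as Flare reports can also be read directly from the exported SWF, which is handy when comparing two samples pulled from pcaps as above. The script below is an added example written for this page, not code from the original post or from Flare; it constructs its own minimal SWF (the flash2.swf from this capture is not embedded here) and reads the version byte, frame size, and the ActionScript3 flag from the FileAttributes tag, then lists the tag codes (DoABC, DefineBinaryData and so on) that show whether the file carries AS3 bytecode and embedded binary blobs. Only FWS (uncompressed) and CWS (zlib) containers are handled; LZMA-compressed ZWS files are rejected.

```python
"""Read the SWF header and tag list of a Flash file exported from a pcap.

Added example, not from the original post: it builds its own minimal SWF
rather than using the flash2.swf extracted from this capture.
Only FWS (uncompressed) and CWS (zlib) containers are handled.
"""
import struct
import zlib

# SWF tag codes worth noting when triaging exploit-kit Flash files.
TAG_NAMES = {
    0: "End",
    69: "FileAttributes",    # carries the ActionScript3 flag
    76: "SymbolClass",
    82: "DoABC",             # compiled ActionScript 3 bytecode
    87: "DefineBinaryData",  # opaque blob, often an embedded second stage
}


def _read_rect(body, pos):
    """Decode the SWF RECT: 5-bit field width, then four signed fields."""
    nbits = body[pos] >> 3
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    bits = int.from_bytes(body[pos:pos + nbytes], "big")
    shift = nbytes * 8 - 5
    values = []
    for _ in range(4):
        shift -= nbits
        v = (bits >> shift) & ((1 << nbits) - 1)
        if v & (1 << (nbits - 1)):       # sign-extend (fields are SB[nbits])
            v -= 1 << nbits
        values.append(v)
    return values, pos + nbytes


def _read_tags(body, pos):
    """Walk the tag list: UI16 header = code << 6 | length; 0x3F means UI32 length follows."""
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:
            break
    return tags


def parse_swf(data):
    sig = data[:3]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("unsupported or non-SWF signature %r" % sig)
    version = data[3]
    file_length = struct.unpack("<I", data[4:8])[0]   # uncompressed length incl. header
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    (xmin, xmax, ymin, ymax), pos = _read_rect(body, 0)
    frame_rate, frame_count = struct.unpack_from("<HH", body, pos)
    tags = _read_tags(body, pos + 4)
    # FileAttributes: bit 3 of the first byte is the ActionScript3 flag.
    as3 = any(code == 69 and (payload[0] >> 3) & 1 for code, payload in tags)
    return {
        "signature": sig.decode(),
        "version": version,
        "file_length": file_length,
        "body_length": len(body),
        "frame_size_px": ((xmax - xmin) / 20, (ymax - ymin) / 20),  # twips -> px
        "frame_rate": frame_rate / 256,                               # 8.8 fixed point
        "frame_count": frame_count,
        "actionscript3": as3,
        "tags": [TAG_NAMES.get(code, "Tag%d" % code) for code, _ in tags],
    }


def _encode_rect(xmin, xmax, ymin, ymax, nbits=15):
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    val = nbits
    for v in (xmin, xmax, ymin, ymax):
        val = (val << nbits) | (v & ((1 << nbits) - 1))
    val <<= nbytes * 8 - total_bits
    return val.to_bytes(nbytes, "big")


def _encode_tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample_swf(version, as3):
    """Constructed minimal CWS file: 550x400 px, 24 fps, one frame, with the tag
    mix an AS3 exploit SWF typically shows. Tag payloads are dummy bytes."""
    attrs = bytes([0x08 if as3 else 0x00, 0, 0, 0])
    body = _encode_rect(0, 11000, 0, 8000) + struct.pack("<HH", 24 << 8, 1)
    body += _encode_tag(69, attrs)
    body += _encode_tag(82, b"\x00\x00\x00\x00frame1\x00" + b"\x00" * 80)
    body += _encode_tag(87, struct.pack("<HI", 1, 0) + b"MZ" + b"\x90" * 62)
    body += _encode_tag(0, b"")
    header = b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


if __name__ == "__main__":
    for ver, flag in ((13, False), (32, True)):
        info = parse_swf(build_sample_swf(ver, flag))
        print("SWF v%d AS3=%s tags=%s" % (info["version"], info["actionscript3"], info["tags"]))
```

To inspect a real export, replace the constructed sample with `parse_swf(open("flash2.swf", "rb").read())`; the version byte and the AS3 flag are the two fields to compare between the two runs, and a DefineBinaryData tag is where an embedded payload usually sits.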

 

Shown above: URSNIF connection check to .nasa.gov and post-infection traffic

 

Shown above: URSNIF data exfiltration in a .bin file

 

MALICIOUS PAYLOAD SENT BY ANGLER EK: