When e2e-assure discovered a suspicious webpage had been visited by a host on a client’s network we decided to analyse the script contained within the webpage to find out its functionality. What we discovered was a landing page used by the sophisticated exploit kit ‘Angler’…
This blog post details the process of de-obfuscation and analysis carried out against a copy of a malicious webpage in order to reveal the intent of the script lurking within it.
Analysing the malicious page
The HTML Code
The html code for the page in question had several interesting features:
- English-language text from Jane Austen’s ‘Sense and Sensibility’ inserted into seemingly random HTML elements tags
- Paragraphs of encrypted text
After de-obfuscation, the purpose of the script was made much clearer and comments were added to the script as the analysis progressed:
- An apparently unused function at the top of the section
- A ‘core section’ with the purpose of decrypting the encrypted text paragraphs in the document body, which then used the ‘appendChild’ method to add them to the main document
- An array, containing encrypted unknown data
- It contained a file-checking function, which checked for common anti-virus programs installed on the system
- It checked for a Kaspersky virtual keyboard (raising suspicions the final payload might include a key logger program– a virtual keyboard might interfere with the function of a key logger program)
- It created and opened an Adobe Flash Player object, delivering a presumably corrupted movie file from a known malware site
This ‘Angler’ exploit kit was attempting to use a vulnerability (patched in July 2015) which is documented on Microsoft TechNet
The webpage accessed by a user of our services contained code used by the ‘Angler’ exploit kit. This kit has been previously used to deliver payloads such as the Cryptowall ransomware – a nasty piece of malware detailed on BleepingComputer
Once again, this illustrates the importance of keeping operating systems up-to-date and patched. The witnessed attempts to legitimise and hide the functionality of this landing page shows clear intent by the developer to circumvent traditional signature-based intrusion prevention and endpoint protection controls.
Preventing infection from Exploit Kits
There are a number of basic steps that can be taken to help prevent Exploit Kits like Angler from introducing malware into your network:
Keep operating systems and applications up-to-date
Exploit Kits target software vulnerabilities. Keep operating systems and key applications like Flash, Java and browsers up-to-date. There are a number of applications commercially available that complement OS vendors’ own update systems to deploy third-party software updates including Flash, Java etc. and report on non-compliant systems.
Only use privileged accounts where necessary
It is recommended to use privileged accounts for system administration tasks only and use a separate, lower-privilege account for day-to-day tasks. Malware will commonly run with the privilege-level of the currently-logged-on user. If that user has administrative privileges, the malware has unrestricted access to key areas of the system to establish persistence and spread through a network – especially important when dealing with ransomware.
Ensure Endpoint Protection and Intrusion Prevention controls include web-based protection functionality and are configured to receive regular signature updates
Exploit Kit landing pages have unique signatures and can be detected by anti-malware and anti-intrusion controls that are aware of these signatures. Landing pages are becoming more sophisticated in their obfuscation, but client-based intrusion prevention and endpoint protection modules can still prevent exploitation before the payload is downloaded, providing web-based detection is active and up-to-date.