Angler Exploit Kit and CryptoWall 3.0 Incident Response
Angler Exploit Kit Attack Vector
We have seen a huge rise in the Angler Exploit Kit serving up CryptoWall 3.0 in the past few weeks, encrypting people's file servers and forcing them to restore from backups to get rid of the infection. Nobody has resorted to paying the ransom that is asked of them.
The infection vector looks similar to the diagram displayed below:
(Diagram: CryptoWall v3.0 ransomware infection chain)
Steps to infection:
- User visits a website.
- The website is serving up the Angler Exploit Kit, regardless of the visitor's current patch level.
- A request carrying some queries is sent back to the C&C.
- The client then receives a Flash zero-day, which drops whatever payload the kit is currently serving, at present CryptoWall 3.0, onto the machine.
- The client receives a notification that its files are encrypted and a ransom is demanded; the files HELP_DECRYPT.txt, HELP_DECRYPT.PNG and HELP_DECRYPT.html will appear on your local drives and on shared network drives.
A list of the file extensions targeted is below:
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
There are many other attack vectors, such as double-clicking on and opening an email attachment, clicking on a link, a malicious website, a legitimate website that has been hacked, or getting infected via an advertising network, to name a few, but the most common at the moment are the Flash zero-days served up from the Angler Exploit Kit on a legitimate website. Email is also a huge vector for infection: if you receive an email with an attachment or a link to a missed DHL or FedEx shipment, for example, you should delete the email, especially if you weren't expecting it!
Some clients may also infect themselves by clicking on a website pop-up so that they can view content on the site. A good example of this is a fake YouTube video of some cats doing very silly things, which requires you to install a fake, malicious plug-in to "update your Flash" and view the video; who doesn't love silly cats?
The Angler Exploit Kit has been turned into a model which rapidly integrates new zero-days almost as soon as they have been released, so even with the latest up-to-date version of Flash or Java, for example, you actually don't stand a chance. While assisting in incident response for certain businesses I have noticed that both the method of communication between the client and the C&C and the URLs they use differ greatly from one infection to the next. It is currently a never-ending game of cat and mouse where the AEK seems to be ahead of the curve, already evading whatever is currently detecting it, and because of this it is common for signatures to miss the latest variant.
I have found web domains are a very good way to hunt CryptoWall 3.0 after an infection, to see if any other clients have been compromised. Say, for example, your client was infected at 13:24 on July 14th: all you have to do is look for access from that client machine to any websites or IP addresses during that time period to help your investigation.
If you notice accesses to a domain which may not necessarily look suspicious (for example pktxxxx.nl), you can check it very easily using VirusTotal's URL advisor:
You can then also very easily check your logs or traffic for that period and see whether any other machines on your network have accessed this site and have also been infected.
If you get a hit with VirusTotal there is a good chance that by Googling the domain or IP address in quotes ("domain.com") you will see some information that backs this up, with a heading like the one below:
(Screenshot: Google search results for the domain, headed Angler EK)
While this is a manual process, it is an excellent way to discover the initial vector from which CryptoWall 3.0 was delivered to the client system.
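The two-step pivot described above (domains reached by the infected host in the minutes before encryption, then every other host that reached the domain VirusTotal flags) is easy to script once the logs are exported. The following is an added example written for this post, not NetFort's own code or a product feature: it assumes a generic "timestamp client domain" proxy or DNS log, and every host address, domain and timestamp in the sample is constructed, except that it reuses the post's own placeholder domain pktxxxx.nl and the 13:24 infection time.

```python
"""Pivot on access logs around a known infection time to find the delivery
domain, then every other host that contacted it.

Added example, not part of the original NetFort post. Log format, hosts,
domains and times are constructed; pktxxxx.nl is the post's placeholder.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log in a generic "YYYY-MM-DD HH:MM:SS client domain" format.
SAMPLE_LOG = """\
2015-07-14 13:20:11 10.0.0.21 www.example-news.test
2015-07-14 13:21:05 10.0.0.21 cdn.example-news.test
2015-07-14 13:22:40 10.0.0.21 ads.example-adnet.test
2015-07-14 13:23:02 10.0.0.21 pktxxxx.nl
2015-07-14 13:23:09 10.0.0.21 pktxxxx.nl
2015-07-14 13:24:00 10.0.0.21 update.example-vendor.test
2015-07-14 13:31:44 10.0.0.35 www.example-news.test
2015-07-14 13:52:18 10.0.0.35 pktxxxx.nl
2015-07-14 14:10:01 10.0.0.42 www.example-news.test
2015-07-15 09:02:33 10.0.0.17 pktxxxx.nl
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client_ip, domain) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def domains_for_host(records, client_ip, infection_time,
                     before_minutes=10, after_minutes=2):
    """Step 1: domains the infected host reached in a window around the
    time the files were encrypted, with hit counts, in first-seen order."""
    start = infection_time - timedelta(minutes=before_minutes)
    end = infection_time + timedelta(minutes=after_minutes)
    seen = {}
    for ts, ip, domain in records:
        if ip == client_ip and start <= ts <= end:
            seen[domain] = seen.get(domain, 0) + 1
    return seen


def hosts_for_domain(records, domain):
    """Step 2: once a domain is confirmed malicious (e.g. by VirusTotal),
    list every host that contacted it with first and last contact times."""
    hosts = {}
    for ts, ip, d in records:
        if d != domain:
            continue
        first, last = hosts.get(ip, (ts, ts))
        hosts[ip] = (min(first, ts), max(last, ts))
    return hosts


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    infected_at = datetime(2015, 7, 14, 13, 24)  # time from the post's example
    print("Domains contacted by 10.0.0.21 shortly before encryption:")
    for d, n in domains_for_host(records, "10.0.0.21", infected_at).items():
        print(f"  {d} ({n} hits)")
    # Assume pktxxxx.nl came back flagged; find every other exposed host.
    print("Hosts that contacted pktxxxx.nl:")
    for ip, (first, last) in sorted(hosts_for_domain(records, "pktxxxx.nl").items()):
        print(f"  {ip}: {first} .. {last}")
```

The short pre-infection window is deliberate: the redirect to the exploit kit landing page happens seconds to minutes before the payload runs, so a tight window keeps the candidate list small enough to check by hand. Hosts returned by the second step that have not yet shown ransom notes are the ones to isolate and examine first.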
An example of some of the information seen from a recent infection is shown below:
In this example the "POLICY Outdated Windows Flash Version IE" signature prompted me to look a bit deeper at this triggered alert, as there were no signatures triggering for the latest version of the Angler Exploit Kit or CryptoWall at the time. Expanding further on this led me to a domain which VirusTotal confirmed was serving up the Angler Exploit Kit, as it was flagged as malicious and linked to the Angler Exploit Kit.
The forum has a few resources on this, from a brief overview of ransomware to tips on hunting down the source of an infection on your network; if you are having difficulty tracking down a ransomware infection, try the tips and you will hopefully get to the bottom of things.
Finally, do not forget to make regular backups!
NetFort Support Team