The Angler Exploit Kit has become a model for how quickly malware can integrate new evasion techniques.
Starting in early June, the URL patterns used by the notorious exploit kit have been changing almost daily, coinciding with its pushing of Cryptowall 3.0 ransomware. SANS Internet Storm Center handler Brad Duncan, a security researcher with Rackspace, said that current traffic is almost unrecognizable compared to samples from as recently as June 9.
“The changes in URL patterns for Angler are likely a way to avoid detection by IDS appliances,” Duncan said. “That’s speculation on our part, but it seems like a likely reason for the changes.”
While Angler still pushes out various malware payloads, it seems to have taken a liking to Cryptowall 3.0. The ransomware encrypts files on a victim’s machine and holds them hostage until a ransom of anywhere from $500 to several thousand dollars is paid in Bitcoin; only then is the decryption key shared with the victim. The FBI issued an alert on Cryptowall 10 days ago and said that losses related to infections totaled more than $18 million in the U.S.
“Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers. Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million,” the FBI advisory said.
Since February, Cryptowall 3.0 infections have come almost exclusively from exploit kits. Researchers at Cisco reported that the dropper used by Cryptowall 3.0 contained no exploits of its own, meaning the dropper was no longer the mechanism of propagation. The Angler Exploit Kit stepped up in late May and began distributing the ransomware at a heavy clip, alongside a simultaneous spam campaign that was also finding some traction.
The criminals’ heavy investment in new URL schemes suggests the profit margins behind these campaigns are high. Duncan said he noticed subtle changes to the URL patterns not only in the HTTP GET requests for the Angler landing page, but also in the requests for the Flash exploit used in the attacks and for the Cryptowall payload itself.
For example, between June 9 and 12 the URL strings changed pattern, adding a question mark followed by a query string of the form [wordstring]=[numberstring]. By June 15, Duncan said, the landing page request had changed again, with variations in the random strings and some numerals spelled out as words. By the next day, the numerals were no longer spelled out in the requests.
“The next day on 2015-06-16, we don’t see any numbers spelled out any more. The patterns went from &one &two &three (and so on) to &[random word],” Duncan said, adding that one day later there were still more changes, this time to the length of the alphabetic strings. As of Wednesday, the requests had completely morphed from the original June 9 sample, with the search string changing to “search?q=” instead of search?[random characters], Duncan said.
This cat-and-mouse game requires constant adjustment not only of signatures but also of the Perl Compatible Regular Expressions (PCRE) used to match the URL patterns, Duncan said. PCRE is the regular-expression syntax behind the pcre option of Snort rules, which numerous IDS appliances run, so every change in URL shape means a rule someone has to rewrite.
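To show what that maintenance burden looks like in practice, here is an added example that is not part of the original article and not code from Duncan, SANS or the Snort project. It parses the pcre option out of a handful of hypothetical Snort-style rules, one per URL shape reported above, and runs them over constructed HTTP request lines that imitate those shapes (the request lines and rules are assumptions for illustration, not real Angler traffic or published signatures). The point it makes is that a rule written tightly for the June 9 shape fires on nothing from June 12 onward, and each new shape needs its own rule or a deliberately loosened one. It assumes the sensor has already extracted the GET request line; real Snort matches pcre against packet or normalized-URI buffers, which this evaluator does not model.

```python
import re
from dataclasses import dataclass

# Constructed request lines (assumptions, not captured traffic), keyed by the
# day whose reported URL shape each one imitates, plus two benign controls.
SAMPLE_REQUESTS = {
    "2015-06-09": "GET /k3jd9sla2/m4x8 HTTP/1.1",
    "2015-06-12": "GET /k3jd9sla2/m4x8?keyword=48172651 HTTP/1.1",
    "2015-06-15": "GET /search?zq81m&one=ab3&two=cd9&three=ef0 HTTP/1.1",
    "2015-06-16": "GET /search?zq81m&apple=ab3&river=cd9&stone=ef0 HTTP/1.1",
    "2015-06-17": "GET /search?q=zq81mpo&apple=ab3&river=cd9&stone=ef0 HTTP/1.1",
    "benign-search": "GET /search?q=angler+exploit+kit HTTP/1.1",
    "benign-page": "GET /index.html HTTP/1.1",
}

# Hypothetical Snort-style rules, one per shape. Only msg, pcre and sid are
# interpreted here; the rule header is kept for realism but not evaluated.
RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EK landing, June 9 shape"; pcre:"/^GET \/[a-z0-9]{8,12}\/[a-z0-9]{3,6} HTTP/i"; sid:1000001;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EK landing, June 12 shape ?word=number"; pcre:"/^GET \/[a-z0-9]+\/[a-z0-9]+\?[a-z]+=[0-9]+ HTTP/i"; sid:1000002;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EK landing, June 15 shape spelled-out numerals"; pcre:"/\?[a-z0-9]+(&(one|two|three|four|five)=[a-z0-9]+){3}/i"; sid:1000003;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EK landing, June 16 shape &randomword="; pcre:"/\?[a-z0-9]+(&[a-z]+=[a-z0-9]+){3}/i"; sid:1000004;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EK landing, June 17 shape search?q="; pcre:"/\/search\?q=[a-z0-9]+(&[a-z]+=[a-z0-9]+){3}/i"; sid:1000005;)',
]


@dataclass
class Rule:
    sid: int
    msg: str
    pattern: re.Pattern


# The pcre body runs between the first unescaped '/' pair; '\/' inside it is
# Snort's escape for the delimiter. Flags follow the closing delimiter.
_PCRE_RE = re.compile(r'pcre:"/((?:\\.|[^\\/])*)/([A-Za-z]*)"')
_MSG_RE = re.compile(r'msg:"([^"]*)"')
_SID_RE = re.compile(r"sid:(\d+);")


def parse_rule(text: str) -> Rule:
    """Extract sid, msg and a compiled regex from one Snort-style rule line."""
    m = _PCRE_RE.search(text)
    if not m:
        raise ValueError("rule has no pcre option")
    body, flags = m.group(1), m.group(2)
    body = body.replace(r"\/", "/")  # Python's re needs no delimiter escaping
    re_flags = 0
    for f in flags:
        if f == "i":
            re_flags |= re.IGNORECASE
        elif f == "s":
            re_flags |= re.DOTALL
        elif f == "m":
            re_flags |= re.MULTILINE
        # Snort buffer modifiers such as U, R or B are ignored: this evaluator
        # matches the whole request line, not a normalized URI buffer.
    sid = int(_SID_RE.search(text).group(1))
    msg = _MSG_RE.search(text).group(1)
    return Rule(sid, msg, re.compile(body, re_flags))


def evaluate(rules, requests):
    """Return {sample_name: [sid, ...]} listing every rule that fires on each sample."""
    return {name: [r.sid for r in rules if r.pattern.search(line)]
            for name, line in requests.items()}


def missed(rules, requests, malicious_prefix="2015-"):
    """Malicious samples no rule fires on: the gap the analyst has to close next."""
    return [name for name, sids in evaluate(rules, requests).items()
            if name.startswith(malicious_prefix) and not sids]


if __name__ == "__main__":
    rules = [parse_rule(t) for t in RULES]
    print("with only the June 9 rule, missed:", missed(rules[:1], SAMPLE_REQUESTS))
    print("with all five rules, missed:", missed(rules, SAMPLE_REQUESTS))
    for name, sids in evaluate(rules, SAMPLE_REQUESTS).items():
        print(f"{name:14s} -> {sids or 'no alert'}")
```

Note that sid 1000004 is deliberately looser than sid 1000003 and also fires on the June 15 sample, which is the usual trade-off: a pattern wide enough to survive the next day's mutation is also closer to firing on legitimate query strings, so the benign controls are the part of the table worth watching as rules get loosened.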