Chinese government website compromised, leads to Angler

Chinese government website compromised, leads to Angler

Zscaler, the Internet security company, has noticed a compromised Chinese government website that led to the Angler Exploit Kit with an end payload of Cryptowall 3.0.

The “Chuxiong Archives” website, www.cxda[.]gov.cn, was compromised with injected code, but the compromise does not appear targeted and the site was cleaned up within 24 hours. The Threatlabz team have noticed some recent changes to Angler, as well as the inclusion of newer Flash exploits.

The Zscaler team’s full analysis can be read below:

Introduction

Despite a recent takedown targeting the Angler Exploit Kit (EK), it’s back to business as usual for kit operators. On 30-October-2015, ThreatLabZ noticed a compromised Chinese government website that led to the Angler Exploit Kit with an end payload of Cryptowall 3.0. This compromise does not appear targeted and the compromised site was cleaned up within 24 hours. We have noticed some recent changes to Angler, as well as the inclusion of newer Flash exploits. A set of indicators for this compromise is at the end of this post.

Compromised Site

The “Chuxiong Archives” website, www.cxda[.]gov.cn, was compromised with injected code. The site has a similar lookand feel to both the Chuxiong Yi Prefecture and Chuxiong City websites and appears somewhat inactive, but surprisingly the site was remediated in less than 24 hours. The full infection cycle from compromised site to encrypted payload is shown in the fiddler session below.

Infection cycle
Infection cycle

The injected code was before the opening HTML tag and was heavily obfuscated. The code, shown below, is very similar to other recent compromises we’ve observed and was present on every page of the site, suggesting a complete site compromise.

Chinese government website compromised, leads to Angler
Injected script

Consistent with other recent examples, the injected code appears to target Internet Explorer (IE) since Firefox and Chrome consistently throw errors when attempting to execute the code and no redirection occurs. IE has no issues executing the code, however, which unsurprisingly decodes to an iframe leading to an Angler EK landing page:

Decoded injected code
Decoded injected code

While we did not have access to the server-side code, it likely retrieves landing page URLs from a remote server since we observed iframes leading to multiple different Angler domains within a brief period of time.

Landing Page

The landing page for Angler is immediately recognisable, but with some notable recent changes. For example, instead of using a long block of around seven-character long strings inside divs tag, the newer landing pages use ‘li’ tags and most of the strings are only about two characters long. Additionally, there’s a conspicuous ‘triggerApi’ function toward the top of the main script block:

Chinese government website compromised, leads to Angler
Short strings and triggerApi function

Outside of these changes, the functionality of the landing page appears unchanged, and the goal is naturally to serve up a malicious SWF:

Chinese government website compromised, leads to Angler
Decoded landing page SWF objects

Malicious SWF – CVE-2015-7645

Kafeine already broke the news that Angler is exploiting Flash 19.0.0.207, and we can corroborate that with the samples we’ve observed.

Chinese government website compromised, leads to Angler
Flash 19.0.0.207 being exploited

In fact, we compared the sample from his recent post with one obtained from this infection and the structure is identical, with very few changes in the actionscript. The biggest change we saw was in the embedded binary data.

Chinese government website compromised, leads to Angler
SWF structure, 30-Oct sample on the left, Kafeine’s sample on the right
Chinese government website compromised, leads to Angler
Comparison of binary data, 30-Oct sample on the left, Kafeine’s sample on the right

Upon successful exploit cycle, a new CryptoWall 3.0 variant from the crypt13 campaign is downloaded and installed on the target machine. The image below shows a decrypted Command & Control (C&C) communication message from the CryptoWall variant which also contains the total number of files encrypted on the target system:

Chinese government website compromised, leads to Angler
CryptoWall 3.0 C&C message reporting encrypted file count

Final Thoughts

As stated, this seems to be business as usual for Angler EK operators. While these attacks were not targeted in nature, this is the first instance where we saw EK operators leveraging a government site to target end users. One interesting observation is that we no longer see any Diffie-Helman POST exchange to prevent replaying captured sessions for offline analysis. Additionally, there was a much larger number of C&C servers than we’ve previously observed, and some of the domain names seem to suggest multi-use hosts (e.g.: spam, bitcoin mining, etc). Note that none of the C&C servers are pseudo-randomly generated domains. ThreatLabZ will continue to track new developments with the Angler Exploit Kit.

[su_button url=”https://www.zscaler.com/” target=”blank” style=”flat” background=”#df2027″ color=”#ffffff” size=”10″ radius=”0″ icon=”icon: arrow-circle-right”]For more information on Zscaler click here[/su_button]

Georgina Turner image

Georgina Turner

Sales Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Graphic displaying a lockdown solution

Netgenium debuts next gen display and touchscreen technologies

Power-over-Ethernet (PoE) solutions specialist Netgenium will be showcasing its new range of IP…

ICT® Launches New TSL Access Reader Series

Integrated Control Technology (ICT®), a leading manufacturer of intelligent access control and…
Image Provided by Paxton

Paxton Partners with Skills for Security

The security technology manufacturer Paxton is proud to announce a partnership with Skills for Security…
Image Provided by ICT

ICT and Ingram Micro sign distribution agreement MEA

Integrated Control Technology (ICT), award-winning global manufacturer of intelligent electronic access control and security solutions..
Image Provided by Toshiba

Toshiba launches new HDD Innovation Lab

Toshiba Electronics Europe GmbH (Toshiba) has inaugurated a new HDD Innovation Laboratory (HDD Innovation Lab) at its site in Düsseldorf..
Image Provided by Verkada

Verkada Doubles Down on the Channel with Strategic New Hire

Verkada, a leader in cloud-based physical security, today announced the appointment of Micah Deriso as Head of Global Channel…
Image Provided by IPSA

IPSA Appoint Frontline Hero as Ambassador

Abdullah, the courageous security officer praised for foiling a horrific knife attack at Leicester Square, has been appointed as…
Image Provided by Codelocks

New Surface Latch from Codelocks

Codelocks is expanding its Gate Solutions by Codelocks range with the introduction of the new Codelocks’ Surface Latch…
Image provided by Genetec

Nicholas Smith to Lead Genetec UK and Ireland Operations

Genetec, provider of enterprise physical security software, announced the appointment of Nicholas Smith as its new Regional Sales Director…

News Desk

View all the latest, product, project and people news

News Desk

Click Here

Technology News

Keep up-to-date with the latest product innovation

Technology News

Click Here

Industry Sectors

Discover technology in action in all applications

Industry Sectors

Click Here

Enter The Awards

Showcase personal or organisation excellence

Advertise With Us

Reach decision makers and amplify your marketing

Advertise With Us

Click Here
Scroll to Top