
Detection and Analysis of the Angler Exploit Kit

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

This post summarizes an HP ESP Global Services use case in which potential malware activity flagged in ArcSight ESM turned out to be a ransomware infection, reported as CryptoLocker, delivered by the Angler Exploit Kit. The affected user had visited a legitimate but compromised hotel website; injected JavaScript redirected the browser to an Angler landing page, where a Flash exploit ran and pulled down the payload. The ransomware encrypted the user's files, giving them the .ECC extension, wrote a HELP_RESTORE_FILES note into each affected folder and displayed a ransom pop-up on the desktop. The request for the web-hosted ransom note was blocked, and ArcSight content matching the Angler EK URL string pattern was used to detect and scope the infection.

Details:

Exploit kits and ransomware. An exploit kit is a web-hosted toolkit that fingerprints a visiting browser and serves exploits for known client-side vulnerabilities, typically in the browser itself or in plug-ins such as Flash; a successful exploit silently downloads and runs a payload of the operator's choosing. Ransomware is malware that restricts access to the infected system and demands payment to restore it; some families encrypt the victim's files, others merely lock the screen behind a payment demand. Angler was one of the most active exploit kits of 2014 and 2015 and a regular delivery vehicle for file-encrypting ransomware.

The alert. ArcSight ESM raised an alert for possible malware traffic from a user's workstation. The triggering rule condition matched a suspicious HTTP user-agent string in the web traffic. The analyst's initial investigation pointed to an Angler Exploit Kit infection that began at a compromised website or a redirect from one, and a conversation with the affected user confirmed the infection.

What the user saw. A ransom pop-up appeared on the desktop, every encrypted file carried the .ECC extension, and a HELP_RESTORE_FILES note had been written into each affected folder. The report names the ransomware CryptoLocker. Practitioners should note that the .ECC extension together with the HELP_RESTORE_FILES note are the hallmarks of the TeslaCrypt family, which imitated CryptoLocker's ransom screen and was widely reported under that name at the time; the naming does not change the response, but it matters when matching indicators to a family.

Infection chain. The user browsed a legitimate hotel website that had been compromised. JavaScript loaded from farmersdaughterhotel<.>com redirected the browser to an Angler landing page, which loaded a malicious Flash file that exploited a Flash Player vulnerability; the exploit then downloaded and executed the next stage with no user interaction. The report lists the remaining stages of the chain as they appeared in the proxy and ESM data:

1. **Ransomware payload download**: the exploit retrieved the ransomware executable from the kit's infrastructure and ran it.
2. **IP geolocation service**: the newly installed malware queried a public geo-IP service. This is the payload checking in and learning the victim's public IP address and country, not the defenders locating the attacker; it is a useful early indicator precisely because the request is made by the malware rather than by the browser.
3. **Tor (tor2web) site**: the malware contacted its command-and-control server, a Tor hidden service, through a tor2web gateway. Such gateways proxy .onion sites over ordinary HTTP, so the victim machine needs no Tor client and the traffic shows up in the corporate proxy logs, where the gateway hostnames are easy to match.
4. **Ransom note (blocked)**: the request for the web-hosted ransom note carrying the payment instructions was blocked, so the user could not reach the payment page from the corporate network. The files remained encrypted.
5. **ArcSight content**: the rules, filters and active lists used to raise the alert and investigate it.
6. **Angler EK string pattern**: the URL and host pattern that the ArcSight content matched to identify Angler landing-page traffic. This is a detection signature written by the defenders; it is not something the malware uses.

The underlying document carries Hewlett-Packard Development Company, L.P. copyright notices, consistent with an internal HP ESP use-case report. Taken together, the stages give a defender a timeline from the first redirect to the blocked ransom note and a set of network indicators (landing-page pattern, non-browser user-agent, geo-IP lookup, tor2web host) that can be turned into correlation content for the next infection.
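The chain above is what a correlation rule over web-proxy events can reconstruct. The following Python script is an added example written for this post; it is not the HP ArcSight content the report describes, and it does not reproduce the Angler URL pattern from the original report. It parses constructed web-proxy events in CEF (ArcSight's event format), tags each event with the chain stage it matches (a cross-site redirect onto the host that later served the .swf, the Flash file itself, a non-browser user-agent, a geo-IP lookup, a tor2web-style gateway host, and a blocked request to that host), and alerts on a source only when the exploit stage is followed by a post-exploitation beacon within a 30-minute window. The hostnames under .example, the IP addresses, the `dl/1.0` user-agent and the geo-IP host list are assumptions made for the example.

```python
"""Correlate web-proxy CEF events into an exploit-kit -> ransomware infection chain.

Added illustration, not the original report's ArcSight content. Every event below is
constructed; .example hosts are placeholders and 10.10.5.23 stands for the victim.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
HDR = "CEF:0|Acme|WebProxy|1.0|100|web request|3|"
SAMPLE_EVENTS = [
    # 10.10.5.23: the infected workstation, chain stages in order
    HDR + "rt=1428480000000 src=10.10.5.23 act=allowed request=http://compromised-hotel.example/rooms.html requestClientApplication=" + BROWSER_UA,
    HDR + "rt=1428480004000 src=10.10.5.23 act=allowed request=http://qwlk3.ek-landing.example/topic/viewtopic.php?t=9182 requestContext=http://compromised-hotel.example/rooms.html requestClientApplication=" + BROWSER_UA,
    HDR + "rt=1428480006000 src=10.10.5.23 act=allowed request=http://qwlk3.ek-landing.example/topic/blocks.swf requestContext=http://qwlk3.ek-landing.example/topic/viewtopic.php?t=9182 requestClientApplication=" + BROWSER_UA,
    HDR + "rt=1428480041000 src=10.10.5.23 act=allowed request=http://ipinfo.io/json requestClientApplication=dl/1.0",
    HDR + "rt=1428480049000 src=10.10.5.23 act=allowed request=http://abcdefghijk23456.tor2web.example/state.php requestClientApplication=dl/1.0",
    HDR + "rt=1428480900000 src=10.10.5.23 act=blocked request=http://abcdefghijk23456.tor2web.example/?id=9f3a requestClientApplication=" + BROWSER_UA,
    # 10.10.7.9: ordinary browsing plus a Windows CRL fetch with a non-browser UA (no alert expected)
    HDR + "rt=1428480010000 src=10.10.7.9 act=allowed request=http://news.example/story requestContext=http://search.example/ requestClientApplication=" + BROWSER_UA,
    HDR + "rt=1428480012000 src=10.10.7.9 act=allowed request=http://crl.example/root.crl requestClientApplication=Microsoft-CryptoAPI/6.1",
]

# Standard CEF extension keys used here: rt (receipt time, epoch ms), src, act,
# request (URL), requestContext (referrer), requestClientApplication (user-agent).
CEF_KEYS = ("requestClientApplication", "requestContext", "request", "act", "src", "dst", "rt")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+(?:%s)=|$)" % "|".join(CEF_KEYS))

# Assumed indicators: public geo-IP APIs the payload might query, and a 16-character v2
# onion name reached through a tor2web-style gateway (real gateways: tor2web.org, onion.to, ...).
GEOIP_HOSTS = {"ipinfo.io", "ip-api.com"}
TOR2WEB_RE = re.compile(r"^[a-z2-7]{16}\.(?:tor2web|onion)\.[a-z]+$")


def parse_cef(line):
    parts = line.split("|", 7)  # seven header fields, then the extension
    ev = dict(EXT_RE.findall(parts[7]))
    ev["time"] = datetime.fromtimestamp(int(ev["rt"]) / 1000, tz=timezone.utc)
    ev["host"] = urlparse(ev.get("request", "")).hostname or ""
    ev["path"] = urlparse(ev.get("request", "")).path.lower()
    ev["referrer_host"] = urlparse(ev.get("requestContext", "")).hostname or ""
    return ev


def classify(ev, swf_hosts):
    """Name the chain stages one event matches; swf_hosts = hosts that served a .swf to this src."""
    stages = []
    if ev["path"].endswith(".swf"):
        stages.append("flash_exploit")
    if ev["host"] in swf_hosts and ev["referrer_host"] and ev["referrer_host"] != ev["host"]:
        stages.append("landing_redirect")  # pivot from another site onto the exploit host
    if ev["host"] in GEOIP_HOSTS:
        stages.append("geoip_lookup")
    if TOR2WEB_RE.match(ev["host"]):
        stages.append("ransom_note_blocked" if ev.get("act") == "blocked" else "tor2web_c2")
    ua = ev.get("requestClientApplication", "")
    if not ua.startswith("Mozilla/"):
        stages.append("non_browser_ua")  # weak on its own: CryptoAPI, updaters etc. also do this
    return stages


def correlate(lines, window=timedelta(minutes=30)):
    """Return {src: sorted stages} for sources whose stages form an infection chain."""
    events = sorted((parse_cef(l) for l in lines), key=lambda e: e["time"])
    swf_hosts = defaultdict(set)
    for ev in events:
        if ev["path"].endswith(".swf"):
            swf_hosts[ev["src"]].add(ev["host"])
    first_seen = defaultdict(dict)  # src -> {stage: time first observed}
    for ev in events:
        for stage in classify(ev, swf_hosts[ev["src"]]):
            first_seen[ev["src"]].setdefault(stage, ev["time"])
    alerts = {}
    for src, stages in first_seen.items():
        t0 = min(stages.values())
        in_window = {s for s, t in stages.items() if t <= t0 + window}
        # Require the exploit stage plus at least one post-exploitation beacon.
        if "flash_exploit" in in_window and in_window & {"non_browser_ua", "geoip_lookup", "tor2web_c2"}:
            alerts[src] = sorted(in_window)
    return alerts


if __name__ == "__main__":
    for src, stages in correlate(SAMPLE_EVENTS).items():
        print(src, "->", ", ".join(stages))
```

The user-agent condition is deliberately treated as weak evidence: Windows components such as CryptoAPI fetch certificate revocation lists with non-browser user-agents, which is why the 10.10.7.9 source produces no alert even though one of its requests matches that stage. Only the combination of the Flash exploit with a later beacon from the same host is reported.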

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
