Tag Archives: Angler EK Analysis

Angler Exploit kit breaks Referer chain using HTTPS to HTTP redirection

The author(s) behind Angler EK are known to release reliable exploits for Flash/IE and to use various techniques to break the logic that analysis products rely on for detection. Recently a security researcher blogged about a new technique used by … Continue reading

Posted in Exploit, Exploit Kit, Malware | 1 Comment

Angler EK update

Recent Angler EK versions use the following keys to decrypt the encrypted binaries.

    unsigned int keys[4] = {0x39525143, 0x75487832, 0x57645730, 0x79356332}; // IE exploit
    unsigned int keys[4] = {0x47763879, 0x33767545, 0x66706F58, 0x65443372}; // flash exploit (CVE-2015-0311)

Posted in Exploit, Exploit Kit | Leave a comment

Angler EK Update

New keys used in Angler EK in recent days. You can use these keys to decrypt the binaries downloaded through the various vulnerabilities.

    unsigned int IE_keys[4]  = {0x4A397544, 0x6B67424F, 0x477A6662, 0x46466D76}; // IE vuln
    unsigned int Sil_keys[4] = {0x73556246, 0x344D4A63, 0x4147736E, 0x59664365};

… Continue reading

Posted in Exploit Kit | Leave a comment

Digging deep into Recent Angler Exploit kit Fileless delivery

Recently ThreatGlass released a PCAP related to Angler Exploit kit from wira-ku.com. Looking into this, Angler EK has changed its obfuscation techniques to load its dropper from the exploit server. Let’s dig into this. The initial dropper is downloaded before … Continue reading

Posted in Exploit, Exploit Kit, Malware, Malware Analyzer, Shellcode, Windows | Leave a comment