Angler Exploit Kit Infrastructure Analysis – the Rundown You Need to Read

Angler has been a recurring and hard-hitting threat for the past year. Over 350 domains related to the Angler exploit kit infrastructure were blocked only yesterday. This analysis of the Angler EK activity reveals the most vulnerable app that Angler exploits and other relevant insights that can help you enhance your protection against it.

Security researchers have been actively monitoring the Angler infrastructure to identify patterns that could help vulnerable victims increase their defenses. The exploit kit has been especially active in the past 6 months, when it incorporated new malware types extremely fast. Such an example is when Angler started spreading CryptoWall 4.0 a very short while after the new ransomware type emerged.

Angler caused a huge amount of drive-by attacks that forcibly fed malware – financial, data-stealing or ransomware – to thousands of computers worldwide. Victims lost data and money, were extorted and discovered how vulnerable their systems were, unfortunately when it was too late to do anything about it.

Companies also suffered the consequences of Angler’s aggressive capabilities, showing a need for better patch management and proactive security.

From the analysis, we saw that Angler’s favorite target is Adobe Flash Player, the main culprit for so many automated attacks against computers running Windows. This observation is consistent with other investigations into Angler, which we presented in detail when we explained the exploit kit for everyone to understand.

The cyber criminals behind Angler moved dynamically through their two core techniques: domain hijacking and domain shadowing. This allowed them to constantly bring in new servers and IP addresses that could strengthen and grow their distribution network.

Below, you can see a compiled a list of Angler exploit kit servers that were delivering malicious attacks against random targets at the time this article was published. The servers mentioned below host, on average, 13 malicious domains that all work as tier-1 Angler EK gateways. Of course, the sample below is just a small part of the infected servers.

One can roughly divide these servers into two categories:

1. Domains created with the purpose of delivering payloads.

Here is a sample of active IP addresses hosting the dedicated Angler domains (sanitized by Heimdal Security):

191.96.66 [.] 171
191.96.66 [.] 195
191.96.66 [.] 207

2. Legitimate domains which have been hijacked and subjected to domains shadowing.

Below you can find a range of active domains from this type of Angler exploit kit servers (sanitized by Heimdal Security). Note the use of the top-level .top domains.

vd7gww.eexih [.] top
ljsqt3.eniap [.] top
l32frsk.nhvvhd [.] top
joruh2n.xgwlff [.] top
cdlqq15.fdfwish [.] top
ceo2d8i.rpduad3 [.] top
vo1l.fatzvym8 [.] top
d2gw8.q0o4rg9vg3 [.] top
gtx.r6xpp036l9 [.] top
lf6.r6xpp036l9 [.] top
zao.r6xpp036l9 [.] top
gcxvf.veppdph1bh [.] top
v56j.vp5b245181m [.] top

Unlike the dedicated domains and servers reproduced above, more than 75% of Angler activity is based on hijacked domains and domain shadowing. Some of the IP addresses uses as hosts for this type of Angler exploit kit traffic delivery are listed below (sanitized by Heimdal Security):

195128125 [.] 208
69175.62 [.] 134
209126109 [.] 200
91221.36 [.] 243
194.1.238 [.] 203

The use of hijacked domains and usage of the domain shadowing technique are obvious when looking at a sample of the domains pointing to one of the IP addresses mentioned above (sanitized by Heimdal Security):

swapdiskcontortionist.korepropertygroup [.] com.au
Suben-geblikoogde.w3dding [.] com
wallenius.gegillam [.] com
lammigstelandtjo.poolsherpa [.] com
desbandada.thedawnpaul [.] com
soldatoinbezitstelling.sixdegsnorth [.] com
pacificcadcam [.] com
ftp.pacificcadcam [.] com
abondadamente.tampabayboxing [.] com
aangelengde.aarpcedarpark [.] org
gw7edelmuetiger.clearmaxpool [.] info
eerstejaarsclubs.clearmaxpool [.] info
forsvundwoerterl.legacyinsurance [.] agency
kinderleichtenerepalme.legacyinsurance [.] agency

As a consequence, more than 350 domains were blocked yesterday alone, which were related to Angler exploit kit activity. To illustrate how geographically widespread these servers are (with a small concentration in the Netherlands), here is a fresh heatmap of core centers in the Angler exploit kit infrastructure:

Unfortunately, antivirus detection is generally low in this type of attack, which poses a significant threat to businesses and public institutions in Europe and beyond.

We will soon publish an overview of proactive security measures that companies and public institutions can implement to protect themselves against the Angler exploit kit and the malware it spreads, so keep an eye on the blog.

*This article features cyber intelligence provided by CSIS Security Group researchers.