Angler Exploit Kit Infrastructure Analysis – the Rundown You Need to Read
How cyber criminals grow their distribution network and how you can avoid their malicious reach
Angler has been a recurring and hard-hitting threat for the past year. Over 350 domains related to the Angler exploit kit infrastructure were blocked only yesterday. This analysis of the Angler EK activity reveals the most vulnerable app that Angler exploits and other relevant insights that can help you enhance your protection against it.
Security researchers have been actively monitoring the Angler infrastructure to identify patterns that could help vulnerable victims increase their defenses. The exploit kit has been especially active in the past 6 months, when it incorporated new malware types extremely fast. Such an example is when Angler started spreading CryptoWall 4.0 a very short while after the new ransomware type emerged.
Angler caused a huge amount of drive-by attacks that forcibly fed malware – financial, data-stealing or ransomware – to thousands of computers worldwide. Victims lost data and money, were extorted and discovered how vulnerable their systems were, unfortunately when it was too late to do anything about it.
Companies also suffered the consequences of Angler’s aggressive capabilities, showing a need for better patch management and proactive security.
From the analysis, we saw that Angler’s favorite target is Adobe Flash Player, the main culprit for so many automated attacks against computers running Windows. This observation is consistent with other investigations into Angler, which we presented in detail when we explained the exploit kit for everyone to understand.
The cyber criminals behind Angler moved dynamically through their two core techniques: domain hijacking and domain shadowing. This allowed them to constantly bring in new servers and IP addresses that could strengthen and grow their distribution network.
Below, you can see a compiled list of Angler exploit kit servers that were delivering malicious attacks against random targets at the time this article was published. The servers mentioned below host, on average, 13 malicious domains that all work as tier-1 Angler EK gateways. Of course, the sample below is just a small part of the infected servers.
One can roughly divide these servers into two categories:
1. Domains created with the purpose of delivering payloads.
Here is a sample of active IP addresses hosting the dedicated Angler domains (sanitized by Heimdal Security):
191.96.66 [.] 171
191.96.66 [.] 195
191.96.66 [.] 207
2. Legitimate domains which have been hijacked and subjected to domain shadowing.
Below you can find a range of active domains from this type of Angler exploit kit servers (sanitized by Heimdal Security). Note the use of the top-level .top domains.
vd7gww.eexih [.] top
ljsqt3.eniap [.] top
l32frsk.nhvvhd [.] top
joruh2n.xgwlff [.] top
cdlqq15.fdfwish [.] top
ceo2d8i.rpduad3 [.] top
vo1l.fatzvym8 [.] top
d2gw8.q0o4rg9vg3 [.] top
gtx.r6xpp036l9 [.] top
lf6.r6xpp036l9 [.] top
zao.r6xpp036l9 [.] top
gcxvf.veppdph1bh [.] top
v56j.vp5b245181m [.] top
Unlike the dedicated domains and servers reproduced above, more than 75% of Angler activity is based on hijacked domains and domain shadowing. Some of the IP addresses used as hosts for this type of Angler exploit kit traffic delivery are listed below (sanitized by Heimdal Security):
195.128.125 [.] 208
69.175.62 [.] 134
209.126.109 [.] 200
91.221.36 [.] 243
194.1.238 [.] 203
The use of hijacked domains and usage of the domain shadowing technique are obvious when looking at a sample of the domains pointing to one of the IP addresses mentioned above (sanitized by Heimdal Security):
swapdiskcontortionist.korepropertygroup [.] com.au
Suben-geblikoogde.w3dding [.] com
wallenius.gegillam [.] com
lammigstelandtjo.poolsherpa [.] com
desbandada.thedawnpaul [.] com
soldatoinbezitstelling.sixdegsnorth [.] com
pacificcadcam [.] com
ftp.pacificcadcam [.] com
abondadamente.tampabayboxing [.] com
aangelengde.aarpcedarpark [.] org
gw7edelmuetiger.clearmaxpool [.] info
eerstejaarsclubs.clearmaxpool [.] info
forsvundwoerterl.legacyinsurance [.] agency
kinderleichtenerepalme.legacyinsurance [.] agency
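The two categories above call for different blocking decisions: a dedicated .top domain can be sunk as a whole, while a shadowed domain belongs to a legitimate owner and only the injected subdomains should be blocked. The script below is an added example (not Heimdal Security's or CSIS's own tooling) that refangs the article's "[.]" notation, separates IPs from hostnames, splits each hostname into its registrable domain and subdomain prefix, and flags prefixes that look machine-generated. The sample input is a constructed subset of the indicators quoted above; the two-label suffix table, the benign-prefix list, the length/entropy thresholds and the RPZ-style output are assumptions, not anything the article specifies.

```python
"""Parse defanged Angler indicators and flag domain-shadowing candidates.

Added example; not Heimdal Security's or CSIS's tooling. It assumes the "[.]"
defanging notation used in the article and substitutes a tiny public-suffix
table for the real Public Suffix List.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of the sanitized indicators from the
# article, kept in the article's defanged form.
SAMPLE_INDICATORS = """\
191.96.66 [.] 171
191.96.66 [.] 195
vd7gww.eexih [.] top
gtx.r6xpp036l9 [.] top
lf6.r6xpp036l9 [.] top
zao.r6xpp036l9 [.] top
swapdiskcontortionist.korepropertygroup [.] com.au
pacificcadcam [.] com
ftp.pacificcadcam [.] com
gw7edelmuetiger.clearmaxpool [.] info
eerstejaarsclubs.clearmaxpool [.] info
"""

# Assumption: the only two-label public suffix in the sample. A real deployment
# should consult the Public Suffix List instead of a hand-written set.
MULTI_LABEL_SUFFIXES = {"com.au"}

# Assumption: hostnames a legitimate domain commonly serves; on their own they
# are not evidence of shadowing.
BENIGN_PREFIXES = {"", "www", "ftp", "mail", "smtp", "imap", "pop"}

# The dedicated Angler domains listed in the article all live under .top.
DEDICATED_TLDS = {"top"}

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def refang(line):
    """Convert 'a.b [.] c' into 'a.b.c' (lower-cased, whitespace trimmed)."""
    return re.sub(r"\s*\[\.\]\s*", ".", line.strip()).lower()


def is_ipv4(s):
    m = IPV4_RE.match(s)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def split_registrable(host):
    """Return (registrable_domain, subdomain_prefix) for a hostname."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    cut = len(labels) - (suffix_len + 1)
    return ".".join(labels[cut:]), ".".join(labels[:cut])


def shannon_entropy(s):
    """Bits per character; generated labels tend to score higher than words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(prefix):
    """Heuristic (assumed thresholds) for injected, machine-generated labels."""
    if prefix in BENIGN_PREFIXES:
        return False
    label = prefix.split(".")[0]
    mixed = bool(re.search(r"\d", label)) and bool(re.search(r"[a-z]", label))
    return len(label) >= 12 or mixed or shannon_entropy(label) >= 3.5


def analyze(text):
    """Group indicators into IPs, dedicated zones and shadowed-candidate hosts."""
    report = {"ips": [], "dedicated": defaultdict(list),
              "shadowed": defaultdict(list), "unflagged": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        host = refang(raw)
        if is_ipv4(host):
            report["ips"].append(host)
            continue
        base, prefix = split_registrable(host)
        if base.rsplit(".", 1)[-1] in DEDICATED_TLDS:
            report["dedicated"][base].append(host)
        elif looks_generated(prefix):
            report["shadowed"][base].append(host)
        else:
            report["unflagged"].append(host)
    report["dedicated"] = dict(report["dedicated"])
    report["shadowed"] = dict(report["shadowed"])
    return report


def rpz_rules(report):
    """DNS RPZ-style NXDOMAIN rules: whole zones for dedicated domains, but only
    the flagged hosts of shadowed domains so the legitimate site keeps working."""
    rules = [f"{base} CNAME ." for base in sorted(report["dedicated"])]
    rules += [f"*.{base} CNAME ." for base in sorted(report["dedicated"])]
    for base in sorted(report["shadowed"]):
        rules += [f"{h} CNAME ." for h in sorted(report["shadowed"][base])]
    return rules


if __name__ == "__main__":
    result = analyze(SAMPLE_INDICATORS)
    for base, hosts in result["shadowed"].items():
        print(f"{base}: {len(hosts)} generated subdomain(s) -> {hosts}")
    print("\n".join(rpz_rules(result)))
```

Note what the heuristic does not catch: `pacificcadcam.com` and `ftp.pacificcadcam.com` end up unflagged because a hijacked apex is indistinguishable from the legitimate site by name alone. That is the reason to treat the shadowed category as a list of specific hosts taken from a vetted feed, rather than to block the owner's entire registrable domain, and to pair name-based heuristics with the resolved-IP view the article gives (many unrelated domains suddenly resolving to one of the listed hosts).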
As a consequence, more than 350 domains related to Angler exploit kit activity were blocked yesterday alone. To illustrate how geographically widespread these servers are (with a small concentration in the Netherlands), here is a fresh heatmap of core centers in the Angler exploit kit infrastructure:
Unfortunately, antivirus detection is generally low in this type of attack, which poses a significant threat to businesses and public institutions in Europe and beyond.
We will soon publish an overview of proactive security measures that companies and public institutions can implement to protect themselves against the Angler exploit kit and the malware it spreads, so keep an eye on the blog.
*This article features cyber intelligence provided by CSIS Security Group researchers.