SECURITY EVANGELIST

Since the Angler exploit kit surfaced in 2013, it has evolved into a massive threat for users and companies alike. Angler relies on a huge and resilient infrastructure to distribute all sorts of malware, and the exploit kit's operations have been quite intense in the past few months. But this new upsurge in Angler activity shows that the exploit kit could be getting even stronger.

High concentration of Angler EK domains in Romania



Angler’s success in the cyber criminal community is heavily reinforced by the aggressive tactics that the exploit kit employs. One of these tactics is using a domain generation algorithm to engineer high-volume compromises without being detected by signature-based security products (such as traditional antivirus).

Definition:
A domain generation algorithm (DGA) is a computer program used by various malware families to generate a large number of domain names by producing slightly different variations of a base domain name. The generated domains are used to hide the traffic exchanged between infected machines or networks and the command and control servers.

In the past week, the observed Angler campaigns revealed that a large number of DGA domains are hosted in Romania. It’s no surprise that the malicious actors behind the exploit kit chose to host some of their infrastructure in South-Eastern Europe, since this is often the case with cyber criminals.

The specific Angler campaign that was analyzed also showed that domains under the .top top-level domain were used in the attacks. Here are some examples:

c2xcn.rf1uq3 [.] top
crzgl.k0dmymw [.] top
ddmgb.rf1uq3 [.] top
e52y8aw.pds5l6a179b [.] top
ktvvkp.pinlbx7 [.] top
l5efi.n1c0z4ft [.] top
l6si4.pkvcmh [.] top

Even though efforts to disrupt Angler's infrastructure were made towards the end of 2015, the attackers are not planning to give up on their business, because there is too much money involved:

Security researchers have taken on organised criminal gangs who have been using the notorious Angler Exploit Kit in malware campaigns stealing up to $3 million each month through ransomware attacks.

Source: Tripwire.


Angler targets companies in Northern Europe, exploits Flash and Silverlight



By leveraging their infrastructure, the cyber criminals behind Angler go for the most lucrative targets, which are often located in Northern or Western Europe, or in the US.

This also happened to several Danish companies in the past few days. The attackers added a big chunk of new malicious domains to their attack, including the small selection below:

ig4g88.rx9zm [.] top
m4833m.rx9zm [.] top
s79yvn.rx9zm [.] top
ljqre7.shk6ci [.] top
aca.yh3ec79e2 [.] top
nhw.yh3ec79e2 [.] top
oih.yh3ec79e2 [.] top

In this recent campaign, Angler was distributed via malicious web injects in legitimate websites. This is how a drive-by download is created, which is Angler's favorite way of spreading.

Definition:
A drive-by download is the unintentional download of a virus or malicious software (malware) onto your system. A drive-by download will usually take advantage of (or “exploit”) a browser, app, or operating system that is out of date and has a security flaw.

The most insidious and dangerous thing about drive-by downloads is that they don't require any user interaction for the infection to take place. So if an employee in a targeted company visits a website infected with the exploit kit, Angler will first go after vulnerabilities in Adobe Flash Player and Silverlight, and neither application lacks security holes.

If Flash or Silverlight is left out of date, Angler will start feeding the infected PC with ransomware. This time it was Mobef, a new strain of ransomware which is still being analyzed by experts. Full data encryption follows, but not if the Windows-based PC comes from Russia or Kazakhstan: Mobef checks whether the keyboard layout is Russian and, if so, it does not proceed to encrypt the data on the affected PC.

Fortunately, Mobef detection rates are quite good: 31/55 on VirusTotal.

[Image: Mobef detection rates, April 22 2016]

Exploit kit-as-a-service leverages more ransomware and click-fraud to increase profits



There’s no doubt that Angler is the most widely used commercial exploit kit-as-a-service today. In fact, the numbers show that Angler accounted for over 80% of the active drive-by attacks observed in the past month! The main objectives for the notorious exploit kit are to infect as many computers as possible with infostealers and ransomware, to make money and increase their resources further.

Definition:
Exploit kits-as-a-service are a recent business model employed by cyber criminals in which they create, manage and sell or rent exploit kits that are accessible and easy to use in cyber attacks. Exploit kits-as-a-service don't require much technical expertise to be used; they are cheaper (especially if rented), flexible and can be packed with different types of malware; they offer broader reach, are usually difficult to detect and can be used to exploit a wide range of vulnerabilities. This business model makes it very profitable for exploit kit makers to sell their malicious code and increase their revenues.

An even newer Angler campaign uses the malicious web injects mentioned previously to infect Windows-based PCs with a combination of click-fraud malware (Bedep) and CryptXXX, a brand new ransomware strain.

The components of the attacks have low or very low antivirus detection:

Angler EK Flash exploit detection rate: 1/56 on VirusTotal.

[Image: Angler detection rate, April 26 2016]

Bedep antivirus detection rate: 11/56 on VirusTotal.

[Image: Bedep detection rate, April 27 2016]

CryptXXX ransomware detection rate: 5/56 on VirusTotal.

[Image: CryptXXX detection rates, April 26 2016]

This particular attack is carried out by embedding obfuscated JavaScript code into pages served by compromised Apache web servers and redirecting the traffic from those servers to domains that spread Angler. Here is a small selection of these domains:

edgemake.ansonslaw [.] co.uk
palpavat.ansonslaw [.] co.uk
zdyskredytujeethnicit.ansonslaw [.] co.uk
oralement.ansonslaw [.] com
boekensteunaufgefis.ansonslaw [.] com

This attack also uses domain shadowing and aims to exploit vulnerabilities mainly in Adobe Flash Player, which had 79 vulnerabilities so far this year alone.

Definition:
Domain shadowing is a malicious tactic used by cyber criminals to build their infrastructure and launch attacks while remaining undetected. First, attackers steal and gather credentials for domain accounts. Using these stolen credentials, they log into the domain account and create subdomains which redirect traffic towards malicious servers, without the domain owner having any knowledge of this. Domain shadowing allows cyber attackers to bypass reputation-based filters and pass their malicious traffic as safe.
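A defender-side triage of the two tactics defined above (DGA domains and domain shadowing), written as an added example that is not part of the original post and not a tool from CSIS or anyone else: it refangs the defanged hostnames, groups them by registrable domain, and flags registrable labels that look machine-generated versus legitimate-looking domains that suddenly carry several unrelated subdomains. The tiny public-suffix table, the heuristic thresholds and the sample list (a few of the domains quoted above plus one constructed benign entry) are assumptions.

```python
from collections import defaultdict

# Constructed sample: defanged hostnames in the "label [.] tld" style used above.
# The last line is a made-up benign host for contrast.
OBSERVED = """
c2xcn.rf1uq3 [.] top
crzgl.k0dmymw [.] top
ddmgb.rf1uq3 [.] top
ig4g88.rx9zm [.] top
m4833m.rx9zm [.] top
s79yvn.rx9zm [.] top
edgemake.ansonslaw [.] co.uk
palpavat.ansonslaw [.] co.uk
zdyskredytujeethnicit.ansonslaw [.] co.uk
oralement.ansonslaw [.] com
www.example [.] com
"""

# Assumption: a tiny public-suffix table; a real tool would load the full list.
TWO_LEVEL_SUFFIXES = {"co.uk"}

def refang(host):
    """Turn 'a.b [.] top' back into 'a.b.top'."""
    return host.replace(" [.] ", ".").replace("[.]", ".").strip().lower()

def registrable(host):
    """Split a hostname into (registrable domain, list of subdomain labels)."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:]), labels[:-n]

def looks_random(label):
    """DGA-style label: digits mixed in, or (almost) no vowels."""
    vowels = sum(c in "aeiou" for c in label)
    return any(c.isdigit() for c in label) or vowels / max(len(label), 1) < 0.2

def classify(text, min_subdomains=3):
    """Map each registrable domain to a verdict based on the observed hosts."""
    subs = defaultdict(set)
    for line in text.strip().splitlines():
        reg, sub = registrable(refang(line))
        if sub:
            subs[reg].add(".".join(sub))
    verdicts = {}
    for reg, seen in subs.items():
        if looks_random(reg.split(".")[0]):
            verdicts[reg] = "dga-like"          # random registrable label
        elif len(seen) >= min_subdomains:
            verdicts[reg] = "shadowing-candidate"  # legit-looking, many new subs
        else:
            verdicts[reg] = "benign-looking"    # too few observations to flag
    return verdicts
```

With only one subdomain observed, ansonslaw.com stays unflagged even though the campaign used it too; the threshold trades false positives for coverage, so feed it as much passive DNS as you have.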

Bedep is then dropped on the infected server. What Bedep does is open a backdoor on the compromised server and redirect the traffic to Angler-laden pages by manipulating the contents of the users' browsers. Pornographic content is the main lure in this attack, coupled with click-fraud, which promises to reward users financially for clicking on banners on dubious websites. Click-fraud itself can also lead to additional malware being downloaded onto the already infected computer.

Some of these strange websites include the following examples:

mymomwantsflowers [.] com
lolworldclassid [.] com
restore vision-cool [.] mobi
rerobloketbo [.] com
tonthishessici [.] com

Proving once again that Angler is used in sophisticated attacks, in the next stage CryptXXX ransomware is fed to the infected PC. Data encryption ensues, and the following files are also dropped on the computer:

de_crypt_readme.bmp
de_crypt_readme.txt
de_crypt_readme.html

These files include the necessary information for the victim to pay the ransom and get the decryption key.

[Image: CryptXXX ransom payment instructions]

Fortunately, cyber security experts have also moved fast and Kaspersky promptly released a decryption tool for CryptXXX, just a few days after the ransomware emerged.

In addition to encrypting the files on the PC, CryptXXX also exfiltrates data such as FTP and SSH usernames and passwords.

Unfortunately, as previously mentioned, antivirus detection for the exploit, Bedep and CryptXXX is quite low. Used together, they make the attack powerful and severely damaging.


Conclusion


Once again, Angler shows off its capability to deliver a variety of payloads, from ransomware (such as CryptXXX or CryptoWall 4.0) to backdoor Trojans and infostealers. Since this exploit kit is an unnerving threat to users and companies everywhere, the first step in protecting against it is to understand how it works and what it can do.

* This article features cyber intelligence provided by CSIS Security Group researchers.
