Security Alert: Angler EK Accounts for Over 80% of Drive-by Attacks in the Past Month
Cyber criminals’ favorite exploit kit is wreaking havoc across the web
Since the Angler exploit kit surfaced in 2013, it’s evolved into a massive threat for users and companies alike. Angler relies on a huge and resilient infrastructure to distribute all sorts of malware, and the exploit kit operations have been quite intense for the past months. But this new upsurge in Angler activity shows that the exploit kit could be getting even stronger.
High concentration of Angler EK domains in Romania
Angler’s success in the cyber criminal community is heavily reinforced by the aggressive tactics that the exploit kit employs. One of these tactics is using a domain generation algorithm to engineer high-volume compromises without being detected by signature-based security products (such as traditional antivirus).
In the past week, the observed Angler campaigns revealed that a large number of DGA domains are hosted in Romania. It’s no surprise that the malicious actors behind the exploit kit chose to host some of their infrastructure in South-Eastern Europe, since this is often the case with cyber criminals.
The analyzed Angler campaign also showed that domains under the .top top-level domain were used in the attacks. Here are some examples:
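As an added example (not code from the article or from the CSIS researchers), a small Python heuristic for triaging DNS logs for the kind of algorithmically generated hostnames described above. The sample hostnames are constructed to mimic the pattern the article describes (two random-looking labels under .top), not the campaign's actual indicators, and the scoring weights and threshold are my own assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample of hostnames from a DNS query log (not the article's
# indicators). The first three mimic the described pattern: two random-looking
# labels under .top. The rest are ordinary-looking names for contrast.
SAMPLE_HOSTS = [
    "q7xkd.z3bvw9p.top",
    "lm2fo.z3bvw9p.top",
    "xr8pwq.t0kqhz5.top",
    "www.example.com",
    "mail.example.org",
    "cdn.images.example.net",
]

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character for one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dga_score(host: str) -> int:
    """Heuristic score for algorithmically generated hostnames.

    One point per indicator (weights are an assumption): the .top TLD,
    letters and digits mixed in one label, a label with no vowels, and a
    near-uniform character distribution in a label of 5+ characters.
    """
    labels = host.lower().rstrip(".").split(".")
    tld, body = labels[-1], labels[:-1]
    score = 1 if tld == "top" else 0
    for label in body:
        if label == "www":
            continue
        if re.search(r"\d", label) and re.search(r"[a-z]", label):
            score += 1          # letters and digits mixed in one label
        if not re.search(r"[aeiou]", label):
            score += 1          # no vowels: unpronounceable label
        if len(label) >= 5 and shannon_entropy(label) > 2.75:
            score += 1          # almost every character is distinct
    return score

def flag_dga_hosts(hosts, threshold: int = 3):
    """Return hosts whose score meets the threshold, for analyst triage."""
    return [h for h in hosts if dga_score(h) >= threshold]
```

A score is a triage signal, not a verdict: short brand names with no vowels (such as "cdn") pick up a point, so confirm hits against passive DNS or registration age before blocking.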
Even though efforts to disrupt Angler’s infrastructure have been made towards the end of 2015, attackers are not planning to give up on their business, because there’s too much money involved:
Security researchers have taken on organised criminal gangs who have been using the notorious Angler Exploit Kit in malware campaigns stealing up to $3 million each month through ransomware attacks.
Angler targets companies in Northern Europe, exploits Flash and Silverlight
By leveraging their infrastructure, the cyber criminals behind Angler go for the most lucrative targets, which are often located in Northern or Western Europe, or in the US.
This also happened in the case of several Danish companies in the past few days. Attackers added a big chunk of new malicious domains to their attack, including this small section below:
In this recent campaign, Angler was distributed via malicious web injects in legitimate websites. This is how a drive-by download is set up, which is Angler’s favorite way of spreading.
The most insidious and dangerous thing about drive-by downloads is that they don’t require any user interaction for the infection to take place. So if an employee in a targeted company visits a website infected with the exploit kit, Angler will first go after vulnerabilities in Adobe Flash Player and Silverlight. And neither of these applications lacks security holes.
If Flash or Silverlight is left out of date, Angler will start feeding the infected PC with ransomware. This time it was Mobef, a new strain of ransomware which is still being analyzed by experts. Full data encryption follows, but not if the Windows-based PC comes from Russia or Kazakhstan. Mobef will check if the keyboard layout is Russian, and, if so, it won’t proceed to encrypt the data on the affected PC.
Fortunately, Mobef detection rates are quite good: 31/55 on VirusTotal.
Exploit kit-as-a-service leverages more ransomware and click-fraud to increase profits
There’s no doubt that Angler is the most widely used commercial exploit kit-as-a-service today. In fact, the numbers show that Angler accounted for over 80% of the active drive-by attacks observed in the past month! The main objectives for the notorious exploit kit are to infect as many computers as possible with infostealers and ransomware, to make money and increase their resources further.
An even newer Angler campaign uses the malicious web injects mentioned previously to infect Windows-based PCs with a combination of click-fraud malware (Bedep) and CryptXXX, a brand new ransomware strain.
The components of the attacks have low or very low antivirus detection:
Angler EK Flash exploit detection rate: 1/56 on VirusTotal.
Bedep antivirus detection rate: 11/56 on VirusTotal.
CryptXXX ransomware detection rate: 5/56 on VirusTotal.
This attack also uses domain shadowing and aims to exploit vulnerabilities mainly in Adobe Flash Player, which has had 79 vulnerabilities disclosed so far this year alone.
Bedep is then dropped on the infected server. What Bedep does is open a backdoor on the compromised server and redirect the traffic to Angler-laden pages by manipulating the contents of the users’ browsers. Pornographic content is mainly used for this attack, coupled with click-fraud, which promises to reward users financially if they click on banners on dubious websites. Click-fraud itself can also lead to additional malware being downloaded onto the already infected computer.
Some of these strange websites include the following examples:
To prove once again that Angler is used in sophisticated attacks, you should know that, in the next stage, CryptXXX ransomware is fed to the infected PC. Data encryption ensues, and the following files are also dropped on the computer:
These files include the necessary information for the victim to pay the ransom and get the decryption key.
Fortunately, cyber security experts have also moved fast and Kaspersky promptly released a decryption tool for CryptXXX, just a few days after the ransomware emerged.
In addition to encrypting the files on the PC, CryptXXX also exfiltrates data such as FTP and SSH usernames and passwords.
Unfortunately, as previously mentioned, antivirus detection for the exploit, Bedep and CryptXXX is quite low. Used together, they make the attack powerful and severely damaging.
Once again, Angler shows off its capability to deliver a variety of payloads, from ransomware (such as CryptXXX or CryptoWall 4.0) to backdoor Trojans and infostealers. Since this exploit kit is an unnerving threat to users and companies everywhere, the first step in protecting against it is to understand how it works and what it can do.
* This article features cyber intelligence provided by CSIS Security Group researchers.