SECURITY EVANGELIST

Our team has recently monitored and analysed a new stack of drive-by campaigns which aim to spread the Angler exploit kit by injecting malicious code into compromised web pages.

Because of the mechanisms involved and the attackers’ objectives, the campaign is likely to achieve wide distribution and affect a large number of PCs and their users.


Stages of infection

The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Command & Control (C&C) servers run by the attackers.

The purpose of this action is to abuse legitimate access credentials for web servers and the CMS systems used by websites, and to inject the malicious script into those websites so that the campaign achieves the largest possible distribution.

In the second phase, the drive-by campaign unfolds: the victim is redirected from the legitimate website, which has been compromised, to a heap of dedicated domains that drop the infamous Angler exploit kit.

The Angler exploit kit will then scan for vulnerabilities in popular third-party software and in insecure Microsoft Windows processes, if the system hasn’t been updated. Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim’s system.

Here is a small selection of the websites that deliver the Angler exploit kit (sanitized by Heimdal Security):

poinformowano [.] websitesfortrainers [.] com
etailate-rebells [.] websitesfortrainers [.] com
gmackenziekorntunna [.] websitesfortrainers [.] com
nopeutunutta-Zeitschriftenverlag [.] websitesfortrainers [.] com
entelrgy [.] net
websites4all [.] net
ISV [.] isigmasystems [.] net
isigmasystems [.] net
swindlerskateboard [.] net
john grant [.] codes
tapdanceshoes [.] us
thesnoringowl [.] com
fiveleafvinyard [.] com
applegateweedworkers [.] com
getoor-riccibit [.] applegateweedworkers [.] com
assassinaviravate [.] applegateweedworkers [.] com
earthwar-mail data [.] applegateweedworkers [.] com
zeitsparendem-accidere [.] applegateweedworkers [.] com
embezzlementeconomicpolicy [.] applegateweedworkers [.] com
minnetonkauniversity [.] com
rhythmtapshoes [.] net
kontrollogikidiotyzm [.] rhythmtapshoes [.] net
destituaveram [.] Dothy [.] com

The campaign is extensive and it originates from a bulletproof hosting environment located in Ukraine. More than 100 web pages in Denmark have been injected with the malicious script, but the campaign is not limited to Europe.

In the last 24 hours, we have blocked more than 200 new domains which were used by attackers to spread CryptoWall 4.0 via Angler in this drive-by campaign.

Here is a diagram that illustrates the scale of this campaign, which is centered around six servers from the same provider in Ukraine.

[Diagram: drive-by campaign cluster, CryptoWall 4.0 via Angler]

That CryptoWall payload communicates with the following Bitcoin gateways (sanitized by Heimdal Security):

3wzn5p2yiumh7akj.partnersinvestpayto [.] Com / Npc5ea
3wzn5p2yiumh7akj.marketcryptopartners [.] Com / Npc5ea
3wzn5p2yiumh7akj.forkinvestpay [.] Com / Npc5ea
3wzn5p2yiumh7akj.effectwaytopay [.] Com / Npc5ea
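The two lists above (the Angler landing domains and the CryptoWall payment gateways) are published in defanged `[.]` form. As an added example, not code from the Heimdal post, the following Python script refangs a handful of those indicators into a blocklist and scans a constructed proxy log for contacts with them. Because the campaign, as the list shows, spreads across many subdomains of the same parent domain, the scan flags both exact host matches and any other subdomain of a listed apex. The proxy log lines and the `newsub` subdomain are constructed for the demo; the apex extraction is a naive last-two-labels rule and is not public-suffix aware, which is an assumption you would replace with a proper PSL library in production.

```python
import re
from urllib.parse import urlsplit

# A sample of the defanged indicators quoted in the post above (not the full list).
DEFANGED_INDICATORS = [
    "poinformowano [.] websitesfortrainers [.] com",
    "entelrgy [.] net",
    "kontrollogikidiotyzm [.] rhythmtapshoes [.] net",
    "3wzn5p2yiumh7akj.partnersinvestpayto [.] Com / Npc5ea",
]

# Constructed proxy log: "timestamp client method url status" per line.
# The host newsub.websitesfortrainers.com is invented to show apex matching.
SAMPLE_PROXY_LOG = """\
2015-12-01T10:02:11Z 10.0.0.21 GET http://www.example-news.dk/index.html 200
2015-12-01T10:02:13Z 10.0.0.21 GET http://kontrollogikidiotyzm.rhythmtapshoes.net/?q=1 200
2015-12-01T10:02:15Z 10.0.0.21 GET http://newsub.websitesfortrainers.com/landing.php 200
2015-12-01T10:03:40Z 10.0.0.21 POST https://3wzn5p2yiumh7akj.partnersinvestpayto.com/Npc5ea 200
2015-12-01T10:05:00Z 10.0.0.22 GET http://www.google.com/ 200
"""


def refang(indicator: str) -> str:
    """Turn 'a [.] b [.] c / path' into 'a.b.c/path' (lowercase, no spaces)."""
    host_part, _, path = indicator.partition(" / ")
    host = re.sub(r"\s*\[\.\]\s*", ".", host_part).strip().lower()
    host = host.replace(" ", "")  # drop stray spaces left by sanitization
    return f"{host}/{path.strip().lower()}" if path else host


def apex_of(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption, not PSL-aware)."""
    return ".".join(host.split(".")[-2:])


def build_blocklist(indicators):
    """Return (exact hosts, apex domains, full URLs) derived from defanged indicators."""
    hosts, apexes, urls = set(), set(), set()
    for ind in indicators:
        r = refang(ind)
        host = r.split("/", 1)[0]
        if "/" in r:
            urls.add(r)
        hosts.add(host)
        apexes.add(apex_of(host))
    return hosts, apexes, urls


def scan_log(log_text: str, hosts, apexes):
    """Flag log lines whose host is a listed host or a subdomain of a listed apex."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash
        ts, client, _method, url, _status = parts[:5]
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            reason = "exact host"
        elif apex_of(host) in apexes:
            reason = "apex match"
        else:
            continue
        hits.append({"ts": ts, "client": client, "host": host, "reason": reason})
    return hits


def demo():
    hosts, apexes, _urls = build_blocklist(DEFANGED_INDICATORS)
    return scan_log(SAMPLE_PROXY_LOG, hosts, apexes)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} ({hit['reason']})")
```

Apex-level matching is deliberate here: the post lists many throwaway subdomains under a few parent domains, so blocking only the exact hosts seen today would miss tomorrow's rotation. The trade-off is that an apex rule can also catch legitimate sites on shared parent domains, so review apex hits before turning them into automatic blocks.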

Let’s not forget that Angler continues to be the most widely used exploit kit, because of its capability to integrate Zero Day vulnerabilities and various exploits, but also because it can maintain a very low detection rate when it comes to traditional antivirus products.

[Image: Angler exploit kit statistics, 2015 Q3]

Antivirus detection is extremely low for this campaign, so we highly recommend that you follow a few simple steps to keep your system safe:

  • keep your system updated and always install the latest updates available for the apps you use
  • back up your data constantly and frequently
  • don’t keep any important piece of information on your computer
  • make sure you keep away from strange websites
  • do not open spam emails or emails you get from unknown senders
  • don’t download or open attachments in those emails
  • use products that can detect and block recent ransomware / Cryptoware variants which, as you’ve seen, can end up on your system without you downloading anything on purpose.


Conclusion

Attackers move fast: they are resourceful, they understand market trends, and they are able to capitalize on Zero Days and other vulnerabilities that plague victims’ PCs, no matter where in the world those victims are.

Not even a month has passed since we announced the advent of CryptoWall 4.0, with its improved communication and capabilities, and it is already being used in campaigns. Cyber criminals have a way of rapidly adopting new strains of malware that prove to be more effective and more productive in terms of return on investment.

Cyber security basics are still a great way to keep safe from ransomware and campaigns such as this one, but Internet users also need to find the security products that are capable of identifying these threats and blocking them before they reach the system. It’s an ongoing battle, but there’s no way to avoid it unless you want to stop using the Internet altogether.


Comments

I am very satisfied with HEIMDAL PRO. But I have difficulty getting the icon onto the screen so that I can use HEIMDAL PRO. So I reinstalled, not without hassle. In the end I had to start over and buy a new subscription, for two years, even though my subscription had not expired. But never mind, as long as I have HEIMDAL PRO. That is the absolutely most important thing. But now, afterwards, HEIMDAL offers a 20% discount on purchase. Isn’t that the world turned upside down? Kind regards, Steen Nielsen

Hi Steen! Sorry to hear about your issues. Please know you can always contact us at support@heimdalsecurity.com for any kind of help and information. We’re always here to help you make the most of your Heimdal product!
