Angler Exploit Kit – A Threat To Browsing the Web
July 27, 2015

Ever wondered how a ransomware cybercriminal makes money if he has to attack thousands of computers on thousands of different networks in hundreds of different countries?

News today is about “these data breaches”, “that sneaky malware” or “the latest new exploits”. Many attacks involve some or all of these components.

For a successful heist to take place, let’s say a bank robbery, careful planning goes into it. Time is spent on finding the right way to get into the bank without being caught. The crooks will need to map the way in and the escape route, and then launch their ‘attack’. This whole process may take weeks or months.

Robbery in the cyber world requires a similar sort of planning, but it covers a much wider area – multiple regions, if you will.

Coming back to the question at the beginning of this advisory, how does a cybercriminal cope with planning a crime of this magnitude? How does he put into play his whole exploit-breach-infect-cashout sequence on thousands of victims, one-by-one?

The answer is Exploit Kits (see Definition). This is where crooks offer cybercriminals what amounts to Crime-as-a-Service.

In simple terms, Exploit Kits are malware tools that are installed on a server and used to automate the process of forcing malware onto innocent victims. Nevertheless, exploit kits are more than just web-based tools for hacking computers automatically. It’s a whole malware distribution network – an exploit kit is to a ransomware extortionist what iTunes is to a musician, except that an exploit kit is illegal, and very often invincible.

There is a mix of activities involved with exploit kits – deciding on the best exploits, packaging them, attracting traffic, measuring what’s working, marketing the “service”, and seeing the money roll in. It’s easy money, but it is not a money-making scheme that I would recommend.

The leader of the pack in the exploit kit market is Angler. As the name suggests, it goes fishing for victims on behalf of cybercriminals.

[Figure: Angler Exploit Distribution]

The thing about the crooks behind Angler is that they’re not trying to infect you with zombies (see Definition), password stealers, ransomware and spyware. Their game plan is to use you to let other crooks do all those things to other people.

These people take your servers, your online reputation, and your bandwidth. They then rent these out to other crooks in order to infect unsuspecting victims.


Let’s look at Angler activity from a network point of view.

Angler makes use of fresh domain registrations. Like most exploit kits, it abuses free domain registration services, a tactic typical of the drive-by download attacks reported in a previous Extol Advisory. This is a widely used tactic among exploit kits.

Domain shadowing. In this process, the Angler exploit kit uses hijacked users’ domain accounts to create sub-domains. This is an effective attack vector, as most users don’t monitor their domain registrations regularly. These accounts are typically compromised through phishing.

In a nutshell, domain shadowing is the process of gathering domain account credentials to silently create sub-domains pointed at malicious servers without the knowledge of the actual owner.

[Figure: An example of domain shadowing]


A URL (Uniform Resource Locator) is a unique address for a file that is accessible on the internet. For example, the common way to get to a website is to enter the URL of its homepage file in your web browser’s address line. The components of the URL structure itself are useful for identifying malicious activity in web traffic. Angler, however, has taken steps to remove any identifying factors that might be easy to spot.
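The domain shadowing technique described above leaves a trace in web traffic: random-looking sub-domains of an otherwise legitimate domain that resolve to a server different from the one the domain’s own apex/www hosts use. The following Python example, added here and not part of the original advisory or the SophosLabs report, runs that check over a constructed proxy-log sample (client IP, requested host, resolved IP); the domain names, IPs and the "6+ mixed letters and digits" heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy-log sample (not real traffic): "client_ip host resolved_ip".
# example-news.test is the legitimate domain; three random-looking sub-domains
# point at a server that its apex/www hosts do not resolve to.
SAMPLE_LOG = """\
10.0.0.5 www.example-news.test 198.51.100.10
10.0.0.5 example-news.test 198.51.100.10
10.0.0.9 mail.example-news.test 198.51.100.11
10.0.0.7 a8f3kq.example-news.test 203.0.113.45
10.0.0.7 zx91pm.example-news.test 203.0.113.45
10.0.0.9 q7bnw2.example-news.test 203.0.113.45
10.0.0.5 www.shop-corp.test 192.0.2.20
10.0.0.5 cdn.shop-corp.test 192.0.2.21
"""

# Heuristic (assumed): a label of 6+ characters mixing letters and digits.
RANDOM_LABEL = re.compile(r"(?=.*[a-z])(?=.*\d)[a-z0-9]{6,}")

def registered_domain(host):
    """Naive apex = last two labels; real deployments should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def looks_random(label):
    """True when the sub-domain label matches the random-looking heuristic."""
    return RANDOM_LABEL.fullmatch(label) is not None

def find_shadowed_domains(log_text, min_suspicious=3):
    """Return {registered_domain: [suspicious hostnames]} for domains whose
    random-looking sub-domains resolve somewhere other than the apex/www hosts."""
    parent_ips = defaultdict(set)   # IPs seen for the apex and www hosts
    sub_hosts = defaultdict(set)    # (sub-domain label, resolved IP) per apex
    for line in log_text.splitlines():
        _client, host, ip = line.split()
        apex = registered_domain(host)
        sub = host.lower()[: -len(apex)].rstrip(".")
        if sub in ("", "www"):
            parent_ips[apex].add(ip)
        else:
            sub_hosts[apex].add((sub, ip))
    findings = {}
    for apex, pairs in sub_hosts.items():
        hits = sorted(f"{sub}.{apex}" for sub, ip in pairs
                      if looks_random(sub) and ip not in parent_ips[apex])
        if len(hits) >= min_suspicious:
            findings[apex] = hits
    return findings

if __name__ == "__main__":
    for apex, hosts in find_shadowed_domains(SAMPLE_LOG).items():
        print(f"possible domain shadowing under {apex}: {', '.join(hosts)}")
```

Flagged domains are a starting point for checking the registrar account and DNS zone with the owner, not proof of compromise on their own.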

For further information and analysis of Angler exploit kit, read this interesting report from SophosLabs.


Recommendation

1.  Remove software that exploit kits target, such as Flash, Internet Explorer and Silverlight.

2.  Apply patches as soon as they are available. Allow software to automatically check for and install updates. This prevents being hit by malware that exploits vulnerabilities for which patches already exist.

3.  Install security software. Such software should have technologies to filter inbound web content and should provide runtime protection. Anti-exploit tools do provide protection, but the level of protection can vary according to the vulnerability being exploited.


Definition

1.  Exploit Kit – a toolkit for exploiting security holes, primarily to spread malware. Exploit code is packaged in these toolkits, which target software such as Adobe Flash, Java, Microsoft Silverlight and Internet Explorer.

2.  Zombie – a computer connected to the Internet that has been compromised by a hacker or malware and can be used to perform malicious tasks remotely.


Source

1.  Naked Security (Sophos), including images.

2.  Cisco Blogs.


The Week That Was

1.  Italian surveillance company Hacking Team and Boeing built cyber-weaponised drones. Recently leaked internal emails revealed that the company developed a robotic aircraft designed to attack computers and smartphone devices through Wi-Fi networks. The drones were designed to carry out attacks that inject spyware into target computers or mobile devices via Wi-Fi.

2.  Android malware app slipped past Google Play’s security check. The app was designed by none other than Hacking Team. The Be News app seemed like a harmless news app designed to provide the latest news on bees and beekeeping. However, the real intent of the app was to install spyware onto unsuspecting users’ Android devices. This was revealed by the documents, source code and archives leaked when Hacking Team was hacked.

3.  Google, Yahoo and Facebook collaborate to blacklist bad bots. The three tech giants have joined hands to launch a new program meant to block fake web traffic by blacklisting flagged IP addresses. The new pilot program will reject traffic from web robots, or bots, by making use of a blacklist, cutting a significant amount of web traffic originating from within data centers.

4.  Google Chrome update delivers 43 security patches. The latest version, 44.0.2403.89, was released for Windows, Mac and Linux to address multiple vulnerabilities. These vulnerabilities could allow attackers to take control of an affected system.