Newly adopted methods are more efficient at security evasion

Apr 6, 2015 15:53 GMT

The browser-based attack tool Angler Exploit Kit (EK) has evolved in the infection vectors it relies on: in recent incidents, its operators used two methods called “cushion attacks” and “domain shadowing,” which are distinct from the traditional ones.

Despite the new approaches, Angler EK continues to employ malvertising to redirect visitors with outdated browser plug-in versions (Adobe Flash Player in particular) to landing pages hosting it.

Non-traditional techniques used to redirect potential victims

Cushion attacks, or 302 Cushioning, do not require hidden iframes or external “script src” tags for the redirection. Those are most often seen in malvertising campaigns, where the malicious code is inserted, in an obfuscated form, into an advertisement.

Security researchers from Zscaler’s Threat Lab say that the attackers behind Angler perform an HTTP 302 redirect over the iframes, a tactic that bypasses detection of signature-based IDS/IPS (intrusion detection/prevention) systems.

The second technique, domain shadowing, consists of stealing the log-in credentials for a domain registration account and creating subdomains that redirect to the malicious code.

With access to domain registration accounts, which can be used for managing tens of domains, the cybercriminals can constantly change the malicious links and evade URL blacklists.
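The two techniques described above leave a recognizable trace in proxy logs: a chain of two or more 302 hops that ends on a subdomain of a legitimate domain that has never been seen before. The following detection script is an added example, not code from Zscaler or the article; every log line, hostname and the baseline of known subdomains is constructed for the demo.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: client, status, URL, then Location (3xx) or Content-Type (2xx).
LOG = """\
10.0.0.5 302 http://ads.example-adnet.net/serve?id=77 http://promo.legit-site.example/a1
10.0.0.5 302 http://promo.legit-site.example/a1 http://x7k2.legit-site.example/land.php
10.0.0.5 200 http://x7k2.legit-site.example/land.php application/x-shockwave-flash
10.0.0.6 302 http://www.legit-site.example/old http://www.legit-site.example/new
10.0.0.6 200 http://www.legit-site.example/new text/html
"""
# Hostnames already known per registered domain (e.g. from passive DNS); constructed.
BASELINE = {"legit-site.example": {"www.legit-site.example"}}
FLASH = "application/x-shockwave-flash"

def apex(host):
    # Registered domain, assuming a two-label apex (no public-suffix list here).
    return ".".join(host.split(".")[-2:])

def find_chains(log):
    """Follow each client's 302 hops from a chain head to its final URL and flag it."""
    hops, ctype = defaultdict(dict), {}
    for line in log.splitlines():
        client, status, url, extra = line.split()
        if status == "302":
            hops[client][url] = extra          # url -> Location
        elif status.startswith("2"):
            ctype[(client, url)] = extra       # url -> Content-Type
    findings = []
    for client, table in hops.items():
        targets = set(table.values())
        heads = [u for u in table if u not in targets]   # URLs nothing redirected to
        for start in heads:
            chain, url = [start], start
            while url in table and len(chain) < 10:       # cycle/length guard
                url = table[url]
                chain.append(url)
            host = urlparse(url).hostname
            reasons = []
            if len(chain) > 2:
                reasons.append("302-cushion")        # two or more 302 hops
            known = BASELINE.get(apex(host))
            if known is not None and host not in known:
                reasons.append("unseen-subdomain")   # shadowed-domain candidate
            if ctype.get((client, url)) == FLASH:
                reasons.append("flash-payload")
            if reasons:
                findings.append({"client": client, "chain": chain, "reasons": reasons})
    return findings
```

The second client's single hop between two known hostnames is not flagged, which is the point: the signal is the combination of a multi-hop 302 chain and a never-seen subdomain, not a 302 by itself.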

“These developments are notable since they show an evolving approach to exploit delivery. Angler has long used obfuscation and encryption on landing pages and payloads. Combined with cushioning and domain shadowing, Angler adds yet another layer of stealth for defenders to counter,” Zscaler says in a blog post.

The end goal is to deliver a banking Trojan

According to their analysis, Angler exploited CVE-2015-0336, a vulnerability in Flash patched by Adobe in mid-March.

The payload was an SWF file with a detection rate on VirusTotal of only 1 in 56 antivirus solutions. The scan was performed on Friday and results may have improved since then.

Researchers determined that the malware dropped on the victims’ computers was a banking Trojan belonging to the Carberp family. In this case, the malware has a much higher detection rate (31/57).

The researchers expect increased use of cushion attacks and domain shadowing, since the combination gives attackers a way to slip past the security policies enterprises enforce for scanning traffic, which rarely cover all URLs. A common approach today is to focus security only on URLs that present a higher risk.