Angler adds new tricks to stay ahead of security researchers

Mar 1, 2016 17:49 GMT

The Angler Exploit Kit (EK) has been one of the most dangerous tools for mass exploitation of end users for years, and the group behind it appears determined to keep it that way.

An exploit kit is a Web-based application that fingerprints the browser and plugins (Flash, Silverlight, Java, and so on) of a site's visitors; if it finds an unpatched, vulnerable version, it serves an exploit for that flaw and uses it to install malware on the visitor's PC, with no click required beyond loading the page.

Angler was 2015's most used exploit kit, accounting for about 30% of all observed EK activity. Despite its high profile, security firms have failed to track down its creators, and in the first month of 2016 Angler, RIG, and Neutrino together drove a 75% rise in EK usage compared with the same period of last year.

Angler development continues as strong as ever

As Cisco Talos explains, the reason behind this EK's success is the constant stream of updates from its development team, which keeps it one step ahead of the countermeasures implemented by security vendors.

Some of the most recent tactics employed by Angler include domain shadowing (creating throwaway subdomains under legitimate domains using stolen registrar credentials), 302 cushioning (bouncing visitors through a chain of HTTP 302 redirects before the landing page), encrypted payloads, frequent landing page changes, and a quick turnaround on adding new exploits to the kit.

The last of these was on display only last week, when a recently disclosed Silverlight exploit was added to Angler, even though very few people still use Silverlight.

Recent Angler EK variants use extra landing page URLs and new TLDs

Talos reports that the most prominent change to Angler observed in the past weeks is a change in its landing page URL syntax. The landing page is the page that fingerprints the visitor's browser and plugins and serves the actual exploits.

In the past, this page could be recognised by a few clues in its URL, such as filenames like index.php, viewtopic.php, viewforum.php, and search.php, followed by a long string of seemingly random query parameters. New versions of Angler now also use the filenames view.php and viewthread.php.

While these details are of little help to regular users trying to avoid infection, the small changes have thrown many security products off Angler's trail, allowing it to go unnoticed in many attacks.

These are not the only changes: new Angler versions have also shifted to newer top-level domains (TLDs). In the past month, many Angler campaigns used TLDs such as .top, .space, .site, .accountant, and .pw, a change from earlier campaigns in which the malicious content was mostly hosted on .tk domains.
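The URL traits above (landing page filenames, long junk query strings, the newer TLDs) and the 302 cushioning mentioned earlier can be turned into a simple proxy-log hunt. The following Python scorer is an added example, not code from Talos or from the article; the log format, hostnames, thresholds and the requirement of at least two traits before a hit is raised are all assumptions made here. Note the caveat built into it: viewtopic.php and friends are ordinary phpBB paths, so a filename match on its own is deliberately not enough to flag a request.

```python
"""Hunt for Angler-style landing page requests in a Web proxy log.

Added example (not the article's or Talos's own code). The log lines below are
constructed for illustration and every threshold is an assumption.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Filenames the article reports in Angler landing page URLs.
LANDING_FILENAMES = {"index.php", "viewtopic.php", "viewforum.php",
                     "search.php", "view.php", "viewthread.php"}
# TLDs the article reports recent Angler campaigns moving to, plus the older .tk.
WATCHED_TLDS = {"top", "space", "site", "accountant", "pw", "tk"}
# Assumed thresholds for a "long string of random-looking query parameters".
MIN_QUERY_PARAMS = 6
MIN_QUERY_LEN = 120
# Assumed window: a landing hit this soon after a 302 suggests 302 cushioning.
REDIRECT_WINDOW = 5.0

# Assumed Squid-like format: "<epoch ts> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+"
                    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Constructed sample: a benign phpBB forum, an ad redirect followed by a .top
# landing page, and a shadowed subdomain of an otherwise legitimate .com.
SAMPLE_LOG = """\
1456789012.123 10.0.0.5 GET http://forum.example.org/viewtopic.php?f=3&t=12 200
1456789013.002 10.0.0.5 GET http://static.example.com/js/app.js 200
1456789020.500 10.0.0.9 GET http://ads.example.net/serve?id=42 302
1456789021.100 10.0.0.9 GET http://login.someshop.top/viewforum.php?EPHUUNn=V2PgQKj&g1ciUp=kg3OyU0&o2ImQ=ylSAewT&rHfV=jXFh5EJW&vPq=4uf3Q&wHkXs=2mP0Pe&zqA1=Nn4B 200
1456789030.000 10.0.0.5 GET http://downloads.example.com/setup.exe 200
1456789040.250 10.0.0.7 GET http://a3f9k.trusted-brand.com/viewthread.php?Zt5=Qh&kLm0=Xw9&p7Rz=A&vB=mn2&Yq3=rT&Hs8=Ko 200
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def tld_of(host):
    """Last DNS label of the host, lower-cased ('' if there is no dot)."""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def score_url(url):
    """List the Angler landing page traits present in a single URL."""
    parts = urlsplit(url)
    reasons = []
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in LANDING_FILENAMES:
        reasons.append(f"landing filename {filename}")
    tld = tld_of(parts.hostname or "")
    if tld in WATCHED_TLDS:
        reasons.append(f"watched TLD .{tld}")
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) >= MIN_QUERY_PARAMS or len(parts.query) >= MIN_QUERY_LEN:
        reasons.append(f"long query ({len(params)} params, {len(parts.query)} chars)")
    return reasons


def scan_log(text):
    """Return hits (url, client, reasons) for requests showing >= 2 traits.

    A single trait is too weak: the landing filenames are ordinary forum paths,
    and a newer TLD is not malicious by itself.
    """
    last_redirect = {}  # client ip -> timestamp of its most recent 302
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_url(rec["url"])
        prev = last_redirect.get(rec["client"])
        if reasons and prev is not None and rec["ts"] - prev <= REDIRECT_WINDOW:
            reasons.append("follows a 302 from the same client (possible cushioning)")
        if rec["status"] == 302:
            last_redirect[rec["client"]] = rec["ts"]
        if len(reasons) >= 2:
            hits.append({"url": rec["url"], "client": rec["client"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["url"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the constructed sample, the benign phpBB request on forum.example.org scores only the filename trait and is ignored, while the .top request (filename, TLD, long query, preceded by a 302) and the shadowed-looking subdomain on a .com (filename plus long query) are both raised. The TLD list and thresholds should be tuned to the environment; in particular, drop the TLD trait entirely if the campaign being hunted is known to rely on domain shadowing under ordinary .com domains.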

"This is yet another example of why Angler is the most sophisticated and prolific exploit kit active today," the Cisco Talos team explains. "They continue to be an effective conduit to compromising users and dropping ransomware, generating direct revenue for adversaries. We also noticed a marked increase in malvertising directing to exploit kits. This is a problem that is going to get worse before it gets better."