Angler Exploit Kit is 50% down, a large ransomware campaign dismantled

Threatpost had a story last week describing a disruption of a large ransomware campaign connected to the Angler exploit kit. Experts from Cisco’s Talos security group “effectively nillified 50 percent of the exploit kit’s activity”.

Threatpost had a story last week describing a disruption of a large ransomware campaign connected to the Angler exploit kit. Experts from Cisco’s Talos security group “effectively nillified 50 percent of the exploit kit’s activity”.

Angler

Angler is a notorious exploit kit, considered to be one of the most sophisticated kits on the underground market.

It has some peculiar capabilities such as detecting virtual machines like VMware, VirtualBox, Parallels, etc. VMs are often used as honeypots and test beds by security researchers, and Angler’s authors have gone to great lengths to prevent their creation from being investigated. Angler detects a web debugging proxy called Fiddler, also popular among researchers. Once detected, the kit bolts immediately, so it is a really tough nut to crack for researchers.

Angler is one of the fastest kits to incorporate newly released zero-days. Its operators are probably searching for them extensively. Angler’s malware runs from memory, without having to write to the hard drives of its victims.

The kit is also closely associated with ransomware – CryptoWall 3.0 or TeslaCrypt 2.0 variants, namely.

Tango down, or…?

Now its wings have – more or less – been clipped. Its weak point appeared to be a hosting service where many of its proxy servers were located – Limestone Networks, based in Dallas, US.

Limestone provided researchers with disk images of the servers that were being used to carry out the malicious activity. It appeared that one server was connecting to 147 other proxy servers that obfuscated malicious traffic over the course of 30 days.

Over a month of monitoring, researchers saw each of those 147 servers compromising 3,600 users – 529,000 in total. Even if roughly 3% of users paid the ransom, Threatpost says, the attacker’s loot was up to $3 million a month.

The common targets were users of old, unpatched versions of Adobe Flash and Internet Explorer, especially those who frequented adult websites and – a nefarious detail – obituary websites. Researchers said they believe the attacker(s) used obituary websites as a means to target the elderly, as conventional wisdom maintains they might prove more likely to use unpatched versions of IE and be susceptible to ransomware.

You are welcome to choose a descriptive word of your liking for those attackers in the comments. My own is too unparliamentary for text like this.

Our colleagues from Talos did a grand job with Angler. Hopefully this kit will be dismantled completely one day, like Blackhole before it.

A solution for a problem

Exploit kits are a long-standing problem for end-users and businesses alike: the kits check the attacked system against a multitude of vulnerabilities – including the zero-days – and if any are discovered, infection promptly ensues.

Beating exploits requires behavior analysis. Malware programs may be plentiful and varied, but most of them have similar behavioral patterns.

Kaspersky Lab’s Automatic Exploit Prevention uses the information about the most typical behavior of the known exploits which helps to prevent infection even in the case of a previously unknown zero-day vulnerability exploit.

Exploits are quite often preload files prior to directly contaminating the system. Automatic Exploit Prevention monitors programs appealing to the network and analyzes the source files. If anything suspicious is going on, the appropriate traffic gets blocked.

Check this page to find out more about Automatic Exploit Prevention technology.

Tips