Statistics show that 80% of the active drive-by attacks observed over the past month can be attributed to the Angler exploit kit and its as-a-service rental model.
“Angler relies on a huge and resilient infrastructure to distribute all sorts of malware, and the exploit kit operations have been quite intense for the past months,” said the security specialist at Heimdal Security, Andra Zaharia.
Zaharia added that since the Angler exploit kit surfaced in 2013 it has evolved into a massive threat for users and companies alike. “But this new upsurge in Angler activity shows that the exploit kit could be getting even stronger.”
The security specialist also said that Angler’s success in the cyber-criminal community is heavily reinforced by the aggressive tactics the exploit kit employs, among them the use of a domain generation algorithm to run high-volume compromises without being caught by traditional antivirus.
A domain generation algorithm (DGA) is code, shared by the malware and its operator, that deterministically produces a large list of candidate domain names from a seed such as the current date. The operator registers only a handful of each day’s domains, while the infected machines try the list in turn until one resolves, so the command-and-control (C2) addresses change constantly and a static blocklist cannot keep up. The generated domains carry the traffic between the infected machines or networks and the C2 servers; they do not conceal that traffic so much as make its endpoints hard to pin down in advance.
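To make the mechanism concrete, here is a toy DGA together with the defender’s counter-move. This is an added example, not Angler’s algorithm and not Heimdal’s code: the SHA-256-based scheme, the date seed, the shared secret `example-seed`, the TLD pool and the DNS log format are all assumptions made for illustration. It goes one step beyond the paragraph above by showing why a recovered DGA stops being an evasion: once the algorithm and secret are extracted from a sample, the defender can compute the coming days’ domains ahead of the attacker and block or sinkhole them.

```python
# Toy domain generation algorithm (DGA) and the defender's counter-move.
# Added example: this is NOT Angler's algorithm; the hashing scheme, seed,
# secret, TLD list and log format are assumptions made for illustration.
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")          # assumed TLD pool


def _as_date(d):
    """Accept either a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def generate_domains(seed_date, count=20, secret="example-seed"):
    """Bot side: derive `count` candidate C2 domains for one day.

    Malware and operator share `secret` and the algorithm, so both compute
    the same list without any prior communication. The operator registers
    a few of them; each bot walks the list until one resolves.
    """
    seed = _as_date(seed_date).isoformat()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{secret}:{seed}:{i}".encode()).digest()
        # 12 bytes of the digest become a lowercase label (b % 26 is slightly
        # biased towards a-f, which is acceptable for a toy)
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start_date, days, **kwargs):
    """Defender side: once the algorithm and secret are recovered from a
    sample, every future day's domains can be computed ahead of time and
    blocked or sinkholed. Returns the set of domains for `days` days
    starting at `start_date` (inclusive)."""
    start = _as_date(start_date)
    blocked = set()
    for n in range(days):
        blocked.update(generate_domains(start + timedelta(days=n), **kwargs))
    return blocked


def flag_dns_queries(log_lines, blocklist):
    """Return (client_ip, domain) for each query that hits the blocklist.

    Log format is a constructed one for this example:
    '<timestamp> <client_ip> query <domain>'. Malformed lines are skipped.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            domain = parts[3].rstrip(".").lower()   # strip trailing root dot
            if domain in blocklist:
                hits.append((parts[1], domain))
    return hits


if __name__ == "__main__":
    today = "2016-05-20"
    blocklist = precompute_blocklist(today, days=7)
    generated = generate_domains(today)
    # constructed DNS log: one benign lookup, one lookup of a generated domain
    sample_log = [
        "2016-05-20T10:00:01 10.0.0.5 query heimdalsecurity.com",
        f"2016-05-20T10:00:02 10.0.0.7 query {generated[3]}.",
    ]
    print(flag_dns_queries(sample_log, blocklist))
```

The same property that makes a DGA resilient for the attacker (any bot can regenerate the list offline) is what makes it tractable for the defender once a sample has been reverse-engineered; in practice the precomputed list is pushed to DNS resolvers or a sinkhole, and the hits from a resolver log like the one above identify infected hosts by client address.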
Some Danish companies have felt the brunt of this in recent days, as the attackers added a large batch of new malicious domains to their campaign. In that campaign Angler was delivered through malicious web injects planted in legitimate websites, with drive-by infection as the goal.
“The most insidious and dangerous thing about drive-by downloads is that they don’t require any user interaction for the infection to take place,” explained Zaharia. “So if an employee in a targeted company visits a website infected with the exploit kit, Angler will first go after vulnerabilities in Adobe Flash Player and Silverlight. And neither of these applications lacks security holes.”
If Silverlight or Flash is out of date, Angler delivers ransomware to the compromised PC. In this case it was Mobef, a new strain of ransomware that is still being analysed by specialists. A similar campaign uses the same malicious web injects to infect Windows PCs with a combination of click-fraud malware (Bedep) and CryptXXX, a brand new ransomware family.
According to Heimdal, the Angler campaigns observed during the past week showed that a large number of the DGA domains are hosted in Romania, even though the criminals behind Angler go after the most lucrative targets, which are usually located in Northern or Western Europe or in the USA.
“Even though efforts to disrupt Angler’s infrastructure have been made towards the end of 2015, attackers are not planning to give up on their business, because there’s too much money involved,” Zaharia stated.
According to Tripwire, the organized criminal gangs using Angler are stealing up to $3 million each month through ransomware attacks. The barrier to entry is also low: exploit-kit-as-a-service offerings require little technical expertise, are cheap and flexible, and can be packed with different types of malware. They also offer broad reach, are usually hard to detect, and can be used to exploit a range of vulnerabilities.
“This business model makes it very profitable for exploit kit makers to sell their malicious code and increase their revenues,” Andra Zaharia concluded.