The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over...
December 23, 2015
The Many Paths to Angler
Over the past few months, we have seen Angler Exploit Kit activity increase across our observed telemetry. In some instances, Angler EK relies on redirects (also known as “gates”) to funnel victim traffic to its landing pages. In others, Angler EK does not use redirect techniques but instead sends victims directly from a compromised site to the landing page.
Redirects are URLs or purpose-built websites that forward victims to the Angler EK landing page. They can give Angler EK operators the ability to:
Obscure the source compromised site
Serve no more than one redirect to a given source IP
Target specific regions
Make automated analysis and tracking more difficult
There are four redirect methods in active use today. Most of these methods have been discussed in varying detail elsewhere. In this post, we will consolidate the knowledge and share additional details of each method used. And because Angler continues to send victims directly from a compromised site to landing pages, we will also explore that infection path and provide recent landing page IPs.
Angler Exploit Kit Activity
Angler EK activity decreased in October (hat-tip to Cisco) but rebounded in November based on our telemetry.
Figure 1: Observed Angler landing page detections by month
EITest Redirect
Figure 2: EITest redirect method compromised site code example
Called "EITest" by Malwarebytes because of the static id value in the injected HTML, this redirect method uses an Adobe Flash file to filter victims against certain criteria. If the criteria are met, the victim is redirected to the Angler EK landing page.
The obfuscation routine embedded in a recently analyzed Flash file (MD5 354206353ee3d4e7b279bc66a0727bcf) differs from the one seen in 2014; however, the criterion used to decide on redirection to Angler EK (browser version) is unchanged.
Below is the obfuscated ActionScript as well as the decoded iframe output.
Figure 3: Obfuscated ActionScript embedded in flash file
Shadowed Redirect
Figure 7: Shadowed Redirect method compromised site code example
As discussed previously, this method relies on an initial iframe on the compromised site to send the victim to an intermediary redirect server. Depending on a variety of circumstances, that server responds in one of three ways: HTTP 200 with an empty body, HTTP 200 with an iframe pointing to the Angler EK landing page, or HTTP 404 Not Found.
Figure 8: Response if criteria not met for landing page redirect
If the client request meets the redirect criteria, the victim is redirected to the Angler EK landing page.
Dynamic DNS Redirect
Figure 10: Dynamic DNS redirect method compromised site code example
This method relies on an iframe on the compromised host pointing to a dynamic DNS resource. That resource then either sends the victim to the Angler EK landing page or responds with a 404 Not Found. Here are a few of the recent domains we have seen using this redirect method:
Figure 11: Dynamic DNS domain example
301/302 Location Redirect
Status: Active as of December 2015
Current IP(s): 185.104.8[.]50
URL Format: Various.
This method uses an HTTP 301 or 302 response with a Location header to send the victim to the Angler EK landing page. Below is an example request and the 302 Found response carrying the Angler EK URL in its Location header.
Figure 12: GET request and HTTP server response with Angler Exploit Kit landing page
Direct From Compromised Site
In this path, victims are sent to Angler EK landing pages directly from compromised sites, with no separate gate. In some cases the iframe sits on the main page of the compromised site; in others the main page refers to other resources on the same site that eventually lead to Angler EK, as shown below.
Figure 13: The main page of a compromised site pointing to the local “stats” resource
Figure 14: The “stats” resource with iframe to the local “/1/” subdirectory
Figure 15: /1/ directing victims to the Angler Exploit Kit landing page
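The behaviours described above (an iframe on the compromised site, a gate answering with an empty 200, a 200 with an iframe, a 404, or a 301/302 with a Location header, and a chain of local resources ending at an IP-hosted landing page) can be reconstructed from recorded HTTP transactions. The following is an added example, not code from this post or from Fidelis: it follows Location and iframe hops across a constructed transaction log, classifies each gate response, and flags chains that touch known gate or landing-page IPs. The hostnames (compromised.example, gate.example, news.example, cdn.example), the landing IP 192.0.2.10 and the transaction bodies are constructed; 185.104.8.50 is the 301/302 gate IP quoted above; the "multi-hop chain ending at an IP-literal host" heuristic is the example's own, not a rule from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# Indicator sets. 185.104.8.50 is the 301/302 gate IP from the post;
# 192.0.2.10 (TEST-NET) is a constructed stand-in for an entry from the
# landing-page IP list the post links to.
GATE_IPS = {"185.104.8.50"}
LANDING_IPS = {"192.0.2.10"}

IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


@dataclass
class Transaction:
    """One HTTP request/response pair as a proxy or sensor would record it."""
    url: str
    status: int
    headers: Dict[str, str]
    body: str


def classify_response(tx: Transaction) -> str:
    """Map a response to the gate behaviours described in the post."""
    if tx.status in (301, 302) and "location" in {k.lower() for k in tx.headers}:
        return "location"          # 301/302 Location redirect
    if tx.status == 404:
        return "not_found"         # gate declined with 404
    if tx.status == 200 and IFRAME_SRC.search(tx.body):
        return "iframe"            # 200 carrying an onward iframe
    if tx.status == 200 and not tx.body.strip():
        return "empty"             # 200 with no content (criteria not met)
    return "other"


def next_hops(tx: Transaction) -> List[str]:
    """Absolute URLs this response sends the browser to next."""
    kind = classify_response(tx)
    if kind == "location":
        loc = next(v for k, v in tx.headers.items() if k.lower() == "location")
        return [urljoin(tx.url, loc)]
    if kind == "iframe":
        return [urljoin(tx.url, src) for src in IFRAME_SRC.findall(tx.body)]
    return []


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_chains(txs: List[Transaction]) -> List[List[str]]:
    """Follow Location/iframe hops starting from every URL nothing else points to."""
    by_url = {t.url: t for t in txs}
    pointed_to = {hop for t in txs for hop in next_hops(t)}
    chains: List[List[str]] = []
    for entry in (t for t in txs if t.url not in pointed_to):
        frontier = [[entry.url]]
        while frontier:
            chain = frontier.pop()
            hops = next_hops(by_url[chain[-1]]) if chain[-1] in by_url else []
            hops = [h for h in hops if h not in chain]   # guard against loops
            if not hops:
                chains.append(chain)
            for h in hops:
                frontier.append(chain + [h])
    return chains


def assess(chain: List[str]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) for one reconstructed chain."""
    reasons = []
    for url in chain[1:]:
        host = urlparse(url).hostname or ""
        if host in GATE_IPS:
            reasons.append(f"hop to known gate IP {host}")
        if host in LANDING_IPS:
            reasons.append(f"hop to known landing-page IP {host}")
    last_host = urlparse(chain[-1]).hostname or ""
    # Heuristic of this example: landing pages in the post are hosted on bare IPs.
    if len(chain) >= 3 and is_ip_literal(last_host):
        reasons.append("multi-hop chain ending at an IP-literal host")
    return ("suspicious" if reasons else "benign"), reasons


# Constructed transactions modelled on the chains in the post; none of the
# hostnames are real indicators.
SAMPLE_LOG = [
    Transaction("http://compromised.example/", 200, {"Content-Type": "text/html"},
                '<html><body>hello<iframe src="/stats" width=1 height=1></iframe></body></html>'),
    Transaction("http://compromised.example/stats", 200, {"Content-Type": "text/html"},
                '<iframe src="/1/" style="display:none"></iframe>'),
    Transaction("http://compromised.example/1/", 200, {"Content-Type": "text/html"},
                '<iframe src="http://185.104.8.50/gate" width=1 height=1></iframe>'),
    Transaction("http://185.104.8.50/gate", 302, {"Location": "http://192.0.2.10/landing"}, ""),
    Transaction("http://192.0.2.10/landing", 200, {"Content-Type": "text/html"}, "<html>...</html>"),
    # Shadowed-redirect style gate that declined: HTTP 200 with an empty body.
    Transaction("http://blog.example/", 200, {}, '<iframe src="http://gate.example/r"></iframe>'),
    Transaction("http://gate.example/r", 200, {}, ""),
    # Ordinary page with an iframe and no onward hop.
    Transaction("http://news.example/", 200, {}, '<iframe src="http://cdn.example/ad.html"></iframe>'),
    Transaction("http://cdn.example/ad.html", 200, {}, "<p>ad</p>"),
]


def report(txs: List[Transaction]) -> List[Tuple[List[str], str, List[str]]]:
    return [(chain, *assess(chain)) for chain in build_chains(txs)]


if __name__ == "__main__":
    for chain, verdict, why in report(SAMPLE_LOG):
        print(verdict, " -> ".join(chain), why)
```

Feeding real proxy or sensor records into build_chains only requires populating Transaction objects; the IP sets would normally be loaded from the landing-page list the post provides rather than hard-coded.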
The recent list of IPs hosting Angler EK landing pages for November and December is available for download to aid analysts in detecting related activity.
Angler Exploit Kit remains one of the most active exploit kits in use. Security analysts can improve their detection rate by combining network, analytic, and endpoint response platforms to stay ahead of this fast-moving threat.
Fidelis Cybersecurity's products detect the activity documented in this post. Additional technical indicators are published to the Fidelis Cybersecurity GitHub.
-The Fidelis Threat Research Team