The Many Paths to Angler

Over the past few months, we have seen Angler Exploit Kit activity increase across our observed telemetry. In some instances, Angler EK relies on redirects (also known as “gates”) to funnel victim traffic to its landing pages. In others, Angler EK does not use redirect techniques but instead sends victims directly from a compromised site to the landing page.

Redirects are URLs or specifically crafted websites that forward victims to the Angler EK landing page. They could provide Angler EK operators the functionality to:

• Obscure the source compromised site
• Prevent more than one redirect from a single IP
• Target specific regions
• Make automated analysis and tracking more difficult

There are four redirect methods in active use today. Most of these methods have been discussed in varying detail elsewhere. In this post, we will consolidate the knowledge and share additional details of each method used. And because Angler continues to send victims directly from a compromised site to landing pages, we will also explore that infection path and provide recent landing page IPs.

Angler Exploit Kit Activity

Angler EK activity decreased in October (hat-tip to Cisco) but rebounded in November based on our telemetry. Figure 1: Observed Angler landing page detections by month

EITest Redirect

Status: Active as of December 2015

URL Format: /page.php? id=4646BCDD83AB2C1F3AAE14BA34C1622E0EB31BE3B5E1632E19710D

Example of code on compromised site:

Figure 2: EITest redirect method compromised site code example

Called “EITest” by Malwarebytes due to the static id value in the html, this redirect method uses an Adobe flash file to filter victims based on certain criteria. If met, the victim is redirected to the Angler EK landing page.

The obfuscation function format embedded within the flash file recently analyzed (354206353ee3d4e7b279bc66a0727bcf) is different than the one from 2014. However, the criteria for Angler EK redirection (browser version) remains the same.

Below is the obfuscated ActionScript as well as the decoded iframe output.

Figure 3: Obfuscated ActionScript embedded in flash file

Figure 4: Deobfuscated ActionScript embedded iframe

As shown, if the criteria within the flash file is met, the victim will be redirected to the Angler EK landing page.

Figure 5: Redirect to Angler Exploit Kit

This method relies heavily on the use of non-standard TLDs:

Figure 6: Observed TLDs associated with this method in use since October 2015

Shadowed Redirect

Status: Active as of December 2015

URL Format: attendance.workforthis[.]com/law/lang.js

Example code on compromised site:

Figure 7: Shadowed Redirect method compromised site code example

As discussed here, this method relies on the initial iframe on the compromised site to send the victim to the redirect intermediary server. This server will respond with either an HTTP 200 and no content, HTTP 200 and an iframe redirecting to the Angler EK landing page, or HTTP 404 “Not Found” depending on a variety of circumstances.

Figure 8: Response if criteria not met for landing page redirect

If the client request meets the redirect criteria, they will be redirected to the Angler EK landing page.

Figure 9: Angler Exploit Kit landing page redirect

Dynamic DNS Redirect

Status: Active as of December 2015

Current IP(s): 46.161.2[.]73

URL Format: /wordpress/?bf7N&utm_source=le

Example code on compromised site:

 Figure 10: Dynamic DNS redirect method compromised site code example

This method relies on an iframe on the compromised host pointing to a dynamic DNS resource. This resource will then send the victim to the Angler EK landing page or respond with a 404 Not Found. Here are a few of the recent domains we’ve seen using this redirect method:

Figure 11: Dynamic DNS domain example

301/302 Location Redirect

Status: Active as of December 2015

Current IP(s): 185.104.8[.]50

URL Format: Various. This method uses HTTP 301 or 302 and the Location HTTP header to send the victim to the Angler EK landing page. Below is an example of the request and the 302 found with the Angler EK URL in the Location header.

 Figure 12: GET request and HTTP server response with Angler Exploit Kit landing page

Angler Exploit Kit Landing Page

Status: Active as of December 2015

Current IP(s): Various; see IOCs below

URL Format:

/civis/search.php?keywords=90qs9&fid0=6m.tm0x360w12 /civis/index.php?PHPSESSID=7o&action=0x7.012g1815k447rr05″

/civis/viewforum.php?f=46&sid=4u33g1448pw22s.4

/civis/search.php?keywords=36ez&fid0=0meicaot4b4jolntuyg8apov2p0wmvi95c5jasm2nob3z6bfh1s-zstibz1176ecs1tg3c5hey7va464mwmt05_sgl2txuo5 /forums/viewtopic.php?t=833l4&f=st41.285w9309da15577

/civis/viewforum.php?f=4tw&sid=cq0wn8h_nlvy-scudmqxytcnw9q88njk3e4nhw6xbvxloqxewoe5bu7e9fx2qf5ovv4poi7ud7covoeml0-sn_3n3bdtz4ym7

With this example, victims are redirected to Angler EK landing pages directly from compromised sites. In some cases, the iframe exists on the main page of the compromised site. In others, the main page refers to other site resources that eventually lead to Angler EK as shown below.

Figure 13: The main page of a compromised site pointing to the local “stats” resource

Figure 14: The “stats” resource with iframe to the local “/1/” subdirectory

Figure 15: /1/ directing victims to the Angler Exploit Kit landing page

The recent list of IPs hosting Angler EK landing pages for November and December is available for download to aid analysts in detecting related activity.

Angler Exploit Kit remains one of the most active exploit kits in use. Security analysts can improve their detection success rate by using combined network, analytic, and endpoint response platforms to stay ahead of this fast moving threat.

Fidelis Cybersecurity’s products detect the activity documented in this paper. Additional technical indicators are published to the Fidelis Cybersecurity github.

-The Fidelis Threat Research Team