When the Blackhole exploit kit went away after the arrest of its alleged creator and maintainer Paunch, there were questions about which kit would rise up as its successor.
It seems that the Angler exploit kit has ascended to the throne.
The most definitive evidence seems to be the constant updating of the kit with a bevy of zero-day exploits for Adobe Flash Player. Researchers at Cisco’s Talos group today published a report on the most recent Angler Flash zero day (CVE-2015-0311) discovered in the kit by French researcher Kafeine.
Cisco’s Nick Biasini said 1,800 domains have been compromised by this exploit, and have been used by five IP addresses: 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, and 188.8.131.52.
“These domains are associated with the landing page and exploits,” Biasini said. “None of the actual root domains appear to be compromised and are legitimately registered to owners.”
The latest Angler/Flash campaign hit its peak Jan. 28 and 29 with almost 1,400 infections over that 48-hour period before tapering off two days later.
“There are enough of these domains that some of them are only seen once before being abandoned. The majority of the compromised domains are registered through GoDaddy and it appears that 50+ accounts have been compromised,” he said. “Many of these accounts control multiple domains with some controlling 45+ unique domains.”
Cisco published a small sample of sub-domains involved in these attacks that were registered to one domain, all of them resolving to one IP address, Biasini said. Another set of subdomains, he said, act as the initial redirection page. The attackers are using malicious online advertisements to serve the exploits, with those pointing to compromised subdomains. Those sites redirect to another subdomain that serves up a landing page and either Flash or Microsoft Silverlight exploits, also included in the Angler kit.
Most of the hashes have low detection rates, Cisco said.
The latest Angler/Flash campaign hit its peak Jan. 28 and 29 with almost 1,400 infections over that 48-hour period. via @ThreatpostTweet
“This is another example of how Angler Exploit Kit continues to differentiate itself. It changes and evolves on a constant basis producing new variation on the existing exploits as well as providing enough customization on the recent vulnerability (CVE-2015-0311) to effectively avoid reliable detection,” Biasini said. “If the first month of 2015 is any indication, the Angler Exploit Kit could have a big year.”
Kafeine spotted the Flash zero day exploit code in Angler on Jan. 20, and it was installing click-fraud malware known as Bedep, also installed by older versions of Angler. Further analysis by researchers at Websense revealed that the zero-day exploit could inject malicious payloads into users’ browsers. The exploit code was hidden among several layers of obfuscation in order to keep it from being detected.
Adobe released a patch for customers who had enabled auto-update for Flash on the desktop on Jan. 24 before releasing an out-of-band patch two days later. On Monday, another unrelated Flash zero day, the third in two weeks was patched in another emergency update.