Researchers report Angler Exploit Kit attacks have become more brazen and are now targeting top websites with new tricks that can evade browser-based antimalware protection.
Karl Sigler, a SpiderLabs researcher at Trustwave, told Threatpost his lab found the Angler Exploit Kit on a popular website for the second time in a week, exposing just under a million visitors monthly to possible TeslaCrypt ransomware infections. Sigler said Trustwave researchers spotted the exploit on Extendoffice[.]com, a site that sells software for customizing Microsoft Office applications.
A number of things stuck out as unique about this iteration of Angler Exploit Kit, according to Trustwave. One was the fact that attackers were targeting a destination site as opposed to a random webpage that had traffic driven to it via phishing attacks, Sigler said. According to site analysis tool Compete.com, Extendoffice attracted 963,000 unique visitors in January.
“That may not seem like a lot of traffic for a website, but for a watering-hole attack, they hit the jackpot,” Sigler said.
The site Extendoffice appears to be owned by China-based Addin Technology and did not reply to Threatpost’s requests for comment. Sigler said Trustwave also notified the site’s owner and its hosting company, alerting both to the vulnerability last week. He said the site was still attempting to distribute the Angler Exploit Kit as of Thursday. He said Trustwave received an email Friday from the site’s domain hosting firm claiming the vulnerability has been patched. Trustwave said it hasn’t verified that claim yet.
An outdated version of the content management system Joomla (version 3.4.3) was likely to blame for the vulnerability. Sigler said that in December Joomla released version 3.4.6 of its software, which plugged a known object injection remote command execution vulnerability in version 3.4.3.
Threatpost reported last week the SANS Institute’s Internet Storm Center has noticed that exploit kits are now targeting Joomla sites.
“It’s an unfortunate case where a fairly popular website was redirecting its visitors to the Angler Exploit Kit,” Sigler said. If successful, attackers dropped the TeslaCrypt ransomware on the victim machine, he said.
Sigler explained that because Angler exclusively targets Microsoft’s Internet Explorer, the attackers didn’t want to risk being discovered, or lose any “valuable” traffic, by serving the kit to visitors using Firefox or Google’s Chrome browser.
This method of obfuscation is so effective, Sigler said, that it is able to sneak past most of the 67 private scanning engines behind Google’s VirusTotal, a free service that analyzes URLs and flags malicious content detected by antivirus engines and website scanners.
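The selective delivery Sigler describes, where only Internet Explorer visitors are handed off to the kit, is something a site owner or incident responder can check for directly: request the same page with several User-Agent strings and compare which external scripts and iframes, and which inline scripts, each variant references. Content that appears only in the Internet Explorer response is what a cloaked injection looks like. The Python script below is an added example written for this article, not Trustwave's tooling or code from the report; the User-Agent strings, the `fetch_variants` helper, and the constructed sample responses with their `example.invalid` hostname are all illustrative assumptions.

```python
"""Detect User-Agent cloaking: compare the script/iframe content a page serves
to different browsers and report anything served to only one of them."""
import hashlib
import urllib.request
from html.parser import HTMLParser

# Illustrative User-Agent strings for the browsers the article mentions
# (constructed for this example, not taken from the article or the kit).
USER_AGENTS = {
    "ie11": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "chrome": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/48.0.2564.109 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; rv:44.0) Gecko/20100101 Firefox/44.0",
}


class _ScriptCollector(HTMLParser):
    """Collects external <script>/<iframe> sources plus a hash of each inline script."""

    def __init__(self):
        super().__init__()
        self.fingerprints = set()
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.fingerprints.add(f"{tag}:src:{attrs['src'].strip()}")
        # A <script> without src carries inline code; hash it so obfuscated
        # loaders are comparable across variants without storing the code.
        self._in_inline_script = tag == "script" and not attrs.get("src")

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            digest = hashlib.sha256(data.strip().encode()).hexdigest()[:16]
            self.fingerprints.add(f"script:inline:{digest}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def fingerprints(html):
    """Set of script/iframe fingerprints found in one HTML body."""
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.fingerprints


def fetch_variants(url, user_agents=USER_AGENTS, timeout=10):
    """Fetch the same URL once per User-Agent (hypothetical helper for live use).
    Returns {label: html_body}; run it from an isolated analysis host."""
    bodies = {}
    for label, ua in user_agents.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            bodies[label] = resp.read().decode("utf-8", errors="replace")
    return bodies


def find_cloaked_content(bodies):
    """Return {label: fingerprints served only to that User-Agent}."""
    per_variant = {label: fingerprints(body) for label, body in bodies.items()}
    cloaked = {}
    for label, fps in per_variant.items():
        served_to_others = set().union(*(v for k, v in per_variant.items() if k != label))
        unique = fps - served_to_others
        if unique:
            cloaked[label] = unique
    return cloaked


# Constructed sample responses: identical for every browser except that the
# IE visitor also receives a hidden iframe and a small inline loader. The
# hostname is a placeholder, not an indicator from the article.
BASELINE = """<html><head><script src="/media/jui/js/jquery.min.js"></script>
</head><body><h1>Products</h1></body></html>"""
IE_VARIANT = BASELINE.replace(
    "</body>",
    '<script>document.write("<div style=\\"display:none\\">");</script>'
    '<iframe src="http://landing.example.invalid/index.php"></iframe></div></body>',
)
SAMPLE_RESPONSES = {"ie11": IE_VARIANT, "chrome": BASELINE, "firefox": BASELINE}

if __name__ == "__main__":
    for label, fps in find_cloaked_content(SAMPLE_RESPONSES).items():
        print(f"{label}: content served only to this User-Agent")
        for fp in sorted(fps):
            print("   ", fp)
```

Run against a live site by replacing `SAMPLE_RESPONSES` with `fetch_variants(url)`. A hit does not prove compromise on its own (legitimate sites do vary markup per browser), but an extra iframe or an inline script that only Internet Explorer receives is exactly the pattern to pull the raw response for and hand to the hosting provider alongside the CMS version.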
February has been a busy month for the Angler Exploit Kit. Along with targeting small sites such as Extendoffice this month, the exploit kit also targeted Skype users via malicious ads and is now targeting vulnerabilities in Microsoft’s Silverlight.