Researchers Disrupt Angler Exploit Kit Ecosystem, Derail $30M Ransomware Campaign

Researchers took a big step towards eradicating the Angler exploit kit, disrupting a large ransomware campaign connected to the kit that purportedly netted a hacker behind it more than $60 million annually.

Researchers took a big step towards eradicating the Angler exploit kit, disrupting a large ransomware campaign connected to it that purportedly netted a hacker more than $30 million annually.

According to a report published today, experts with Cisco’s Talos Security Intelligence and Research Group did a deep dive on the exploit kit over the summer and effectively nullified 50 percent of the exploit kit’s activity.

Angler has proved to be one of, if not the most sophisticated exploit kits on the market. Over the past year it’s been spotted pushing malware such as TeslaCrypt, AlphaCrypt, several iterations of CryptoWall, incorporating the latest Adobe and Internet Explorer exploits, and even using new ways to avoid detection and blocking.

In examining an Angler dataset from July 2015, Talos researchers were able to deduce that many of the proxy servers being used by Angler were located on servers that belonged to Limestone Networks, a hosting service based in Dallas.

While the two worked together to take those servers offline, Limestone was also able to provide Talos with disk images of the servers that were being used to carry out the malicious activity. Through this, the researchers were able to get a better idea of the campaign’s scope and scale, namely, how the attacker was able to monetize the malware.

Relying heavily on a proxy/server setup, in which one exploit server tells multiple proxy servers what to do, allowed the attacker to pivot and change the malware and deter the attacker from getting caught. In this case Talos observed one server connecting to 147 other proxy servers that obfuscated malicious traffic over the course of 30 days.

The way Talos sees it, Angler ultimately compromises 40 percent of users hit with exploits. Throughout the course of the month, each of the 147 servers compromised 3,600 users, or 529,000 systems total. If roughly three percent of users paid the ransom, the attacker Talos was watching walked away with a cool $3 million a month, or $34 million a year. If Talos and Limestone hadn’t taken the campaign down, the researchers predict Angler could have raked in $60M annually.

Dan Hubbard, CTO of OpenDNS, recently acquired by Cisco, notes that the smoke and mirrors proxy/server technique is still in the developmental stages, but it can be effective until the servers are dismantled.

“We’re seeing criminals build up these sophisticated proxy networks so they can scale linearly, much like a CDN or a real web service. Not only can any of these proxies be taken down without affecting service, but it allows them to obfuscate their true infrastructure,” Hubbard said at OpenDNS’ blog, “While you may think ‘that’s the command-and-control server,’ actually it’s not. It’s just an intermediary between the proxy servers and the real command-and-control or exploit server.”

According to OpenDNS, which breaks the numbers of the campaign down in an infographic, the campaign used 15,000 unique sites to push Angler, and 60 percent of the infections delivered either CryptoWall 3.0 or TeslaCrypt 2.0 to its victims.

Users running old, unpatched versions of Adobe Flash and Internet Explorer were common targets, especially those who frequently navigated to adult websites and obituary websites. Talos believes the attacker used obituary websites as a means to target the elderly, as conventional wisdom maintains they might prove more likely to use unpatched versions of IE and be susceptible to ransomware.

Angler, first identified back in 2013, has managed to really pick up steam over the past 12 months.

In March the kit began using a technique called domain shadowing, in which attackers use stolen domain registrant credentials to create lists of subdomains to either redirect victims to attack sites, or serve as hosts for malicious payloads.

The exploit kit added CryptoWall 3.0 in May, and repeatedly added new Flash vulnerabilities to its arsenal in 2015 — including one in January, May, and one in July, shortly after the Hacking Team breach was disclosed.

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually,” Talos researchers wrote of the takedown Tuesday.

Suggested articles