Angler Exploit Kit Introduces New Trick

The Angler Exploit Kit has quickly become one of the most powerful, advanced and notorious exploit kits on the market, surpassing even the Blackhole exploit kit that caused so much damage to PCs in past years. Angler carries an assortment of exploits, including the occasional zero-day, for popular browser plugins such as Java, Microsoft Silverlight and Adobe Flash. Once a vulnerable plugin is found in a visitor's browser, Angler drops its chosen malicious payload onto the target computer without any click from the user, a technique known as a drive-by download.

When it succeeds, a drive-by download shows the victim nothing out of the ordinary, and the malware it installs can be used for a variety of nefarious purposes. Popular payloads include banking Trojans such as Zeus or Citadel, keyloggers, and ransomware such as CryptoLocker. As if Angler were not dangerous enough, its operators have recently added a new technique to the kit's bag of tricks. This technique, known as "domain shadowing", is being called the next evolution in cybercrime by security researchers. Although domain shadowing was first observed in 2011, its use in the Angler Exploit Kit marks the first time the technique, which uses stolen domain-registrant logins to create subdomains under legitimate domains, has been used specifically to distribute malware more efficiently.

The operators behind this iteration of Angler have been stealing domain registrant credentials and using them to create thousands of subdomains under legitimate, often long-established domains. Because the parent domain keeps its good reputation, these subdomains pass reputation-based filtering. They are then used in a "hit and run" fashion: each subdomain is live only briefly, redirecting victims to the exploit landing page where malicious payloads are downloaded to their PCs without their knowledge or consent, after which the attackers rotate to the next one.
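The pattern just described leaves a footprint in passive-DNS or zone data that defenders can hunt for. The script below is an added example written for this page, not code from PCrisk or from Cisco Talos; the passive-DNS records, the example.com and example.net domains, the IP addresses and every threshold in it are constructed assumptions. It groups observations by registered domain and flags a domain when a burst of random-looking subdomains, created within a short window, resolves to addresses different from where the apex and www records point, which is what a legitimate domain looks like once its registrar account is being abused for shadowing:

```python
"""Flag likely domain shadowing in a batch of passive-DNS observations.

Added example for this article, not PCrisk's or Cisco Talos's code. The record
format, the sample data and all thresholds are constructed assumptions; a real
deployment would read passive DNS or registrar audit logs and use the public
suffix list (not the last two labels) to find the registered domain.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed observations: (first_seen ISO timestamp, fqdn, A record).
# example.com models a registrant account with stolen credentials: apex and www
# still point at the legitimate host, while a burst of random subdomains points
# at a handful of attacker-controlled addresses. example.net is benign.
SAMPLE_RECORDS = [
    ("2015-03-01T08:00:00", "example.com", "203.0.113.10"),
    ("2015-03-01T08:00:00", "www.example.com", "203.0.113.10"),
    ("2015-03-02T10:15:00", "k7fd2q.example.com", "198.51.100.5"),
    ("2015-03-02T10:17:00", "zx91pw.example.com", "198.51.100.5"),
    ("2015-03-02T10:20:00", "q3nm8v.example.com", "198.51.100.6"),
    ("2015-03-02T10:22:00", "tb55hr.example.com", "198.51.100.5"),
    ("2015-03-02T10:30:00", "vv2l9c.example.com", "198.51.100.6"),
    ("2015-03-02T10:41:00", "p0oxd4.example.com", "198.51.100.5"),
    ("2015-03-01T08:00:00", "example.net", "203.0.113.20"),
    ("2015-03-01T08:00:00", "www.example.net", "203.0.113.20"),
    ("2015-03-01T08:00:00", "mail.example.net", "203.0.113.21"),
    ("2015-03-03T09:00:00", "blog.example.net", "203.0.113.20"),
]


def registered_domain(fqdn):
    """Naive registered-domain extraction (last two labels). Assumption: adequate
    for the .com/.net samples here; use the public suffix list for co.uk etc."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, entropy_threshold=2.5):
    """Heuristic (assumption): a label is machine-generated-looking if it mixes
    letters and digits, or its character entropy exceeds the threshold. Ordinary
    labels such as 'www', 'mail' or 'blog' fall below both tests."""
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    return (has_digit and has_alpha) or label_entropy(label) >= entropy_threshold


def analyze(records, min_subdomains=5, window_hours=24):
    """Return {registered_domain: report} for domains showing the shadowing
    pattern: at least min_subdomains random-looking subdomains, first seen within
    window_hours of each other, resolving away from the apex/www hosting.
    Both thresholds are assumptions to tune against your own data."""
    by_domain = defaultdict(list)
    for first_seen, fqdn, ip in records:
        by_domain[registered_domain(fqdn)].append(
            (datetime.fromisoformat(first_seen), fqdn.lower(), ip))

    flagged = {}
    for domain, rows in by_domain.items():
        legit_names = (domain, "www." + domain)
        apex_ips = {ip for _, fqdn, ip in rows if fqdn in legit_names}
        subs = [(t, f, ip) for t, f, ip in rows if f not in legit_names]
        # Shadow subdomains point somewhere the legitimate site does not.
        divergent = [(t, f, ip) for t, f, ip in subs if ip not in apex_ips]
        random_labels = [f for _, f, _ in divergent if looks_random(f.split(".")[0])]
        if len(divergent) < min_subdomains or len(random_labels) < min_subdomains:
            continue
        times = sorted(t for t, _, _ in divergent)
        span_hours = (times[-1] - times[0]).total_seconds() / 3600
        if span_hours > window_hours:
            continue
        flagged[domain] = {
            "shadow_subdomains": sorted(f for _, f, _ in divergent),
            "attacker_ips": sorted({ip for _, _, ip in divergent}),
            "legit_ips": sorted(apex_ips),
            "burst_hours": round(span_hours, 2),
        }
    return flagged


if __name__ == "__main__":
    for domain, report in analyze(SAMPLE_RECORDS).items():
        print(domain, report)
```

On the constructed data only example.com is flagged: six random-looking subdomains created inside a 26-minute window, all resolving to 198.51.100.5 or 198.51.100.6 while the real site sits on 203.0.113.10. The "divergent IP" test matters more than the entropy test; shadowing subdomains are placed on attacker infrastructure, so a label that looks random but resolves to the legitimate host is usually a CDN or tracking record, not an attack.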

According to Cisco security researcher Nick Biasini, domain shadowing that uses compromised registrant credentials is the "most effective, difficult to stop technique used by hackers to date." It is also extremely difficult to track down the criminals behind these attacks, because the compromised accounts appear to be chosen at random.


In other words, there is no way to predict which domains will be abused next. Although any domain owner could be affected, Cisco researchers found that most of the compromised accounts belong to GoDaddy customers. At the time of writing, as many as 10,000 malicious subdomains had been discovered under domains registered through the popular registrar and hosting provider.

This might suggest some sort of breach at GoDaddy, but considering that the company handles almost 33% of all domains on the Internet, the skew may simply reflect the sheer number of people who register domain names there. Registrant credentials can be stolen from the account holders themselves, for example through phishing, without any compromise of the registrar.

The single most important defence against Angler is to install OS and third-party application updates as soon as they are released: most of the kit's exploits target vulnerabilities that already have patches, and a fully patched browser and plugin set closes those avenues entirely. This is especially important for browser plugins like Silverlight, Java and Flash, which are the easiest targets for Angler or any other exploit kit released this year. Because Angler has also used genuine zero-day exploits, patching alone is not enough: uninstall plugins you do not need, set the rest to click-to-play so they never run automatically, and keep the browser itself current. Domain owners, for their part, should protect registrar accounts with a unique password and two-factor authentication where the registrar offers it, and periodically check their DNS zone for subdomains they did not create.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behaviour of various malicious applications.

The PCrisk security portal is brought to you by RCS LT. The combined efforts of its security researchers help educate computer users about the latest online security threats.
