The Angler Exploit Kit has quickly become one of the most powerful, advanced, and notorious exploit kits on the market, beating out even the venerable Blackhole exploit kit that has caused so much damage to PCs in the past. Angler features an assortment of zero-day exploits specifically designed to penetrate popular browser plugins such as Java, Microsoft Silverlight, and Adobe Flash. Once a vulnerability has been found, Angler is capable of dropping assorted malicious payloads onto the target computer using a technique known as a drive-by download.
When done successfully, a drive-by download is completely undetectable by the PC or the victim and the malware installed as a result can be used for a variety of nefarious purposes. Popular payloads include banking Trojans such as Zeus or Citadel, keylogging software, and ransomware such as Cryptolocker. As if Angler wasn’t dangerous enough, it appears that hackers have recently added a new technique to the exploit kit’s bag of tricks. This new technique, known as “Domain Shadowing”, is being called the next evolution in cybercrime by security experts around the world. Although domain shadowing first appeared in 2011, its use in the Angler Exploit Kit marks the first time this technique – which uses user domain registration logins to create subdomains – has been used specifically to distribute malware more efficiently.
The hackers behind this new iteration of Angler have been actively stealing domain registrant credentials to create thousands of sub domains. These sub domains are consequently used in a “hit and run” style attack designed to redirect victims to malicious websites where dangerous payloads can be downloaded to their PCs without their knowledge or consent.
According to Cisco security researcher Nick Biasini, domain shadowing that uses compromised registrant credentials is the “most effective, difficult to stop technique used by hackers to date.” It is also extremely difficult to track down the cybercriminals behind these attacks because the compromised accounts are selected at random.
In other words, it’s impossible to figure out which domains will be used next. Although this technique could potentially affect any customer owning a domain, Cisco researchers have discovered that most of the compromised domains are linked to GoDaddy customers. At the time of this writing, as many as 10,000 malicious sub domains have been discovered on domains originally registered through the popular domain registrar and hosting service.
This could indicate some sort of breach at GoDaddy, but considering that the company controls almost 33% of all domains on the Internet, it may just be a coincidence stemming from the sheer number of people using GoDaddy to register domain names.
The only way to protect yourself from Angler is to ensure that the latest OS and third party application updates are installed immediately upon release since the exploit kit targets zero-day vulnerabilities. This is especially important for Web browser plugins like Silverlight, Java, and Flash as these are the easiest targets for Angler or any other exploit kits that may be released this year.