News Feature | August 25, 2015

Sophos Report Examines Angler Exploit Kit

By Christine Kern, contributing writer

Exploit kits have become widely adopted by criminals looking to infect users with malware. As a Sophos blog explains, in a process called a drive-by download, criminals silently redirect a user's browser to a malicious website that hosts an exploit kit. The kit then exploits vulnerabilities in the browser or its plugins to infect the machine with malware, without the user having to click or download anything.

According to Kaspersky Lab, the Angler exploit kit has already established itself as one of the most sophisticated kits available, and it is still evolving. It recently reported, "An attack aiming to infect POS [point of sale] systems was found using the Angler Exploit Kit to push a POS reconnaissance Trojan."

Recently, SophosLabs published a research article by Fraser Howard examining the Angler exploit kit and revealing its tactics and techniques. Angler first emerged in late 2013 and has grown to dominate the exploit kit scene in 2015, accounting for more than three-quarters of the malware infections caused by exploit kits, according to SophosLabs.

Howard says that the rise of Angler is due to several factors:

  • Quicker adoption of new zero-day exploits, including several recent Adobe Flash zero-days
  • Slicker marketing among criminals
  • Attractive pricing (better returns for the criminals paying for the kit)

Angler is also successful because it attempts to evade detection at every level:

  • Angler makes itself a moving target by rapidly switching the hostnames and IP addresses it uses.
  • Angler trades on (and ruins in the process) the online reputation of legitimate companies by piggybacking on their DNS, planting attacker-controlled subdomains under legitimate domains.
  • Angler mutates its attack components for each potential victim using a variety of encoding and encryption techniques that bypass naive content filters.
  • Angler hinders the security researchers tracking it with tricks such as obfuscation and anti-sandboxing.
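The first two evasion traits above (fast hostname/IP churn and malicious subdomains planted under legitimate domains) leave a trace in ordinary web proxy logs. The following is an added example, not code from the Sophos report or from Fraser Howard, of a simple detector over such logs: it baselines which hosts and IP addresses an organisation has already seen per parent domain, then flags a never-seen subdomain of a known domain that resolves to an IP unrelated to that domain, and a host whose resolved IP changes several times within a short window. The log format (`epoch client url resolved_ip`), the domains and the IP addresses are all constructed for the example, and the "parent domain equals last two labels" rule is a simplifying assumption (a real deployment would use a public suffix list).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines, format "<epoch> <client> <url> <resolved_ip>".
# These are not real Angler traffic; the domains use reserved example/documentation ranges.
BASELINE_LOG = [
    "1440460000 10.0.0.5 http://www.example-shop.com/index.html 203.0.113.10",
    "1440460005 10.0.0.7 http://www.example-shop.com/cart 203.0.113.10",
    "1440460010 10.0.0.5 http://cdn.example-news.org/a.js 198.51.100.20",
]
SUSPECT_LOG = [
    # a subdomain nobody has visited before, under a domain we do know, on a foreign IP
    "1440470000 10.0.0.5 http://qx7v.example-shop.com/landing 192.0.2.44",
    # the same host now resolves to a different IP two seconds later ...
    "1440470002 10.0.0.5 http://qx7v.example-shop.com/landing 192.0.2.45",
    # ... and to a third one: rapid rotation
    "1440470003 10.0.0.5 http://qx7v.example-shop.com/landing 192.0.2.46",
    # ordinary traffic to the legitimate site, which must not be flagged
    "1440470050 10.0.0.9 http://www.example-shop.com/index.html 203.0.113.10",
]

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one constructed log line into (epoch, client, hostname, resolved_ip)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, client, url, ip = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return int(ts), client, host, ip


def parent_domain(host):
    """Assumption: the registrable domain is the last two labels (no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_baseline(lines):
    """Record every host seen and the set of IPs each parent domain has resolved to."""
    known_hosts = set()
    parent_ips = defaultdict(set)
    for _, _, host, ip in map(parse_line, lines):
        known_hosts.add(host)
        parent_ips[parent_domain(host)].add(ip)
    return known_hosts, parent_ips


def flag_events(lines, baseline, window=60, max_ips=2):
    """Return (host, ip, client, reasons) for each log line that trips a heuristic.

    - 'shadowed-subdomain': host never seen before, its parent domain is known,
      and the IP is not one the parent domain has ever resolved to.
    - 'rapid-ip-rotation': the same host resolved to more than max_ips distinct
      addresses within `window` seconds.
    """
    known_hosts, parent_ips = baseline
    history = defaultdict(list)  # host -> [(epoch, ip)] seen so far in this pass
    alerts = []
    for ts, client, host, ip in map(parse_line, lines):
        reasons = []
        parent = parent_domain(host)
        if host not in known_hosts and parent in parent_ips and ip not in parent_ips[parent]:
            reasons.append("shadowed-subdomain")
        history[host].append((ts, ip))
        recent_ips = {i for t, i in history[host] if ts - t <= window}
        if len(recent_ips) > max_ips:
            reasons.append("rapid-ip-rotation")
        if reasons:
            alerts.append((host, ip, client, reasons))
    return alerts


if __name__ == "__main__":
    for host, ip, client, reasons in flag_events(SUSPECT_LOG, build_baseline(BASELINE_LOG)):
        print(f"{client} -> {host} ({ip}): {', '.join(reasons)}")
```

Two caveats a practitioner would add before running this on real data: the shadowed-subdomain rule only covers parent domains already present in the baseline, so a fully new attacker domain is missed by design (that is what reputation and threat-intel feeds are for), and legitimate sites fronted by CDNs also spawn fresh subdomains on unfamiliar IPs, so the two rules are better used as enrichment for a triage queue than as a blocking signal on their own.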

Find more information on the Sophos Blog in the post “A closer look at the Angler exploit kit.”