This is a security alert for all TruShield clients and the community at large. TruShield has learned of recent developments in the distribution of the Angler Exploit Kit.
Two of the most common payload delivery methods employed by cybercriminals at present are malicious Office attachments with macros and malicious code in advertisements, known as “drive-by downloads”. The latter method is most often observed with exploit kits. One exploit kit that frequently uses this vector is the Angler EK, which has been in distribution since late 2013. Recently, however, several alterations have been seen, including a shift in the vector used by the Angler EK, along with an attack against a few well-known websites that served the Angler EK to visitors.
Alterations and Activities
The first phase of the recent alterations to the Angler EK is an email campaign that uses a subject line mimicking an online order confirmation. The emails contain links to websites with compromised content management systems that serve the Angler EK to victims. This instance of the Angler EK also attempts to infect systems with Dridex ID 122. The second phase is another email campaign built around a sales increase offer that imitates a legitimate business or a false invoice. The links it contains are used in a similar way, with added randomization and a wider variety of hostnames. These changes are not entirely new, nor is Dridex malware a new threat; rather, this represents a resurgence of tactics similar to those used previously. It is, however, very worthwhile to consider that this activity comes during the same week that noticeable Angler EK distribution activity was seen. That activity involved malicious advertisements using iframes to spread the Angler EK, served on the websites of two CBS-affiliated TV stations: WBTV in Charlotte, NC and KMOV in St. Louis, MO.
Assembling the Pieces
Although neither the exploit kit nor the malware itself is new, the widespread nature of both makes it important to watch shifting tactics carefully. This is especially true for the financial services industry, since Dridex is primarily known to target banks and financial institutions in North America. Tighter controls on email, such as only allowing approved vendor and customer domains, could be valuable. This also brings to the forefront the importance of educating users on multiple malicious tactics and how they may be altered to reduce suspicion and increase the odds of infection. Finally, the recent spread via malicious advertisements on well-known news websites is a reminder that a user’s trust in a website can be exploited by attackers, and that access to non-business-related sites should be blocked to reduce overall risk.
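The email control suggested above (only accepting mail and links from approved vendor and customer domains) can be reduced to a small gateway check. The following is an added example, not code from TruShield or from this alert; the sample message, the `example-shop.test` sender, the `compromised-cms.example` link host and the allowlist are all constructed placeholders, and the lure keywords are an assumption based on the subject lines described in the alert.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample modelled on the "order confirmation" lure described in the
# alert. Sender domain and link host are placeholders, not real indicators.
SAMPLE_EMAIL = b"""From: Orders <orders@example-shop.test>
To: user@corp.example
Subject: Your Order Confirmation #48213
Content-Type: text/plain; charset=utf-8

Thank you for your order. View your invoice here:
http://compromised-cms.example/track/?id=48213
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumed lure keywords, taken from the subject lines the alert describes.
LURE_SUBJECTS = ("order confirmation", "invoice", "sales", "offer")


def sender_domain(msg):
    """Extract the domain part of the From: address (lower-cased)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def link_hosts(text):
    """Collect the hostnames of every http(s) URL in the message body."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def assess_message(raw, allowed_domains):
    """Return (verdict, reasons) for a raw RFC 5322 message.

    verdict is "deliver" when sender and all link hosts are on the allowlist,
    otherwise "quarantine" with the reasons collected for the analyst.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    allowed = {d.lower() for d in allowed_domains}
    reasons = []

    dom = sender_domain(msg)
    if dom not in allowed:
        reasons.append(f"sender domain not on allowlist: {dom}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    unknown = sorted(h for h in link_hosts(text) if h not in allowed)
    if unknown:
        reasons.append("links to non-approved hosts: " + ", ".join(unknown))

    subject = msg.get("Subject", "").lower()
    if reasons and any(k in subject for k in LURE_SUBJECTS):
        reasons.append("lure-style subject combined with unapproved sender or links")

    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    verdict, why = assess_message(SAMPLE_EMAIL, ["corp.example", "vendor.example"])
    print(verdict)
    for r in why:
        print(" -", r)
```

The subject-line heuristic is deliberately only a secondary signal: it raises the priority of a message that already failed the domain check rather than blocking on wording alone, since legitimate vendors also send order confirmations and invoices.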
Indicators of Compromise
| SHA 256 Hash | Related IPs and Sites |
| --- | --- |
Mitigation and Prevention
- Do not open email that is unexpected or from unknown senders.
- Educate users on multiple malicious strategies and simple alterations.
- Use updated antimalware and antivirus products.
- Compare unknown files with known IOCs.
- Use application control software with a default-deny policy on executables.
- Isolate infected systems from the network.
- Monitor systems for registry or file changes.
- Keep systems patched with the latest updates.
- Continuously monitor network traffic for C&C communication.
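Comparing unknown files with known IoCs, as the list above recommends, amounts to hashing each file and looking the digest up in the indicator set. The following is an added example, not code from TruShield or this alert; the indicator set is a constructed placeholder (the alert's own SHA-256 values are not reproduced here) and the scanned directory is a temporary one created by the example itself.

```python
import hashlib
import os
import tempfile


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, read in chunks so large files are safe."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed placeholder for the advisory's SHA-256 indicator list; replace
# with the values from your threat feed. This is NOT a real Dridex/Angler hash.
KNOWN_BAD_SHA256 = {sha256_bytes(b"constructed-sample-payload")}


def scan_directory(root, ioc_hashes):
    """Walk root and return [(path, digest)] for files whose digest is an IoC.

    Unreadable files are skipped rather than aborting the scan, so a locked or
    permission-denied file does not hide matches elsewhere in the tree.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in ioc_hashes:
                hits.append((p, digest))
    return hits


def demo():
    """Build a throwaway directory with one matching and one benign file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "invoice.exe"), "wb") as f:
            f.write(b"constructed-sample-payload")  # matches the placeholder IoC
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"benign")
        return scan_directory(d, KNOWN_BAD_SHA256)


if __name__ == "__main__":
    for path, digest in demo():
        print(f"IOC match: {path} {digest}")
```

Hash matching only catches files identical to a known sample; the randomization and hostname variety noted above are exactly the kind of change that defeats it, so treat it as one layer alongside the behavioural controls (application control, registry and file monitoring, C&C traffic monitoring) in the list.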