Angler Exploit Kit


This is a security alert for all TruShield clients and the community at large. TruShield has learned of recent developments in the distribution of the Angler Exploit Kit. 

Introduction

Two of the most common payload delivery methods employed by cybercriminals at present are malicious Office attachments with macros and malicious code in advertisements, or "drive-by downloads". The latter method has been observed most often with exploit kits. One exploit kit that has frequently used this vector is the Angler EK, which has been in distribution since late 2013. Recently, however, a few alterations, including a shift in the Angler EK's delivery vector, have been seen, along with an attack on a few well-known websites that served the Angler EK to visitors.

Alterations and Activities

The first phase of the recent alterations to the Angler EK is an email campaign that uses a subject line mimicking an online order confirmation. The emails contain links to websites with compromised content management systems that serve the Angler EK to victims. This instance of the Angler EK also attempts to infect systems with Dridex ID 122. The second phase of alterations is another email campaign, involving a sales increase offer that imitates a legitimate business or a false invoice. The links it contains are used for a similar approach, along with randomization and a wider variety of hostnames. These changes are not entirely new, nor is Dridex malware a new threat; rather, this represents a resurgence of tactics similar to those used previously. It is, however, very worthwhile to consider that this activity comes during the same week that noticeable Angler EK distribution activity was seen. This activity involved malicious advertisements using iframes to spread the Angler EK, served on two websites for CBS-related TV stations: WBTV in Charlotte, NC and KMOV in St. Louis, MO.

Assembling the Pieces

Although neither the exploit kit nor the malware itself is new, the widespread nature of both makes it important to watch shifting tactics carefully. This is especially true for those in the financial services industry, since Dridex is primarily known to target banks and financial institutions in North America. Tighter controls on email, such as only allowing approved vendor and customer domains, could be valuable. This also brings to the forefront the importance of educating users on multiple malicious tactics and how they may be altered to reduce suspicion and increase the odds of infection. Finally, the recent spread via malicious advertisements on well-known news websites is a reminder that a user's trust in a website may be exploited by attackers, and access to non-business-related sites should be blocked to reduce overall risk.

Indicators of Compromise


Mitigation and Prevention

  • Do not open email that is unexpected or from unknown senders.
  • Educate users on multiple malicious strategies and simple alterations.
  • Use updated antimalware and antivirus products.
  • Compare unknown files with known IOCs.
  • Use application control software with a base deny policy on executables.
  • Isolate infected systems from the network.
  • Monitor systems for registry or file changes.
  • Keep systems patched with the latest updates.
  • Continuously monitor network traffic for C&C communication.
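As an added example (not TruShield's code), the following Python applies two of the steps above, comparing file hashes with known IoCs and checking proxy traffic for indicator hosts, to constructed sample data. Indicators in alerts like this one are commonly published defanged ("[dot]" for "."), so the script refangs them first; the indicators, hash and log lines below are placeholders, not the values from this alert.

```python
import hashlib
import re

# Constructed, defanged placeholder indicators in "host[dot]tld:port" form;
# a trailing :port means only that port is indicative, no port means any.
DEFANGED_IOCS = [
    "203.0.113[dot]25:8080",
    "enroll.example-creditunion[dot]test:8080",
    "som.example-design[dot]test",
]
# Placeholder SHA-256 (hash of the bytes b"dropper-sample"), not a real IoC.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"dropper-sample").hexdigest()}

def refang(indicator):
    """Turn 'host[dot]tld:port' into ('host.tld', 'port' or None)."""
    host, _, port = indicator.replace("[dot]", ".").partition(":")
    return host.lower(), (port or None)

# Constructed proxy log lines: timestamp, client, method, url, status.
SAMPLE_LOG = """\
1462908000.123 10.0.0.5 GET http://enroll.example-creditunion.test:8080/ 200
1462908001.456 10.0.0.7 GET http://www.example.org/news 200
1462908002.789 10.0.0.9 POST http://som.example-design.test/gate.php 200
1462908003.012 10.0.0.5 CONNECT 203.0.113.25:8080 200
"""

# Optional scheme, then host (name or IPv4), then optional :port.
URL_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+)(?::(\d+))?")

def find_hits(log_text, iocs=DEFANGED_IOCS):
    """Return (client, host, port) for every log line touching an indicator."""
    matcher = {refang(i) for i in iocs}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        m = URL_RE.match(parts[3])
        if not m:
            continue
        host, port = m.group(1).lower(), m.group(2)
        # Exact host:port match, or a port-less indicator that covers any port.
        if (host, port) in matcher or (host, None) in matcher:
            hits.append((parts[1], host, port))
    return hits

def is_known_bad(data, hashes=KNOWN_BAD_SHA256):
    """Hash a file's bytes and compare against the SHA-256 indicator list."""
    return hashlib.sha256(data).hexdigest() in hashes
```

Hosts listed with a port only match that port, so a contact on another port is not reported; drop the port from the indicator if every port should count.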



Copyright © 2016