Angler & Domain Shadowing

Cisco blog

Angler is currently the best exploit kit on the market. The security industry has been waiting in anticipation to see which kit would replace “Blackhole”. While Angler may not have replaced Blackhole in terms of volume, its high level of sophistication and widespread usage lead us to declare Angler the winner. It has shown the capability of integrating new exploits, including 0-days, quickly and effectively. With a new technique we’re calling Domain Shadowing, Angler has shown it is working hard to avoid standard detection.

Domain shadowing is the process of using users' domain registration logins to create subdomains (e.g. says.imperialsocks.com). Angler Exploit Kit has begun utilizing these hijacked domain registrant accounts to serve malicious content. This is an increasingly effective attack vector since most individuals don’t monitor their domain registrant accounts regularly. These accounts are typically compromised through phishing. The threat actor then logs in with the credentials and creates large numbers of subdomains. Since many users have multiple domains, this can provide a nearly endless supply of domains. Talos has found several hundred compromised accounts that control thousands of unique domains. We have identified close to 10K unique subdomains being utilized. This behavior has proven to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses, since this campaign has done an exceptional job of rotating not only the subdomains but also the IP addresses associated with the campaign. Additionally, these subdomains are being rotated quickly, minimizing the time the exploits are active and further hindering both block list effectiveness and analysis. This is all done with the users' already registered domains. No additional domain registration was found.
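A defender-side sketch of the pattern described above, as an added example that is not from the original post: it scans passive-DNS observations for established domains that suddenly gain several short-lived subdomains resolving to addresses outside the owner's usual infrastructure. The record layout `(first_seen, last_seen, fqdn, ip)`, the thresholds, the function names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def registered_domain(fqdn):
    # Assumption: two-label registered domains; production code should
    # consult the Public Suffix List instead.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def find_shadowed(records, window_start, min_new=3,
                  max_life=timedelta(hours=24), min_ips=2):
    """Map each suspect registered domain to its short-lived new subdomains."""
    baseline_ips = defaultdict(set)  # IPs of hosts seen before the window
    new_hosts = defaultdict(dict)    # domain -> {fqdn: {ips}} for brief new hosts
    for first, last, fqdn, ip in records:
        dom = registered_domain(fqdn)
        if first < window_start:
            baseline_ips[dom].add(ip)
        elif last - first <= max_life:
            new_hosts[dom].setdefault(fqdn, set()).add(ip)
    flagged = {}
    for dom, hosts in new_hosts.items():
        if dom not in baseline_ips:
            continue  # shadowing abuses domains that already have history
        # Keep new hosts that resolve outside the owner's established IPs.
        off = {h: ips - baseline_ips[dom] for h, ips in hosts.items()}
        off = {h: ips for h, ips in off.items() if ips}
        rotated = set().union(*off.values())
        if len(off) >= min_new and len(rotated) >= min_ips:
            flagged[dom] = sorted(off)
    return flagged

# Constructed sample data: reserved .example names and documentation IP ranges.
T0 = datetime(2015, 2, 1)
def at(days, hours=0):
    return T0 + timedelta(days=days, hours=hours)

SAMPLE = [
    (at(-400), at(10), "www.shop.example", "192.0.2.10"),
    (at(-400), at(10), "mail.shop.example", "192.0.2.11"),
    (at(1, 0), at(1, 2), "says.shop.example", "198.51.100.7"),
    (at(1, 2), at(1, 4), "acts.shop.example", "198.51.100.9"),
    (at(1, 4), at(1, 6), "runs.shop.example", "203.0.113.20"),
    (at(-300), at(10), "www.blog.example", "192.0.2.50"),
    (at(2), at(10), "cdn.blog.example", "192.0.2.50"),  # long-lived, owner IP
]

if __name__ == "__main__":
    for dom, subs in find_shadowed(SAMPLE, T0).items():
        print(dom, subs)
```

Because the subdomains and IPs rotate faster than block lists update, the signal here is the parent domain's change in behavior rather than any single hostname or address.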

This recent campaign has been running since late December and, coupled with the recent Flash 0-day, has shown itself to be a new evolution in exploit kits. 0-days and advanced evasion techniques were once reserved for targeted attacks and are now being packaged as the next evolution in the productized industrialization of hacking. This illustrates how products like Angler have raised the bar for the effectiveness of user-driven exploit frameworks, putting them in the same arena as the advanced threat market. Previously, the information security industry has tried to focus on detecting common, user-targeted attacks while taking an “it’s not if, but when” approach to the advanced threats. Angler is now in the category of “not if, but when your organization will be impacted.”