Angler Exploit Kit Back in Action

Hi guys,

Angler Exploit Kit (EK) went quiet after a recent takedown but is back in business. On 30 October 2015, ThreatLabZ observed a compromised Chinese government website redirecting its visitors to Angler EK, which delivered CryptoWall 3.0 as its payload. The compromise does not appear to have been targeted, and the site was cleaned up within 24 hours. Angler itself shows a few recent changes, including the addition of newer Flash exploits.

The “Chuxiong Archives” website, www.cxda[.], had been compromised with injected code. The site looks similar to the Chuxiong Yi Prefecture and Chuxiong City websites and appears somewhat inactive, but it was cleaned in less than 24 hours.

Angler EK operators have access to the exploit kit again. These attacks were not targeted in nature, but this is apparently the first time EK operators have leveraged a government site to reach end users. One interesting observation is that we no longer see the Diffie-Hellman key exchange over HTTP POST that Angler had used to keep captured sessions from being replayed or decrypted for offline analysis. Additionally, there was a much larger number of C&C servers than we have previously observed, and some of the domain names suggest multi-use hosts (e.g. spam, bitcoin mining). Note that none of the C&C domains appear to be pseudo-randomly generated (DGA-style). ThreatLabZ will continue to track new developments with the Angler Exploit Kit.
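To make the Diffie-Hellman observation concrete, here is an added illustration, written for this page and not Angler's code or anything from the ThreatLabZ write-up, of why a DH-protected exploit delivery resists offline analysis of a captured session. The message flow (landing page POSTs a public value A, the server answers with its public value B and the encrypted payload), the RFC 3526 group 14 parameters, the SHA-256 key derivation and the HMAC-SHA256 counter-mode stream cipher are all assumptions made for the demo; the page does not describe Angler's actual protocol details. PAYLOAD is a constructed stand-in for the exploit bytes.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (assumed group for the demo).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8

# Constructed stand-in for the exploit bytes an EK would serve.
PAYLOAD = b"<constructed exploit blob: real Flash/IE exploit bytes would go here>"


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumed for
    the demo; the page does not say what cipher Angler actually used)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _session_key(shared: int) -> bytes:
    """Assumed KDF: SHA-256 over the fixed-width shared secret."""
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()


def client_start() -> Tuple[int, int]:
    """Landing-page script: choose private a, POST public A = g^a mod p."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def server_respond(A: int, payload: bytes) -> Tuple[int, bytes]:
    """EK server: fresh private b for every request, answers with
    B = g^b mod p and the payload encrypted under H(A^b mod p).
    Neither a nor b ever crosses the wire."""
    b = secrets.randbelow(P - 2) + 1
    key = _session_key(pow(A, b, P))
    return pow(G, b, P), _xor(payload, _keystream(key, len(payload)))


def client_finish(a: int, B: int, ciphertext: bytes) -> bytes:
    """Browser side: the only party holding a, so the only one that can
    rebuild the key from what was observable on the wire."""
    key = _session_key(pow(B, a, P))
    return _xor(ciphertext, _keystream(key, len(ciphertext)))


def capture_session(payload: bytes = PAYLOAD) -> dict:
    """Run one victim session; return what the wire shows (the 'pcap')
    alongside the private value that only the endpoint holds."""
    a, A = client_start()
    B, ct = server_respond(A, payload)
    return {"pcap": {"A": A, "B": B, "ciphertext": ct}, "client_priv": a}


def replay_from_pcap(pcap: dict, payload: bytes = PAYLOAD) -> bytes:
    """Offline analyst replays the captured POST body A. Even if the server
    still answers, it picks a new b, so the response is a different
    ciphertext under a different key, and without a neither the original
    nor the replayed session can be decrypted from the capture alone."""
    _, ct2 = server_respond(pcap["A"], payload)
    return ct2


if __name__ == "__main__":
    s = capture_session()
    pcap = s["pcap"]
    print("endpoint decrypts:",
          client_finish(s["client_priv"], pcap["B"], pcap["ciphertext"]) == PAYLOAD)
    print("replay of captured POST yields a new ciphertext:",
          replay_from_pcap(pcap) != pcap["ciphertext"])
```

The practical consequence for analysts: with the exchange in place, a PCAP holds only A, B and the ciphertext, and the session key exists solely at the two endpoints, so decrypting the delivered exploit has to happen on the browser side (hooking the landing-page script or dumping the private value) rather than from the wire. Without the exchange, which is what the post now reports seeing, the same capture can be decrypted offline and replayed.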

The full infection cycle, from the compromised site to the encrypted payload, is shown in a Fiddler session and described in the original post, which also has a list of indicators of compromise :)


Source: Akati
