This post was authored by Nick Biasini with contributions from Joel Esler, Nick Hebert, Warren Mercer, Matt Olney, Melissa Taylor, and Craig Williams.
Executive Summary
Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kits on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.
In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks — with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.
Cisco then took action:
- Shutting down access for customers by updating products to stop redirects to the Angler proxy servers.
- Releasing Snort rules to detect and block the health checks.
- Releasing all rules to the community through Snort.
- Publishing communications mechanisms, including protocols, so others can protect themselves and their customers.
- Publishing IoCs so that defenders can analyze their own network activity and block access to the remaining servers.
This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.
Watch Angler compromise a box and install ransomware at the end of the video.
Technical Overview
It seems like every week Angler Exploit Kit is in the news, whether it’s Domain Shadowing, 0day integration, or large scale malvertising campaigns, it consistently dominates the threat landscape. It’s a constant fight between the adversaries and the defenders. We are constantly monitoring and updating coverage for the threat. Based on this constant battle, Talos decided to dive deep on Angler’s telemetry data and has made some astounding discoveries.
The dataset was originally from July 2015 and included data from all sources available. July provided a unique opportunity because Angler went through several iterations of development, including URL structure changes and implementation of several unpatched Adobe Flash vulnerabilities. During the analysis, trends and patterns emerged. This paper will discuss trends in hosting, domain usage, referrers, exploits, and payloads. It was the trends associated with the hosting that led to the most significant discoveries.
While analyzing the data we found that a large amount of Angler activity was focused with a single hosting provider, Limestone Networks. Talos collaborated with Limestone to gather some previously unknown insight into Angler. This includes details related to data flow, management, and scale.
Angler is actually constructed in a proxy/server configuration. There is a single exploit server that is responsible for serving the malicious activity through multiple proxy servers. The proxy server is the system that users communicate with, allowing the adversary to quickly pivot and change while still shielding the exploit server from identification and exposure. Additionally, there is a health monitoring server that conducts health checks, gathers information about the hosts that are being served exploits, and remotely erases the log files once they have been fetched. This health server revealed the scope and scale of the campaign, and allowed us to put a monetary value on the activity.
A single health server was seen monitoring 147 proxy servers over the span of a month and generating in excess of $3,000,000 USD in revenue. This single adversary was responsible for approximately half of the Angler activity we observed and is making more than $30,000,000 USD annually from Ransomware infections alone.
The monetization of the malware economy has continued to evolve over the last several years. Every single year we see small innovations that lead towards the occasional major advance. Today we’re seeing the results of years of major advances being combined with a drive-by download vector to form one of the most effective and profitable attacks facing the internet.
Due to the dynamic nature of some of the content the full article can be found at talosintel.com here.
XLHost needs to have a little light shined on it!
Network Location Provider Activity Host(s) Date
206.222.25.56/29 US/OH XLHost Angler exploit kit .61 10/6/2015
173.45.99.16/29 US/OH XLHost Angler exploit kit .18,.19 10/5/2015
173.45.99.8/29 US/OH XLHost Angler exploit kit .12 10/1/2015
207.182.129.152/29 US/OH XLHost Angler exploit kit .154 9/29/2015
207.182.130.184/29 US/OH XLHost Angler exploit kit .187 9/29/2015
64.79.71.112/29 US/OH XLHost Bedep call back (whole block) 9/25/2015
207.182.157.152/29 US/OH XLHost Angler exploit kit .158 9/14/2015
207.182.159.216/29 US/OH XLHost Angler exploit kit .219 7/23/2015
209.190.51.208/29 US/OH XLHost Angler exploit kit .210 7/23/2015
Example 1 (10/6/2015)
ia15.org is redirecting to creeper-1krautschneider.bennet.ws IP 206.222.25.61 US/OH XLHost, ANGLER exploit kit
Packet capture
E….’@.|..q.Jwn…=.v.P..j7ap..P…….GET /civis/search.php?keywords=4o&fid0=74137.677d2ph610i5ut84 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.ia15.org/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: creeper-1krautschneider.bennet.ws
Example 2 (10/6/2015)
soundpointre.com is redirecting to creeper-1krautschneider.bennet.ws IP 206.222.25.61 US/OH XLHost, ANGLER exploit kit
Packet capture
E…7.@.}.c..J.e…=…P …m…P…….GET /forums/search.php?keywords=05&fid0=z64466krhy81775. HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://soundpointre.com/keith-bruce/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: creeper-1krautschneider.bennet.ws
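The IoC list and the two captured requests in the comment above are useful to a defender only once they are turned into something that can be run over proxy logs. The following is an added example, not code from the original post, from Talos or from the commenter. It expands the "/29 block + host octet" notation into concrete addresses, matches the landing-page URI shape of the two captures (a regular expression generalised from just those two samples, so treat it as an assumption rather than a definitive Angler signature), and scans a handful of constructed, space-separated proxy log lines (timestamp, client, destination IP, Host header, path, Referer; the format is assumed). The `whole_blocks` option lets you block every listed /29 instead of only the host octets the commenter named.

```python
"""Scan proxy-log lines for the XLHost IoCs and the Angler landing-page URI shape
quoted in the comment above. Added example; log format and sample lines are constructed."""
import ipaddress
import re

# IoC rows as posted in the comment: (network, host octets, activity).
# The Bedep row names no host octet, so it is treated as the whole /29.
IOC_ROWS = [
    ("206.222.25.56/29", ".61", "Angler exploit kit"),
    ("173.45.99.16/29", ".18,.19", "Angler exploit kit"),
    ("173.45.99.8/29", ".12", "Angler exploit kit"),
    ("207.182.129.152/29", ".154", "Angler exploit kit"),
    ("207.182.130.184/29", ".187", "Angler exploit kit"),
    ("64.79.71.112/29", "", "Bedep call back"),
    ("207.182.157.152/29", ".158", "Angler exploit kit"),
    ("207.182.159.216/29", ".219", "Angler exploit kit"),
    ("209.190.51.208/29", ".210", "Angler exploit kit"),
]

# Generalised from the two captured URIs:
#   /civis/search.php?keywords=4o&fid0=74137.677d2ph610i5ut84
#   /forums/search.php?keywords=05&fid0=z64466krhy81775.
# This is an assumption drawn from two samples, not a published signature.
LANDING_RE = re.compile(r"^/[a-z0-9]+/search\.php\?keywords=[0-9a-z]{2}&fid0=[0-9a-z.]+$")


def expand_iocs(rows, whole_blocks=False):
    """Turn '206.222.25.56/29' + '.61' into the concrete address 206.222.25.61.

    Returns (exact, blocks): exact maps IPv4Address -> activity for named hosts,
    blocks is a list of (IPv4Network, activity) matched as whole ranges.
    """
    exact = {}
    blocks = []
    for net_str, hosts, activity in rows:
        net = ipaddress.ip_network(net_str)
        if whole_blocks or not hosts:
            blocks.append((net, activity))
            continue
        prefix = str(net.network_address).rsplit(".", 1)[0]
        for octet in hosts.split(","):
            ip = ipaddress.ip_address(f"{prefix}{octet.strip()}")
            if ip not in net:  # a typo in the list would otherwise block the wrong host
                raise ValueError(f"{ip} is not inside {net}")
            exact[ip] = activity
    return exact, blocks


def classify(dst_ip, path, exact, blocks):
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    ip = ipaddress.ip_address(dst_ip)
    if ip in exact:
        reasons.append(f"IoC host: {exact[ip]}")
    else:
        for net, activity in blocks:
            if ip in net:
                reasons.append(f"IoC block {net}: {activity}")
                break
    if LANDING_RE.match(path):
        reasons.append("Angler landing-page URL shape")
    return reasons


def scan(lines, rows=IOC_ROWS, whole_blocks=False):
    """Scan constructed log lines: ts client dst_ip host path referer."""
    exact, blocks = expand_iocs(rows, whole_blocks)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line; skip rather than crash the scan
        ts, src, dst, host, path, referer = parts
        reasons = classify(dst, path, exact, blocks)
        if reasons:
            hits.append({"ts": ts, "src": src, "dst": dst, "host": host,
                         "referer": referer, "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic), mirroring the two captures above
# plus a Bedep-range contact, an unlisted host in a listed /29, and a benign request.
SAMPLE_LOG = [
    "2015-10-06T10:12:01 10.0.0.5 206.222.25.61 creeper-1krautschneider.bennet.ws "
    "/civis/search.php?keywords=4o&fid0=74137.677d2ph610i5ut84 http://www.ia15.org/",
    "2015-10-06T10:12:04 10.0.0.5 64.79.71.115 example-callback.invalid / -",
    "2015-10-06T10:13:10 10.0.0.9 206.222.25.57 example.invalid /index.html -",
    "2015-10-06T10:14:22 10.0.0.7 198.51.100.20 example.invalid "
    "/forums/search.php?keywords=05&fid0=z64466krhy81775. http://soundpointre.com/keith-bruce/",
    "2015-10-06T10:15:00 10.0.0.7 198.51.100.20 example.invalid /about.html -",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["host"], "; ".join(hit["reasons"]))
```

With the default settings only the named host octets are matched, which is the conservative reading of the list; the third sample line (an unlisted neighbour in 206.222.25.56/29) is flagged only when `whole_blocks=True`. The URI check fires independently of the IP, which is what catches the fourth line once the actors rotate to a proxy that is not yet on any list.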
Jim thanks for the information. They’ve already been added to our Blacklist.
Tim thanks for the information. We already had this one on our blacklist as well.
Excellent Job.