Tuesday, March 28, 2017
Home / Malware / Angler Exploit Kit remains undetected

Angler Exploit Kit remains undetected

Angler exploit kit first showed up in late 2013, and ever since then has dramatically gained popularity on underground forums. Its ambitious tactics for avoiding detection by security applications have led to many updates and improvements of components it utilizes (HTML, JavaScript, Flash, Silverlight, Java and more). Angler can be quite common. For instance, in May 2015, Sophos discovered countless new web pages infected with Angler’s landing pages every day.

Angler has been on the rise ever since 2015, as shown in the chart below:

Angler Exploit kit growth

Since the shutdown of the Blackhole exploit kit in 2013 after the owners were detained and sentenced. Blackhole’s compeitors have been growing at a exponential rate with Angler being the largest in 2015.

Angler uses landing pages to initiate exploits, typically using a mixture of HTML and JavaScript to gather data about its victim including the browser and plugins installed.  Angler looks for various security tools and virtualization software to prevent it from being analyzed by researchers. So far these tactics have been working, as you can see in a scan of the exploit kit on Virustotal.

Angler's code checks for various security tools
Credits go to blogs.sophos.com

The degree of sophistication in exploits kits has grown dramatically through the years. Where obfuscation and new zero days had been the only real improvements in each release, evasive code has been seen being inserted into the framework and shellcode.

Organizations can help mitigate these threats by consistently keeping plugins, browsers and third party software up to date. Disabling plugins such as Java, Flash and Silverlight can also reduce the chance of being exploited.

For a full analysis on the Angler exploit kit, check out FireEye’s full analysis.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Silent OS 3.0 for Blackphone Completely revamped

Version 3.0 migrates Silent OS to Android Marshmallow 6.0.1 and delivers the Android safety patch …