Angler exploit kit first showed up in late 2013, and ever since then has dramatically gained popularity on underground forums. Its ambitious tactics for avoiding detection by security applications have led to many updates and improvements of components it utilizes (HTML, JavaScript, Flash, Silverlight, Java and more). Angler can be quite common. For instance, in May 2015, Sophos discovered countless new web pages infected with Angler’s landing pages every day.
Angler has been on the rise ever since 2015, as shown in the chart below:
Since the shutdown of the Blackhole exploit kit in 2013 after the owners were detained and sentenced. Blackhole’s compeitors have been growing at a exponential rate with Angler being the largest in 2015.
Angler uses landing pages to initiate exploits, typically using a mixture of HTML and JavaScript to gather data about its victim including the browser and plugins installed. Angler looks for various security tools and virtualization software to prevent it from being analyzed by researchers. So far these tactics have been working, as you can see in a scan of the exploit kit on Virustotal.
The degree of sophistication in exploits kits has grown dramatically through the years. Where obfuscation and new zero days had been the only real improvements in each release, evasive code has been seen being inserted into the framework and shellcode.
Organizations can help mitigate these threats by consistently keeping plugins, browsers and third party software up to date. Disabling plugins such as Java, Flash and Silverlight can also reduce the chance of being exploited.
For a full analysis on the Angler exploit kit, check out FireEye’s full analysis.