How the powerful and dangerous Angler exploit kit works


The Angler Exploit Kit is a very powerful and advanced exploit kit used by hackers. Many information security and ethical hacking training experts consider it more powerful than the Blackhole exploit kit because it has caused a larger number of infections.


Why the Angler exploit kit is powerful and dangerous

  1. Angler uses different zero-day exploits to attack browser plugins such as Java, Adobe Flash and Microsoft Silverlight.
  2. Angler uses the drive-by download technique to drop the malware/payload, choosing it according to the vulnerability present on the machine. This is also known as a fileless infection (memory injection): the exploit runs in RAM. The code is injected into a running process, such as iexplore.exe or javaw.exe, which is then used for the exploit. Because the exploit code does not exist as a file, it cannot be detected by intrusion prevention systems and antivirus programs. The payload is usually a program called a dropper, whose purpose is to download and install one or more malware programs.
  3. The payloads used by the kit include banking Trojans such as Zeus or Citadel, ransomware such as CryptoLocker, the Bedep marketing malware and keylogging software.
  4. Angler also uses a newer technique known as "domain shadowing", which security experts from the International Institute of Cyber Security describe as an evolution in cybercrime. Although domain shadowing was already used in 2011, Angler uses it to create subdomains under legitimate hacked domains and distribute malware from them. Domain shadowing relies on compromised registrant credentials and is very difficult to stop. It is also very difficult to track down the cybercriminals behind these attacks because the compromised accounts are selected at random. A bad-URL list or URL blacklist therefore does not protect against the attack.
  5. Angler changes hashes and payloads and uses several levels of page redirection before reaching the final exploit page, so that security products cannot detect it. It uses 302 cushioning, or a "cushion attack", to redirect victims to malicious sites without techniques such as hidden iframes or external script tags.
  6. The compromised web servers hosting the exploit kit landing page can be visited only once from a given IP address, and the hackers actively monitor the servers, which makes reverse engineering difficult, according to Mike Stevens, a malware reverse engineering and ethical hacking course expert from Mexico.
  7. It can detect virtual machines and security products on the victim's system and decide not to run the exploit, so that antivirus companies cannot reverse engineer the exploit kit.
  8. Angler uses encryption and web page obfuscation, and the payload is decrypted on the victim's machine.
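Because domain shadowing (item 4 above) defeats URL blacklists, defenders usually hunt it in DNS data instead. The following script is an added example, not code from the original post or from any Angler analysis: it scans a constructed DNS resolution log for subdomains of apex domains the organisation already knows and flags those that resolve outside the address space the apex normally uses, adding a second reason when the subdomain label looks machine-generated. The baseline table `KNOWN_APEX`, the log format and all hostnames and addresses are constructed for the example; a real deployment would derive the registrable domain from the Public Suffix List rather than from a fixed table.

```python
"""Flag likely domain-shadowing subdomains in DNS resolution logs.

Domain shadowing creates subdomains under a legitimate, hijacked registrant
account and points them at attacker infrastructure. Two cheap signals catch
much of it: the new subdomain resolves outside the address space the apex
domain normally uses, and its leftmost label looks machine-generated.
"""
import ipaddress
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed baseline for the example: apex domains the defender knows,
# with the address ranges their legitimate hosts live in.
KNOWN_APEX: Dict[str, List[str]] = {
    "example.com": ["203.0.113.0/24"],
    "example.org": ["198.51.100.0/24"],
}

# Constructed DNS log, one "<epoch> <qname> A <rdata>" answer per line.
DNS_LOG = """\
1425000000 www.example.com A 203.0.113.10
1425000030 mail.example.com A 203.0.113.25
1425000100 q7xk2p.example.com A 192.0.2.77
1425000160 a1b2c3d4.example.org A 192.0.2.78
1425000200 shop.example.org A 198.51.100.5
1425000300 cdn.other.net A 192.0.2.9
"""

Record = Tuple[int, str, str]  # (timestamp, qname, resolved IPv4)


def parse_dns_log(text: str) -> List[Record]:
    """Parse the constructed log format; skip lines that are not A answers."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue
        records.append((int(parts[0]), parts[1].lower().rstrip("."), parts[3]))
    return records


def apex_of(hostname: str, known: Dict[str, List[str]]) -> Optional[str]:
    """Return the known apex domain that `hostname` sits under, if any.

    Assumption: a fixed baseline table stands in for Public Suffix List
    lookups, which a production detector should use instead.
    """
    for apex in known:
        if hostname == apex or hostname.endswith("." + apex):
            return apex
    return None


def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str, entropy_threshold: float = 2.5) -> bool:
    """Heuristic: letters mixed with digits, or high character entropy."""
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return (has_digit and has_alpha) or shannon_entropy(label) >= entropy_threshold


def find_shadowed_subdomains(records: List[Record],
                             known: Dict[str, List[str]] = KNOWN_APEX) -> List[dict]:
    """Return subdomains of known apexes that resolve outside the apex's range."""
    findings = []
    for ts, qname, ip in records:
        apex = apex_of(qname, known)
        if apex is None or qname == apex:
            continue  # unrelated domain, or the apex itself
        addr = ipaddress.ip_address(ip)
        in_range = any(addr in ipaddress.ip_network(net) for net in known[apex])
        if in_range:
            continue  # resolves where the apex's real hosts live
        leftmost = qname[: -(len(apex) + 1)].split(".")[0]
        reasons = ["resolves outside the apex's known address space"]
        if looks_generated(leftmost):
            reasons.append("machine-generated-looking label")
        findings.append({"timestamp": ts, "qname": qname, "apex": apex,
                         "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_shadowed_subdomains(parse_dns_log(DNS_LOG)):
        print(f"{f['qname']} -> {f['ip']} ({'; '.join(f['reasons'])})")
```

On the constructed log the two shadowed names (`q7xk2p.example.com`, `a1b2c3d4.example.org`) are reported with both reasons, while the legitimate `www`, `mail` and `shop` hosts and the unrelated `cdn.other.net` are ignored. The address-range check is the strong signal; the label heuristic only adds context, so a shadowed subdomain with a dictionary-word label is still caught.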


How Angler Exploit Kit works

  1. The victim visits a web page and receives an advertisement pop-up. This ad is a web page served by a compromised web server.
  2. The compromised web server's page redirects to an intermediate server, so that IDS/IPS cannot detect the malware.
  3. The intermediate server redirects to a hacker-controlled web server hosting the Angler exploit kit's landing page.
  4. The landing page checks for the presence of vulnerable browser plug-ins (Java, Flash and Silverlight) and their versions. It also checks for virtual machines and security software, such as malware reverse engineering tools.
  5. If security software is found, the exploit simply produces a JavaScript error.
  6. When a vulnerable browser or plug-in is found and no security software is present, the exploit kit delivers the appropriate encrypted payload, which is decrypted in RAM and injected into a running process, such as iexplore.exe or javaw.exe, which is then exploited to gain persistent access to the machine, according to information security training expert Jim Taylor.
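The redirect chain in steps 1 to 3 (ad page, compromised server, intermediate server, landing page) and the 302 cushioning described in the previous section leave a recognisable trace in web proxy logs: a run of 302 responses hopping across unrelated hosts, followed within seconds by a plug-in object (Flash, Java or Silverlight) fetched from the final host. The script below is an added example, not code from the original post: it reconstructs per-client 302 runs from a constructed proxy log and reports chains that cross at least two hosts, noting whether a plug-in object followed. The log format, the client addresses, the hostnames and the `PLUGIN_TYPES` table are assumptions made for the example.

```python
"""Reconstruct per-client 302 redirect chains from proxy logs and flag the
multi-hop chains that land on a page serving a browser plug-in object."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed proxy log: "<epoch> <client> <status> <url> <content-type>".
# Client 10.0.0.5 walks an ad -> relay -> landing chain ending in a Flash
# object; client 10.0.0.8 is a benign single same-site redirect (login).
PROXY_LOG = """\
1425001000 10.0.0.5 200 http://news.example.com/article.html text/html
1425001001 10.0.0.5 200 http://ads.example.net/banner.html text/html
1425001002 10.0.0.5 302 http://ads.example.net/click?id=77 text/html
1425001003 10.0.0.5 302 http://relay.example.info/go text/html
1425001004 10.0.0.5 200 http://q7xk2p.example.com/landing.php text/html
1425001006 10.0.0.5 200 http://q7xk2p.example.com/obj.swf application/x-shockwave-flash
1425001100 10.0.0.8 200 http://news.example.com/article.html text/html
1425001101 10.0.0.8 302 http://news.example.com/login text/html
1425001102 10.0.0.8 200 http://news.example.com/home text/html
"""

# MIME types of the plug-in content the kit targets (assumed mapping).
PLUGIN_TYPES: Dict[str, str] = {
    "application/x-shockwave-flash": "Flash",
    "application/java-archive": "Java",
    "application/x-silverlight-app": "Silverlight",
}

Req = Tuple[int, str, int, str, str]  # (time, client, status, url, content-type)


def parse_proxy_log(text: str) -> List[Req]:
    """Parse the constructed five-field log format, skipping malformed lines."""
    out: List[Req] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        out.append((int(parts[0]), parts[1], int(parts[2]), parts[3], parts[4]))
    return out


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def find_cushion_chains(requests: List[Req], min_hops: int = 2,
                        window: int = 10) -> List[dict]:
    """Return 302 runs of at least `min_hops` that cross two or more hosts.

    A run is a sequence of 302 responses from one client with at most
    `window` seconds between consecutive requests; the request right after
    the run is treated as the landing page.
    """
    by_client: Dict[str, List[Req]] = defaultdict(list)
    for r in requests:
        by_client[r[1]].append(r)

    findings = []
    for client, reqs in by_client.items():
        reqs.sort()
        i = 0
        while i < len(reqs):
            if reqs[i][2] != 302:
                i += 1
                continue
            j = i + 1  # extend the run over consecutive, closely spaced 302s
            while (j < len(reqs) and reqs[j][2] == 302
                   and reqs[j][0] - reqs[j - 1][0] <= window):
                j += 1
            hops = reqs[i:j]
            if j >= len(reqs) or reqs[j][0] - reqs[j - 1][0] > window:
                i = j  # run never landed anywhere we can see
                continue
            landing = reqs[j]
            path = [host_of(r[3]) for r in hops] + [host_of(landing[3])]
            plugin: Optional[str] = None
            for r in reqs[j + 1:]:  # plug-in object from the landing host?
                if r[0] - landing[0] > window:
                    break
                if r[4] in PLUGIN_TYPES and host_of(r[3]) == path[-1]:
                    plugin = PLUGIN_TYPES[r[4]]
                    break
            if len(hops) >= min_hops and len(set(path)) >= 2:
                findings.append({"client": client, "start": hops[0][0],
                                 "hops": len(hops), "path": path,
                                 "landing": landing[3], "plugin": plugin})
            i = j + 1
    return findings


if __name__ == "__main__":
    for f in find_cushion_chains(parse_proxy_log(PROXY_LOG)):
        print(f"{f['client']}: {' -> '.join(f['path'])} "
              f"({f['hops']} hops, plug-in: {f['plugin']})")
```

Only the `10.0.0.5` chain is reported: two 302 hops across `ads.example.net` and `relay.example.info` land on `q7xk2p.example.com`, which serves a Flash object two seconds later. The benign login redirect for `10.0.0.8` is a single same-host hop and is ignored. Pairing this with the DNS-side check for the landing host (a newly seen subdomain of a known apex) gives a much stronger alert than either signal alone.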
