<p><strong>Angler Exploit Kit is 50% down, a large ransomware campaign dismantled</strong></p>
<p>Kaspersky Daily, 12 October 2015 (https://www.kaspersky.com/blog/angler-down/15107/)</p>
<p>Threatpost <a href="https://threatpost.com/researchers-disrupt-angler-exploit-kit-ecosystem-derail-30m-ransomware-campaign/114939/" target="_blank" rel="noopener nofollow">had a story</a> last week describing the disruption of a large ransomware campaign connected to the Angler exploit kit. Experts from Cisco's Talos security group "effectively nullified 50 percent of the exploit kit's activity".</p>
<p><strong>Angler</strong></p>
<p>Angler is a notorious exploit kit, considered one of the most sophisticated kits on the underground market.</p>
<p>It has some peculiar capabilities, such as detecting virtual machines (VMware, VirtualBox, Parallels and others). VMs are often used as honeypots and test beds by security researchers, and Angler's authors have gone to great lengths to prevent their creation from being investigated. Angler also detects Fiddler, a web debugging proxy that is popular among researchers. Once a VM or a debugging proxy is detected, the kit bolts immediately, which makes it a really tough nut for researchers to crack.</p>
<p>Angler is one of the fastest kits to incorporate newly released zero-days; its operators are probably searching for them extensively. Angler's malware runs from memory, without having to write to the hard drives of its victims.</p>
<p>The kit is also closely associated with ransomware, namely <a href="https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall/" target="_blank" rel="noopener">CryptoWall 3.0 or TeslaCrypt 2.0</a> variants.</p>
<p><strong>Tango down, or…?</strong></p>
<p>Now its wings have, more or less, been clipped. Its weak point turned out to be a hosting service where many of its proxy servers were located: Limestone Networks, based in Dallas, US.</p>
<p>Limestone provided researchers with disk images of the servers that were being used to carry out the malicious activity. It turned out that, over the course of 30 days, one server was connecting to 147 other proxy servers that obfuscated the malicious traffic.</p>
<p>Over a month of monitoring, researchers saw each of those 147 servers compromising 3,600 users, 529,000 in total. Even if roughly 3% of users paid the ransom, Threatpost says, the attackers' loot was up to $3 million a month.</p>
<p>The common targets were users of old, unpatched versions of Adobe Flash and Internet Explorer, especially those who frequented adult websites and, a nefarious detail, obituary websites. Researchers said they believe the attacker(s) used obituary websites as a means to target the elderly, as conventional wisdom maintains they are more likely to use unpatched versions of IE and to be susceptible to ransomware.</p>
<p>You are welcome to choose a descriptive word of your liking for those attackers in the comments. My own is too unparliamentary for text like this.</p>
<p>Our colleagues from Talos did a grand job with Angler. Hopefully this kit will be dismantled completely one day, like Blackhole before it.</p>
<p><strong>A solution for a problem</strong></p>
<p>Exploit kits are <a href="https://business.kaspersky.com/a-problem-of-exploits/4248/" target="_blank" rel="noopener nofollow">a long-standing problem</a> for end users and businesses alike: the kits check the attacked system against a multitude of vulnerabilities, zero-days included, and if any is found, infection promptly ensues.</p>
<p>Beating exploits requires behavior analysis. Malware programs may be plentiful and varied, but most of them share similar behavioral patterns.</p>
<p>Kaspersky Lab's Automatic Exploit Prevention uses information about the most typical behavior of known exploits, which helps prevent infection even when a previously unknown zero-day vulnerability is being exploited.</p>
<p>Exploits quite often preload files before directly infecting the system. Automatic Exploit Prevention monitors programs that access the network and analyzes the source files. If anything suspicious is going on, the corresponding traffic gets blocked.</p>
<p>Check <a href="https://business.kaspersky.com/case-6-automatic-exploit-prevention-against-targeted-attacks/1338" target="_blank" rel="noopener nofollow">this page</a> to find out more about Automatic Exploit Prevention technology.</p>