The Angler exploit kit is using a new method of evasion that allows it to compromise victims before information security experts have a chance to respond.
In an article published on Cisco’s Threat Research blog, Nick Biasini, a Threat Researcher for the Talos Security Intelligence and Research Group, discusses Angler’s new technique, which he has dubbed ‘Domain Shadowing.’
“Domain Shadowing is the process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner.”
This technique is usually perpetrated via phishing attacks.
Biasini explains that attackers use these compromised credentials to create sub-domains, which are then arranged in multiple tiers.
The attack vector proceeds as follows. Malicious ads are served to users in their web browsers; clicking an ad redirects the user to the first tier of subdomains, known as the “gate.”
This tier then redirects users to the actual landing page hosting the Angler exploit kit, which serves either an Adobe Flash or a Microsoft Silverlight exploit.
The final page is rotated frequently, with many active for only a matter of minutes.
As a result, some observers have noted the similarities between domain shadowing and fast flux, the rapid rotation of a large list of IP addresses to which a single domain or DNS entry points.
Domain shadowing builds on the fast-flux idea but turns it around: instead of rotating IP addresses behind one name, it rotates subdomains that point to a single domain or group of IP addresses, introducing what Biasini has called the new “productised industrialisation of hacking,” previously employed only by advanced targeted attackers.
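The contrast with fast flux matters for detection: fast flux shows up as one name resolving to many IPs, whereas domain shadowing shows up as many short-lived names under one legitimate registered domain resolving to address space the domain has never used. The following is an added example, not code from the Cisco/Talos article, of that heuristic applied to passive-DNS style records. The records, the two-label apex approximation, and the lifetime and count thresholds are constructed assumptions for illustration.

```python
"""Heuristic detection of domain shadowing in passive DNS data.

Added example (not from the Cisco/Talos article). Input records are
constructed for illustration; thresholds are assumptions, not figures
from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed passive-DNS observations: (fqdn, resolved_ip, first_seen, last_seen)
SAMPLE_RECORDS = [
    ("example-legit.com", "203.0.113.10", "2015-03-01T00:00:00", "2015-03-05T00:00:00"),
    ("www.example-legit.com", "203.0.113.10", "2015-03-01T00:00:00", "2015-03-05T00:00:00"),
    ("mail.example-legit.com", "203.0.113.25", "2015-03-01T00:00:00", "2015-03-05T00:00:00"),
    # Shadowed subdomains: random labels, unrelated address space, minutes of life
    ("a7f3k.example-legit.com", "198.51.100.7", "2015-03-04T10:00:00", "2015-03-04T10:12:00"),
    ("q9z1p.example-legit.com", "198.51.100.7", "2015-03-04T10:15:00", "2015-03-04T10:29:00"),
    ("m2v8c.example-legit.com", "198.51.100.9", "2015-03-04T11:00:00", "2015-03-04T11:08:00"),
    ("t5n6b.example-legit.com", "198.51.100.9", "2015-03-04T11:30:00", "2015-03-04T11:45:00"),
    # Control domain with ordinary, long-lived records
    ("other-site.org", "192.0.2.40", "2015-03-01T00:00:00", "2015-03-05T00:00:00"),
    ("cdn.other-site.org", "192.0.2.41", "2015-03-01T00:00:00", "2015-03-05T00:00:00"),
]

MAX_LIFETIME = timedelta(hours=1)   # assumed threshold: pages "active for minutes"
MIN_SUSPECTS = 3                    # assumed threshold: suspects needed before alerting


def apex_of(fqdn):
    """Registered domain as a two-label approximation (assumption: no public-suffix list)."""
    return ".".join(fqdn.split(".")[-2:])


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_shadowed(records, max_lifetime=MAX_LIFETIME, min_suspects=MIN_SUSPECTS):
    """Return {apex: [suspect fqdns]} for registered domains showing shadowing signs.

    A subdomain is suspect when its own lifetime is shorter than max_lifetime
    and it resolves outside every /24 used by the apex's long-lived records
    (the stable infrastructure the legitimate owner actually operates).
    """
    by_apex = defaultdict(list)
    for fqdn, ip, first, last in records:
        by_apex[apex_of(fqdn)].append(
            (fqdn, ipaddress.ip_address(ip), _parse(first), _parse(last))
        )

    result = {}
    for apex, recs in by_apex.items():
        # Baseline infrastructure: /24 networks behind records that lived a long time
        baseline = {
            ipaddress.ip_network(f"{ip}/24", strict=False)
            for fqdn, ip, first, last in recs
            if last - first >= max_lifetime
        }
        suspects = [
            fqdn for fqdn, ip, first, last in recs
            if fqdn != apex
            and last - first < max_lifetime
            and not any(ip in net for net in baseline)
        ]
        if len(suspects) >= min_suspects:
            result[apex] = sorted(suspects)
    return result


if __name__ == "__main__":
    for apex, subs in find_shadowed(SAMPLE_RECORDS).items():
        print(f"{apex}: {len(subs)} short-lived subdomains outside known infrastructure")
        for sub in subs:
            print("   ", sub)
```

Because the heuristic keys on the registered domain rather than on any single hostname or IP, it survives the rotation the article describes: the gate and landing-page names change every few minutes, but they keep accumulating under the same compromised apex and pointing into the same attacker-controlled address space. A real deployment would replace the two-label apex guess with a public-suffix list and tune the thresholds against the organisation's own passive-DNS baseline.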
At least 10,000 subdomains, many of which are registered with GoDaddy, have been created for this particular attack vector thus far.
Angler has replaced the Blackhole EK in its sophistication and widespread usage, making it the “best” exploit kit on the market today.