Earlier this fall, researchers struck a significant blow against the Angler Exploit Kit. Security blogger Graham Cluley explains in a blog post how analysts with Cisco’s Talos Security Intelligence and Research Group analyzed the exploit kit and traced one of the primary locations for its proxy servers back to Limestone Networks located in Dallas, TX. After securing Limestone's cooperation, the researchers updated Cisco's products to block redirects to Angler's proxy servers. This move allegedly nullified approximately half of the exploit kit's activity. Despite the weakening of Angler's strength, however, Heimdal Security has observed that the exploit kit is still up to no good.
"Our team has recently monitored and analysed a new stack of drive-by campaigns which aim to spread the Angler exploit kit by injecting malicious code into compromised web pages," writes Heimdal. "Because of the mechanisms involved and the attackers’ objectives, the campaign is prone to achieve large distribution and affect a big number of PCs and their users."
Each of the drive-by campaigns proceeds according to two phases. In the first phase, the Pony malware is installed on a machine in an attempt to harvest login credentials connected to web servers and CMS systems used by websites. These usernames and passwords are sent via a command and control (C&C) server to the attackers, who hope to abuse the web credentials and subsequently inject malicious scripts into the compromised websites so that they can broaden the scope of their campaigns. The second phase redirects a visitor from a legitimate (now compromised) website to a series of domains, including entelrgy [.] net, websites4all [.] net, and ISV [.] isigmasystems [.] net. All of those locations drop the Angler exploit kit, which scans for vulnerabilities in third-party software and Microsoft Windows processes. Once a hole has been found, Angler exploits it to install CryptoWall 4.0. The newest version of CryptoWall has been observed prowling about the wild since the beginning of November. Most of its early activity related to malicious spam, but things changed later on in the month when Brad Duncan, a security researcher at Rackspace, observed that the Nuclear Exploit Kit was distributing the ransomware. CryptoWall 4.0 distinguishes itself from its predecessors with an upbeat warning message that it displays upon successful infection. "Congratulations," the message reads. "You have become a part of large community CryptoWall!" The ransomware variant also encrypts filenames in addition to data, which according to Chris Brook of Threatpost makes it more difficult for victims to recover their data without paying the ransom. Then again, this latter tactic could provide those affected by the malware with an advantage. Bob Covello, a technology veteran and information security analyst, explains:
"[W]ith the new filename encryption feature, the instant you see files changing names in your folders or on your desktop, you can pull the plug on the machine to stop the encryption process," writes Covello, noting that this is one of the times where you want to instantly cut the power to your machine. "The filename encryption can act as a canary warning, alerting you that something is wrong in advance of complete damage. You may not always be watching your file folders, but if your timing is right, you may be able to pre-empt the process."
Heimdal has tracked down the source of these drive-by campaigns to a fortified hosting environment located in the Ukraine. All ready, some 100 web pages in Denmark have been infected. However, the security firm has blocked at least an additional 200 domains all over the world that are currently serving up Angler and CryptoWall 4.0. To protect against these campaigns, users are urged to keep their systems updated, back up their information frequently, and stay away from suspicious websites. More information can be found on ransomware and how to avoid becoming a victim here.
