Angler exploit kit may be dead, but malware lives on

The popular exploit kit behind sophisticated web-based attacks and malvertising is gone, but the bad guys will surely regroup with better crimeware tools.

Chalk one up for the good guys. When Russian law enforcement busted a banking malware gang for stealing approximately $45 million from the country's financial services firms, it disrupted several other cybercrime operations in progress.

"For a period of three weeks, the internet was safer, if only for a short time," Nick Biasini wrote on the Cisco Talos research blog.

Malware gangs typically operate on multiple fronts, using different types of malware and incorporating different attack methods. This way, if one avenue of attack gets shut down, the attackers can pivot to other activities and keep going with their criminal moneymaking enterprise.

A successful police bust, on the other hand, can shake up the cybercrime landscape as it shuts down multiple operations. The disruption is only temporary, as other players jockey for position and fill the gap left behind, but it's still a welcome respite.

Russian police arrested 50 people in early June for allegedly using the Lurk banking Trojan to steal 1.7 billion rubles over a five-year period. While the authorities have kept a lot of the details quiet, Cisco Talos researchers found links between the group and the Angler exploit kit, so the police actions appear to have had the side benefit of disrupting the kit.

Until early June, Angler was among the most popular crimeware kits in use, showing up in various web-based drive-by-download attacks, including malvertising. The maintainers regularly updated Angler with new features, such as the capability to bypass Microsoft's Enhanced Mitigation Experience Toolkit, and offered the infrastructure to other cybercriminals under a rent-as-you-go model.

Several security firms noted that Angler effectively disappeared after the cybercrime bust by the Russians. Neutrino is now in the top slot for popular exploit kits.

The common thread between Lurk and Angler is a single email address, according to Cisco Talos. This gang is believed to have used Lurk to mimic the Android app from Sberbank, Russia's largest bank, to steal user credentials, which the group used to loot bank accounts. Researchers identified 125 domains linked to Lurk's command-and-control infrastructure, and they discovered 85 percent were registered using the same email address. The address was also one of the three emails associated with the command-and-control infrastructure used by the Bedep malware and the Angler exploit kit. Researchers also found the email address associated with domains redirecting users to Angler instances. Some Angler and Bedep servers also had the same "default" page, hinting the domains may have been controlled by a common group.
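The registrant pivot described above can be reproduced over any set of WHOIS records. The following is an added example, not code from Cisco Talos or the original article: it groups domains by registrant email and reports addresses that span several infrastructure clusters, with the share of each cluster they cover. The cluster labels, the `.example` domains and addresses, and the privacy-service marker list are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: substrings that mark privacy/proxy registrant addresses. Such
# addresses are shared by unrelated registrants and must not count as a link.
PRIVACY_MARKERS = ("privacy", "redacted", "whoisguard", "proxy")

def normalize(email):
    """Lower-case and trim a registrant email; return None if unusable."""
    if not email:
        return None
    email = email.strip().lower()
    if "@" not in email or any(m in email for m in PRIVACY_MARKERS):
        return None
    return email

def registrant_pivots(records, min_clusters=2):
    """records: iterable of (cluster, domain, registrant_email).
    Returns {email: {cluster: share of that cluster's domains}} for every
    email that appears in at least min_clusters clusters."""
    cluster_domains = defaultdict(set)
    by_email = defaultdict(lambda: defaultdict(set))
    for cluster, domain, email in records:
        domain = domain.strip().lower().rstrip(".")
        cluster_domains[cluster].add(domain)
        key = normalize(email)
        if key:
            by_email[key][cluster].add(domain)
    pivots = {}
    for email, clusters in by_email.items():
        if len(clusters) >= min_clusters:
            pivots[email] = {c: round(len(d) / len(cluster_domains[c]), 2)
                             for c, d in clusters.items()}
    return pivots

# Constructed sample records (reserved .example names, not real indicators).
SAMPLE = [
    ("lurk-c2", "a1.example", "Reg1@mail.example"),
    ("lurk-c2", "a2.example", "reg1@mail.example "),
    ("lurk-c2", "a3.example", "reg1@mail.example"),
    ("lurk-c2", "a4.example", "other@mail.example"),
    ("bedep-c2", "b1.example", "reg1@mail.example"),
    ("bedep-c2", "b2.example", "contact@privacy-service.example"),
    ("angler-redirect", "c1.example", "reg1@mail.example"),
    ("angler-redirect", "c2.example", "contact@privacy-service.example"),
]

if __name__ == "__main__":
    for email, shares in registrant_pivots(SAMPLE).items():
        print(email, shares)
```

A shared registrant is a lead rather than proof of common control, which is why the output keeps the per-cluster share visible instead of a yes/no verdict.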

"There is no way to say for certain that all of these threats are connected, but there is one single registrant account that owned domains attached to all of them," Biasini wrote.

Angler, which became the top kit after the demise of the Blackhole toolkit back in 2013, frequently used Bedep as its first payload after a successful infection. A dropper file, Bedep downloaded other types of malware on the compromised machine. The sudden drop-off in Angler's activity was bigger than expected and significant, Cisco Talos said.

While this isn't Angler's first hiccup, it appears to be the most significant. The exploit kit fell off the radar for a couple of weeks at the beginning of 2016 for unspecified reasons. The difference between previous blips and the current disruption is that users have been migrating away from Angler to other exploit kits, such as Neutrino and Rig. It also appears that prices for Rig and Neutrino have gone up recently, suggesting a major player has shut down.

"Angler was, by a large margin, the most prolific, successful, and sophisticated compromise platform related to crimeware," Biasini said, noting that Angler customers were making approximately $60 million annually from ransomware infections alone.

Angler may not be the only casualty. The Necurs botnet, which distributed the Locky ransomware and Dridex banking malware and was "widely considered the largest botnet in the world," also had a handful of domains in its command-and-control infrastructure using the same email address. The Necurs botnet went offline for about three weeks, about the same time Lurk shut down and Angler's activity dropped. Locky's distribution decreased to the extent that it looked as if the ransomware had been shut down, suggesting that it relied heavily on the botnet.

"If this one group was running all of these activities, this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars," Biasini wrote.

The disruption for Necurs was only temporary, as it has resumed operations, suggesting the criminals are making too much money to let police action keep them from their activities. When the author of the Blackhole exploit kit was arrested, Angler became the top kit due to its highly sophisticated arsenal of exploits. With Angler out, lesser-known kits will try to fill the void, or a brand-new exploit kit with even more advanced capabilities will appear.

Anyone in the original gang who managed to evade arrest could be regrouping, or some other actor may have enough access to seize control and resume operations. Whoever's in control will have learned from the mistakes of their predecessors, making it harder to catch the next round of attackers.