Demise of Angler, the world's worst exploit kit, still shrouded in mystery
Not everyone is convinced the Lurk takedown also accounted for Angler
The Angler exploit kit has all but vanished, and whoever knows why isn't talking.
Angler was the most powerful and sought-after exploit kit on the market, boasting rapid integration of new vulnerabilities that allowed it to mount zero-day attacks on Flash, Java, and Silverlight. It also employed a battery of complex obfuscation tricks, including fileless infection and bypasses of Microsoft's lauded EMET security tool.
At its peak, the authors were responsible for a whopping 40 percent of all exploit kit infections, having compromised nearly 100,000 websites and tens of millions of users, generating some US$34 million annually.
Two years earlier the malware was responsible for a mere 17 per cent of infections.
But since June Angler has hardly been sighted.
The intelligence community has its theories: perhaps its authors were arrested in a covert operation staged by Europol. Or, goes another, maybe Russian agents bagged and blackmailed them, perhaps even dropping one or two into the Black Sea.
The prevailing theory is that the Angler authors were picked up by Russian authorities in June, the same time when Angler activity ceased, as part of sweeping arrests of some 50 hackers in the largest raids of its kind. Some of those hackers are felt to have been associated with the Lurk Trojan.
Cisco Talos researcher Nick Biasini found, as part of checks against some 125 command and control domains, that there are links between whoever registered Angler and Lurk. As we reported in July, it's felt authorities may therefore have killed two birds with one p0wn.
But no confirmation of Angler's fate is forthcoming.
Europol, when asked by The Register, denied an operation to arrest Angler operators under its EC3 cyber unit in somewhat curious language before ceasing communication.
Russia's Ministry of Interior and FSB have maintained radio silence to this reporter's requests for comment.
A dozen respected private sector intelligence operators from across the world contacted by The Register since Angler dropped dead are also unable to explain what's going on.
The sweeping June arrests collared members of the Lurk trojan group after they broke from prevailing Russian cybercrime convention and compromised local banks.
A YouTube video shows Russian police footage of the Lurk group raids.
It has been widely thought, and is now proven, that doing so would spark the ire of Russian law enforcement, which has led many malware authors to exclude .ru domains and computers set to use the Russian language.
Malwarebytes lead intelligence analyst Jérôme Segura first reported the demise of Angler in June, telling your correspondent at the time that Angler was at its peak in terms of distribution and sophistication.
Links between Lurk and Angler. Image: Cisco Talos.
"Very little is known about what exactly happened with Angler although there is an interesting timing with law enforcement actions such as the Lurk trojan," Segura told The Register.
"Angler had a huge lead in terms of quality and freshness of exploits which the others lack."
Kaspersky's head of investigation Ruslan Stoyanov, who served for six years as a cyber crime investigator for Moscow, reckons Angler went down with Lurk.
"While investigating the activity of the Lurk group, we found a number of technical clues that indicate that members of the group developed and supported the Angler exploit kit," he says in an email. "We discovered that the IT infrastructure behind Angler was tightly connected to the one behind the Lurk botnet which was used for financial attacks."
Stoyanov suggests Angler was a side business for Lurk, in which the owners would rent it out to other crime groups resulting in it infecting users with a scattering of malware variants.
Dmitry Fedotov at the time of his arrest.
Cyphort malware investigator Nick Bilogorskiy also sees the timing of the Lurk arrests as a likely explanation for the exploit kit demise. "It was rising steadily throughout 2015 and 2016 and then abruptly stopped in June," Bilogorskiy said in a streamed security conference on exploit kits last month. "A theory is that all these arrests either touched the Angler group or scared them into pausing [their operations] … but it is all speculation and no one knows for sure why Angler is out."
There is still no word from Moscow on the fate of Angler, yet the silence still speaks: federal law enforcement agencies, including those in Moscow, are usually eager to parade cyber criminals in front of the press, and yet the possible arrest of the world's most damaging hackers has gone unreported.
Angler rose to prominence in the vacuum created by the 2013 arrest of Dmitry Fedotov, the author of the infamous Black Hole exploit kit.
Neutrino has likewise filled the void to dominate the 70-strong exploit kit market, quickly doubling its monthly asking price from US$3500 to US$7000.
Bilogorskiy has found web domains previously serving Angler have stayed online and switched to pump Neutrino. The exploit kit and rivals have rushed to adopt new vulnerabilities and are involved in significant malvertising and ransomware campaigns.
Yet Segura says the exploit kit landscape remains in "a strange state" with curious activity patterns as black hats jostle in the shadow of Angler.
"Since the loss of Angler, the other exploit kits have not really filled the gap with sophisticated exploits and payload delivery mechanisms," Segura says. "Even the malware campaigns have slowed down, which is rather puzzling. It could very well simply be a lull and I wouldn't be surprised if another exploit kit came around to take the lead." ®