Demise of Angler, the world's worst exploit kit, still shrouded in mystery

Not everyone is convinced the Lurk takedown also accounted for Angler


The Angler exploit kit has all-but vanished and whoever knows why isn't talking.

Angler was the most powerful and sought-after exploit kit on the market boasting rapid integration of new vulnerabilities that made it able to employ zero day attacks on Flash, Java, and Silverlight. It also employed a battery of complex obfuscation tricks including file-less infection and bypassing of Microsoft's lauded EMET security tool.

At its then peak, the authors were responsible for a whopping 40 percent of all exploit kit infections having compromised nearly 100,000 websites and tens of millions of users, generating some US$34 million annually.

Two years earlier the malware was responsible for a mere 17 per cent of infections.

But since June Angler has hardly been sighted.

The intelligence community has its theories: perhaps its authors were arrested right in a covert operation staged by Europol. Or maybe Russian agents bagged and blackmailed them, maybe even dropping one or two into the Black Sea, goes another.

The fall of a giant. Image: Cyphort.

The fall of a giant. Image: Cyphort.

The prevailing theory is that the Angler authors were picked up by Russian authorities in June, the same time when Angler activity ceased, as part of sweeping arrests of some 50 hackers in the largest raids of its kind. Some of those hackers are felt to have been associated with the Lurk Trojan.

Cisco Talos researcher Nick Biasini found, as part of checks against some 125 command and control domains, that there are links between whoever registered Angler and Lurk. As we reported in July, it's felt authorities may therefore have killed two birds with one p0wn.

But no confirmation of Angler's fate is forthcoming.

Europol, when asked by The Register, denied an operation to arrest Angler operators under its EC3 cyber unit in somewhat curious language before ceasing communication.

Angler exploit kit activity. Image: F-Secure

Angler exploit kit activity. Image: F-Secure

Russia's Ministry of Interior and FSB have maintained radio silence to this reporter's requests for comment.

A dozen respected private sector intelligence operators from across the world contacted by The Register since Angler dropped dead are also unable to explain what's going on.

The sweeping June arrests collared members of the Lurk trojan group after they broke from prevailing Russian cybercrime convention and compromised local banks.

https://www.youtube.com/watch?v=087ErZBXEJI

A YouTube video shows Russia police footage of the Lurk group raids.

It has been widely thought, and now since proven, that doing so would spark the ire of Russian law enforcement, leading many malware authors to exclude .ru domains and computers set to use the Russian language.

Malwarebytes lead intelligence analyst Jérôme Segura first reported the demise of Angler in June, telling your correspondent at the time that Angler was at its peak in terms of distribution and sophistication.

Links between Lurk and Angler. Image: Cisco Talos.

Links between Lurk and Angler. Image: Cisco Talos.

Links between Lurk and Angler. Image: Cisco Talos.

"Very little is known about what exactly happened with Angler although there is an interesting timing with law enforcement actions such as the Lurk trojan," Segura told The Register.

"Angler had a huge lead in terms of quality and freshness of exploits which the others lack."

Kaspersky's head of investigation Ruslan Stoyanov, who served for six years as a cyber crime investigator for Moscow, reckons Angler went down with Lurk.

"While investigating the activity of the Lurk group, we found a number of technical clues that indicate that members of the group developed and supported the Angler exploit kit," he says in an email. "We discovered that the IT infrastructure behind Angler was tightly connected to the one behind the Lurk botnet which was used for financial attacks."

Stoyanov suggests Angler was a side business for Lurk, in which the owners would rent it out to other crime groups resulting in it infecting users with a scattering of malware variants.

Dmitry Fedotov

Dmitry Fedotov at the time of his arrest.

Cyphort malware investigator Nick Bilogorskiy also sees the timing of the Lurk arrests as a likely explanation for the exploit kit demise. "It was rising steadily throughout 2015 and 2016 and then abruptly stopped in June," Bilogorskiy said in a streamed security conference on exploit kits last month. "A theory is that all these arrests either touched the Angler group or scared them into pausing [their operations] … but it is all speculation and no one knows for sure why Angler is out."

There is still no word from Moscow on the fate of Angler, yet the silence still speaks; federal law enforcement agencies, including those from Moscow, are usually eager to parade cyber criminals in front of press and yet the possible arrest of the world's most damaging hackers has gone unreported.

Calmer waters

Angler rose to prominence in the vacuum created by the 2013 arrest of Dmitry Fedotov, the author of the infamous Black Hole exploit kit.

Neutrino has likewise filled the void to dominate the 70-strong exploit kit market, quickly doubling its monthly asking price from US$3500 to US$7000.

Bilogorskiy has found web domains previously serving Angler have stayed online and switched to pump Neutrino. The exploit kit and rivals have rushed to adopt new vulnerabilities and are involved in significant malvertising and ransomware campaigns.

Yet Segura says the exploit kit landscape remains in "a strange state" with curious activity patterns as black hats jostle in the shadow of Angler.

"Since the loss of Angler, the other exploit kits have not really filled the gap with sophisticated exploits and payload delivery mechanisms," Segura says. "Even the malware campaigns have slowed down, which is rather puzzling. It could very well simply be a lull and I wouldn't be surprised if another exploit kit came around to take the lead." ®

Similar topics


Other stories you might like

  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading
  • Rocket Lab is taking NASA's CAPSTONE to the Moon
    Mission to lunar orbit is further than any Photon satellite bus has gone before

    Rocket Lab has taken delivery of NASA's CAPSTONE spacecraft at its New Zealand launch pad ahead of a mission to the Moon.

    It's been quite a journey for CAPSTONE [Cislunar Autonomous Positioning System Technology Operations and Navigation Experiment], which was originally supposed to launch from Rocket Lab's US launchpad at Wallops Island in Virginia.

    The pad, Launch Complex 2, has been completed for a while now. However, delays in certifying Rocket Lab's Autonomous Flight Termination System (AFTS) pushed the move to Launch Complex 1 in Mahia, New Zealand.

    Continue reading

Biting the hand that feeds IT © 1998–2022