Demise of Angler, the world's worst exploit kit, still shrouded in mystery

Not everyone is convinced the Lurk takedown also accounted for Angler

The Angler exploit kit has all-but vanished and whoever knows why isn't talking.

Angler was the most powerful and sought-after exploit kit on the market boasting rapid integration of new vulnerabilities that made it able to employ zero day attacks on Flash, Java, and Silverlight. It also employed a battery of complex obfuscation tricks including file-less infection and bypassing of Microsoft's lauded EMET security tool.

At its then peak, the authors were responsible for a whopping 40 percent of all exploit kit infections having compromised nearly 100,000 websites and tens of millions of users, generating some US$34 million annually.

Two years earlier the malware was responsible for a mere 17 per cent of infections.

But since June Angler has hardly been sighted.

The intelligence community has its theories: perhaps its authors were arrested in a covert operation staged by Europol. Or, as another theory goes, Russian agents bagged and blackmailed them, perhaps even dropping one or two into the Black Sea.

The fall of a giant. Image: Cyphort.

The prevailing theory is that the Angler authors were picked up by Russian authorities in June, the same time when Angler activity ceased, as part of sweeping arrests of some 50 hackers in the largest raids of its kind. Some of those hackers are felt to have been associated with the Lurk Trojan.

Cisco Talos researcher Nick Biasini found, as part of checks against some 125 command and control domains, that there are links between whoever registered Angler and Lurk. As we reported in July, it's felt authorities may therefore have killed two birds with one p0wn.

But no confirmation of Angler's fate is forthcoming.

Europol, when asked by The Register, denied an operation to arrest Angler operators under its EC3 cyber unit in somewhat curious language before ceasing communication.

Angler exploit kit activity. Image: F-Secure

Russia's Ministry of Interior and FSB have maintained radio silence to this reporter's requests for comment.

A dozen respected private sector intelligence operators from across the world contacted by The Register since Angler dropped dead are also unable to explain what's going on.

The sweeping June arrests collared members of the Lurk trojan group after they broke from prevailing Russian cybercrime convention and compromised local banks.

A YouTube video shows Russian police footage of the Lurk group raids.

It has been widely thought, and has now been proven, that doing so would spark the ire of Russian law enforcement, which is why many malware authors exclude .ru domains and computers set to use the Russian language.

Malwarebytes lead intelligence analyst Jérôme Segura first reported the demise of Angler in June, telling your correspondent at the time that Angler was at its peak in terms of distribution and sophistication.

Links between Lurk and Angler. Image: Cisco Talos.

"Very little is known about what exactly happened with Angler although there is an interesting timing with law enforcement actions such as the Lurk trojan," Segura told The Register.

"Angler had a huge lead in terms of quality and freshness of exploits which the others lack."

Kaspersky's head of investigation Ruslan Stoyanov, who served for six years as a cyber crime investigator for Moscow, reckons Angler went down with Lurk.

"While investigating the activity of the Lurk group, we found a number of technical clues that indicate that members of the group developed and supported the Angler exploit kit," he says in an email. "We discovered that the IT infrastructure behind Angler was tightly connected to the one behind the Lurk botnet which was used for financial attacks."

Stoyanov suggests Angler was a side business for Lurk, in which the owners would rent it out to other crime groups resulting in it infecting users with a scattering of malware variants.

Dmitry Fedotov at the time of his arrest.

Cyphort malware investigator Nick Bilogorskiy also sees the timing of the Lurk arrests as a likely explanation for the exploit kit demise. "It was rising steadily throughout 2015 and 2016 and then abruptly stopped in June," Bilogorskiy said in a streamed security conference on exploit kits last month. "A theory is that all these arrests either touched the Angler group or scared them into pausing [their operations] … but it is all speculation and no one knows for sure why Angler is out."

There is still no word from Moscow on the fate of Angler, yet the silence itself speaks: federal law enforcement agencies, including those in Moscow, are usually eager to parade cyber criminals in front of the press, and yet the possible arrest of the world's most damaging hackers has gone unreported.

Calmer waters

Angler rose to prominence in the vacuum created by the 2013 arrest of Dmitry Fedotov, the author of the infamous Black Hole exploit kit.

Neutrino has likewise filled the void to dominate the 70-strong exploit kit market, quickly doubling its monthly asking price from US$3500 to US$7000.

Bilogorskiy has found web domains previously serving Angler have stayed online and switched to pump Neutrino. The exploit kit and rivals have rushed to adopt new vulnerabilities and are involved in significant malvertising and ransomware campaigns.

Yet Segura says the exploit kit landscape remains in "a strange state" with curious activity patterns as black hats jostle in the shadow of Angler.

"Since the loss of Angler, the other exploit kits have not really filled the gap with sophisticated exploits and payload delivery mechanisms," Segura says. "Even the malware campaigns have slowed down, which is rather puzzling. It could very well simply be a lull and I wouldn't be surprised if another exploit kit came around to take the lead." ®
