Did Russia Put Angler Out of Business?


Commercial Version of Exploit Kit No Longer for Sale

One of the most potent tools for hacking computers, the Angler exploit kit, effectively disappeared one week ago, and many experts believe that development is connected to a large roundup of suspected cybercriminals in Russia. But Angler isn't necessarily going away; it may just be retrenching.


Known in underground circles as "XXX," Angler is an exploit kit, which is a server-based framework that quickly scans a computer for browser-related software vulnerabilities and silently delivers malware through web-based attacks.

Exploit kits have dramatically changed the computer security landscape. Engineered by highly skilled cybercriminals, the kits are offered for rent to other hackers who want to spread their malware.

Angler was one of the most-seen exploit kits last year. It cost as much as $5,000 per month to rent and in part was responsible for the prevalence of file-encrypting malware known as ransomware.

Around June 6, however, attacks linked to Angler almost completely vanished. Five days prior, Russia's security agency, the FSB, said it arrested 50 people for allegedly stealing 1.7 billion rubles ($25.5 million) from several Russian financial services firms over a five-year period using the "Lurk" malware (see Russian Police Bust Alleged Bank Malware Gang).

Angler's developers have long been suspected to be operating from Russia or Eastern Europe.

The exploit kit's disappearance "is not coincidental, that's what we think," says Andrei Barysevich, director of Eastern European research and analysis for Flashpoint, a company that specializes in cybercrime intelligence. "At first we have 50 guys arrested in Russia, then within a week, Angler literally disappears."

Just Lying Low?

It appears that Angler's developers have simply decided to lie low following the arrests. Andrew Komarov, chief intelligence officer at InfoArmor, says an Angler administrator wrote on an underground forum after the arrests that sales of Angler have been stopped, for now.

The group that was arrested in Russia was apparently one of the biggest customers of Angler, Komarov says. Angler's operators fear law enforcement may lean on those who were arrested to get close to them.

"They simply made the decision to stop sales to prevent infiltration from customers they don't know," Komarov says.

There are two versions of Angler: a private one used for the Angler gang's own operations and a commercial one. Komarov says it is the latter that is temporarily being withdrawn from the market while the group makes technical adjustments to its infrastructure to avoid being discovered.

"They're panicking," Komarov says.

At the Top of Its Game

Angler's disappearance ironically comes as it had achieved a number-one market position ahead of competitors, including the Neutrino and Nuclear exploit kits.

Part of the reason for Angler's dominance is that its developers quickly incorporated exploits for zero-day vulnerabilities - often in Adobe's oft-targeted Flash browser plug-in - into its framework. Zero-day vulnerabilities are those that have not yet been patched by the software vendor, meaning most computers are defenseless against an attack that uses them, and Flash's wide install base makes it a natural target.

"We really saw Angler pull out from the back middle of the pack out to the front by the end of the year," says Christopher Budd, global threat communications manager for Trend Micro.

Budd says Angler's complexity and fast development illustrate how security companies are fighting very agile adversaries. "Arguably, there's more professionalization in malware than in startup app development," he says.

Angler was closely held by its creators, Komarov of InfoArmor says. Those who rent it communicate only over encrypted instant messaging, and customers are carefully vetted before a rental deal is agreed.

Even then, other cybercriminals who rent it do not actually have access to the exploit kit software. Instead, Angler's operators arrange technical access to their own servers that host the kit by providing a configuration file.

A hacker who rents Angler provides a domain name for a compromised website to Angler's operators. If a victim goes to the compromised website, the traffic is then tunneled through various proxies to a server hosting Angler, in order for the exploits to be delivered.

It's a complicated procedure, and one that isn't easy for security experts to untangle. Furthermore, the malware payload - whatever is delivered once the exploit succeeds, such as ransomware - is often encrypted and won't necessarily be detected at first by security software.

"If you think about it, [Angler] is so turnkey, and it has the ability to really protect itself and protect its backend services," says Wayne Crowder, director of threat intelligence at RiskAnalytics. "It's hard to track, hard to trace. It shows its value. I hate to say that when cybercriminals are doing it."

Angler's use in spreading ransomware has helped make that type of malware one of the biggest threats on the internet. Over the past couple of years, Angler has been used to deliver ransomware variants including CryptoWall, TeslaCrypt, AlphaCrypt and, most recently, CryptXXX.

"Anti-virus in general has reasonably poor coverage against Angler," says Craig Williams, security outreach manager at Cisco.

Neutrino Fills the Void

In the absence of the commercial version of Angler, developers of another exploit kit have moved quickly to pick up the slack.

Experts have seen an increase in attacks using Neutrino, also one of the top exploit kits. The security company Malwarebytes has seen several recent large malvertising attacks using Neutrino, writes Jerome Segura, a senior security researcher.

Malvertising is the practice of placing malicious ads with online advertising companies. It's one of the most powerful methods for infecting mass numbers of computers quickly, especially if a high-traffic website displays such an ad. Victims can be infected with malware merely by viewing a malicious ad that is connected to an exploit kit server.

The cost of renting Neutrino has increased following Angler's pullback, says Flashpoint's Barysevich. Neutrino was renting for around $1,500 a month, but that price has spiked in the last few days to $4,000 a month.

"Neutrino is there to take [Angler's] place," he says.