External Threat Management

Angler Exploit Kit Detected on High Profile Websites

On May 28th, RiskIQ detected a malvertising (malicious advertising) campaign on several high profile websites (ranked within the top 2,000 websites globally), including the popular humor site eBaum's World. This particular campaign utilized a drive-by download to exploit several different versions of software, including Flash, Silverlight, and Java. In this particular case, the malicious ads were served by AppNexus, but this campaign has been seen in several other ad networks as well.

In this example, a user browsing a cat playing Jenga on eBaum's World would have been delivered an advertisement that contained a drive by exploit through the advertisement. This example is illustrated below. The exploit kit that was utilized in the drive-by malware was Angler Exploit Kit, which has been gaining traction since Blackhole Exploit kit has started to lose criminal users. The migration of this user base is related to the arrest of "Paunch" last October. Predictions of hackers moving to different exploit kits have proven to be true, and Angler seems to be filling the void left by Blackhole.

Angler malware on eBaum

As recently as November of last year, Angler authors integrated Silverlight exploits, which is particularly troubling since Netflix requires the Silverlight plugin to stream video on PC browsers. This provides a large user base to target and while it is not as widely deployed as the Adobe Flash plugin, it is estimated that the majority of internet users have this plugin installed.

Angler gets its name from early advertisements in underground forums posted by the presumed author of the exploit kit. The initial ads for buying traffic displayed an anglerfish graphic, leading to the name. Over the last six months, this exploit kit has been under active development, evolving the URL pattern obfuscation and expanding of the number of exploits that are included in the kit.

Due to the way that RiskIQ browses the Internet as a user would, we easily detected and identified the exploit kits that were served from both advertisements and compromised websites. Over the last week with Angler we have seen roughly ten percent of the sites use advertisements to distribute. Of that ten percent, seventy percent were from AppNexus. This statistic translates to hundreds of instances of Angler in our system, and we continue to see a steady rise in its use.

- James Pleger, Director of Research

Back to RiskIQ Blog

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor