Angler Exploit Kit has infected more than 90,000 websites
Recent analysis reports from Palo Alto Networks show that the ongoing Angler Exploit Kit campaign has compromised more than 90,000 websites, most of which rank among the top 100,000 in Alexa's global website ranking.
Background
Angler Exploit Kit (EK) is an exploit toolkit with heavy obfuscation, reconnaissance features (it contains code that tries to detect antivirus software and virtual machines) and anti-detection features (it encrypts the payload transmitted over the network to bypass IDS/IPS detection, and uses "fileless infection" and other techniques to evade antivirus detection). Its exploit code for the latest vulnerabilities is updated quickly, and it has even carried 0-day exploit code.
Main findings
1. More than 90,000 websites have been detected as affected by the Angler kit, including a large number of popular websites. We estimated the monthly traffic of 30 of these websites using TrafficEstimate.com and found that it totals at least 11 million visits per month.
2. During the analysis, a highly organized intrusion operation was found. Attackers regularly update the malicious content on the compromised websites, which means they maintain sophisticated and persistent command and control over the compromised sites.
3. Fine-grained control over the delivery of malicious content was observed (at the instance level, i.e. specific to the individual target). The injected script can stay hidden for several days to avoid detection by security software, the compromised website only attacks visitors within a specific IP address range, and only specific configurations are targeted. As a result, the detection rate of scanning tools such as VirusTotal (VT) is greatly reduced. Weeks after we first discovered these results, most of the websites we found were still not flagged as malicious by VT.
4. There is a potential connection between website vulnerability scanning and the subsequent use of the scanned website as an EK entry point. This suggests that a large criminal supply chain operates behind such EKs.
Infection process and impact
The infiltrated websites correspond to 29,531 distinct IP addresses. Among them, 1,457 IP addresses each host more than 10 compromised domains; for example, a server at IP address 184.168.47.225 hosts 422 infected websites. Most of the compromised websites are in the United States, with a smaller share in Europe and Asia. Most of the US-based sites use hosting services provided by GoDaddy, though some use other providers.
Figure 1: ISP distribution of compromised hosts
Figure 2: Geographic distribution of compromised IP addresses
Most websites were not detected by VT while compromised. Security experts used VT to check 5,235 websites that had already been identified as infected; only 226 were flagged. The VT detection rate is thus less than 5%.
Figure 3: Intrusion topology of Angler EK
When a victim visits one of the compromised WordPress/Apache hosts, the victim is redirected, either directly or indirectly (through an intermediate layer known as the "EK gate"), to a malicious server hosting the EK. The payloads vary: ransomware (CryptoWall), or other malware and bots that connect to a C2 server.
Figure 4: Redirection chain (red marks the same domain, blue marks cross-domain)
Figure 5: Fiddler packets captured during redirection
Figure 6 shows how Fiddler was used to capture the infection data. In this run, the infected virtual machine sends a message resembling a C2 request and receives a long, encrypted response.
Figure 6: Capturing infection data
Conclusion
Modern exploit kits are becoming increasingly difficult to detect because evading security researchers is a design goal from the outset. Angler EK also has the following features:
1. It uses a family of malicious JavaScript code and iframe injection techniques for targeted delivery.
2. It constantly upgrades and evolves its injection scripts to avoid detection by security personnel.
3. Attackers can use the tool to track and control victims continuously.
4. It continuously infects websites, and the number of compromised websites grows steadily every day.
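The redirect chain and the iframe injection described above both start with an off-site tag planted in a compromised page. As an added example (not code from the Palo Alto report), the following defender-side check parses a page's HTML and reports iframe/script tags whose src points outside the site; the sample page and the hostnames in it are constructed placeholders, not real indicators.

```python
# Added example, not from the Palo Alto report: scan a page's HTML for injected
# off-site <iframe>/<script> tags, the mechanism compromised WordPress hosts use
# to redirect visitors toward an EK gate. Hostnames are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectedTagFinder(HTMLParser):
    """Collect iframe/script tags whose src points to a host outside the site."""
    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script or src-less iframe: out of scope here
        host = (urlparse(src).hostname or "").lower()
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return  # same-site resource
        if host in self.allowed_hosts:
            return  # known third party (CDN, analytics) explicitly allowed
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = tag == "iframe" and ("display:none" in style or "visibility:hidden" in style
                                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
        self.findings.append({"tag": tag, "host": host, "hidden": hidden})

def find_injected_tags(html, site_host, allowed_hosts=()):
    """Return off-site iframe/script references found in html."""
    parser = InjectedTagFinder(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: an allowed CDN script, a same-site script, and a
# hidden 1x1 off-site iframe of the kind injected into compromised sites.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="/wp-content/themes/site/main.js"></script>
<iframe src="http://ek-gate.example/in.php" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_injected_tags(SAMPLE_HTML, "victim-blog.example", ["cdn.example.net"]):
        print(f"{f['tag']} src host {f['host']} hidden={f['hidden']}")
```

Run periodically against the site's own pages and compare against the allow list of known third-party hosts; a new hidden off-site iframe is the kind of change the report describes attackers updating regularly.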
Some limitations of such tools were also found:
1. The redirection script keeps changing, but the redirection link remains the same. The EK's fixed infection pattern targets WordPress-driven websites and delivers Flash files.
2. Attackers can easily exploit known WordPress vulnerabilities and DNS configuration flaws. However, it is relatively difficult to change the server hosting the EK, and attackers cannot place the real EK files on the infected machines.
Attackers are exploiting these modern vulnerabilities to launch attacks; security researchers should keep an eye on such incidents and deploy countermeasures as soon as possible to protect website users.