Angler exploit kit and domain shadowing: A deadly combination
Attackers wielding the infamous Angler exploit kit are increasingly using hijacked registrant accounts to create huge amounts of subdomains for both redirecting victims and the destination pages hosting the exploit kit.
The subdomains are created, used and abandoned in a matter of hours and even minutes, making it difficult for security researchers to detect and analyze new exploits, which are added to Angler quickly and effectively.
Cisco Talos researchers dubbed this tactic “Domain Shadowing.”
“This is an increasingly effective attack vector since most individuals don’t monitor their domain registrant accounts regularly,” Cisco Talos Group researchers noted. They explained: “These accounts are typically compromised through phishing. The threat actor then logs in with credentials and creates large amounts of subdomains. Since a lot of users have multiple domains this can provide a nearly endless supply of domains.”
The researchers discovered several hundred compromised registrant accounts, which together control thousands of unique domains. The criminals have registered no new domains of their own.
According to the research, most of the compromised domains are held by Go Daddy. It is also notable that the attackers have yet to create subdomains on two thirds of the domains controlled via the compromised accounts, which suggests they are saving them for later attacks.
The domain shadowing technique dates back to 2011, but this latest campaign, first detected in December 2014 and focused around the Angler Exploit Kit, is when the criminals started using it on this large a scale.
“The amount of subdomains being utilized for landing pages and exploits are greater than those used for redirection, by a factor of five,” the researchers shared. “This could be related to the chain of events leading to compromise. The user browses to a web page that is hosting a malicious ad. The malicious ad redirects the user to the first tier of subdomains (commonly referred to as a “gate”). This page then redirects to the actual landing page serving exploits. This final page is being rotated at a rapid pace. Some of the subdomains are only active for a matter of minutes and only are reached a couple of times.”
Domain shadowing is extremely effective, and it’s difficult to stop. “This behavior has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses. Additionally, these subdomains are being rotated quickly, minimizing the time the exploits are active, further hindering both block list effectiveness and analysis.”
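As an added illustration, not part of the article or the Talos research, the traits described above (many throwaway hostnames under one legitimate registered domain, each live for minutes and resolved only a couple of times) can be surfaced from DNS resolver logs. The log format, hostnames, timestamps and thresholds below are constructed assumptions, and the registered-domain split is deliberately naive.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of resolver log lines (not real data):
# "<ISO timestamp> <client ip> <fqdn>"
SAMPLE_LOG = """\
2015-03-04T10:00:05 10.0.0.7 a1f9c.example.com
2015-03-04T10:00:09 10.0.0.7 b7d2e.example.com
2015-03-04T10:02:11 10.0.0.12 a1f9c.example.com
2015-03-04T10:03:40 10.0.0.12 c04b1.example.com
2015-03-04T10:05:02 10.0.0.21 d9e77.example.com
2015-03-04T10:06:30 10.0.0.21 e21aa.example.com
2015-03-04T09:00:00 10.0.0.7 www.corp-site.net
2015-03-04T12:30:00 10.0.0.12 mail.corp-site.net
2015-03-04T18:45:00 10.0.0.21 www.corp-site.net
"""

def registered_domain(fqdn):
    """Naive split on the last two labels; a real deployment should use
    the Public Suffix List so names like example.co.uk are handled."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_log(text):
    """Yield (timestamp, fqdn) pairs from the constructed log format."""
    for line in text.splitlines():
        ts, _client, fqdn = line.split()
        yield datetime.fromisoformat(ts), fqdn

def shadowing_candidates(records, min_subdomains=4, max_lifetime_s=900, max_hits=3):
    """Return registered domains that sprout many short-lived, rarely
    resolved subdomains, the pattern the Talos write-up describes."""
    first, last, hits = {}, {}, defaultdict(int)
    for ts, fqdn in records:
        first[fqdn] = min(first.get(fqdn, ts), ts)
        last[fqdn] = max(last.get(fqdn, ts), ts)
        hits[fqdn] += 1
    by_domain = defaultdict(list)
    for fqdn in hits:
        by_domain[registered_domain(fqdn)].append(fqdn)
    flagged = {}
    for domain, names in by_domain.items():
        # Keep hostnames alive for minutes at most and seen only a few times.
        short_lived = [n for n in names
                       if (last[n] - first[n]).total_seconds() <= max_lifetime_s
                       and hits[n] <= max_hits]
        if len(short_lived) >= min_subdomains:
            flagged[domain] = sorted(short_lived)
    return flagged
```

Long-standing hosts such as www.corp-site.net are excluded by the lifetime filter, so an established domain is only flagged when a burst of new throwaway subdomains appears beneath it.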
In this latest campaign, the Angler kit attempts to exploit several Microsoft Silverlight and Adobe Flash vulnerabilities, one of which was a 0-day.
“At this point it’s more a question of ‘when’ Angler will affect you instead of ‘if’. If you are relying exclusively on blacklisting technologies, this threat is designed to beat it,” the researchers noted. “Utilizing multiple products with different inspection engines can help ensure the most comprehensive coverage before, during, and after the attack.”