Angler Exploit Kit is not going anywhere, it’s here to stay and already compromised 90,000 websites.
The Angler Exploit Kit (AEK) is increasing its influence over the internet and according to an analysis from Palo Alto Networks more than 90,000 websites have been compromised by AEK, out of which 30 are listed among the Alexa top 100,000.
Evidently, the number of monthly visitors to these websites is also quite high, probably over 11 million, as estimated by TrafficEstimate.com.
It is apparently a highly organized operation in which periodic updates of the malicious content takes the place across all the AEK gate sites simultaneously.
Fine-grained control over the malicious content distribution was also identified, which means the infected scripts may stay hidden for days and perhaps evade detection.
Moreover, infected websites can choose to target specific IP ranges and configurations.
This is why the detection rate of AEK is so low since most of the compromised sites weren’t identifiable even after weeks of study and scanning using VirusTotal scanners.
Also, potential connections between the actions of websites vulnerable to scanning and leveraging scanned sites as an entrance point for AEK was identified. This hints at the presence of an industry chain behind AEK operations.
From November 5 to November 16, the abovementioned sources started scanning websites for infections and identified around 90,558 unique domains that were already infected and used by AEK.
The result of compromised domains was in the retrieval of 29,531 unique IPs. 1,457 IPs out of the 29,531, were hosting more than ten compromised domains. For instance, the IP address126.96.36.199 was hosting around 442 compromised sites in total.
Some of these websites were extremely popular since 177 domains were listed in the Alexa top 100,000 while 40 in the top 10,000.
VirusTotal couldn’t detect these compromised websites. Early scanning results with VirusTotal on November 16 revealed that it could only report 226 malicious sites.
After several attempts, the team tested the complete list of 90,558 sites on December 14 and could only manage to identify 2,850 compromised sites.
How Anger Exploit Kit Evades Detection?
How does it work?
When the victim visits any of the infected WordPress/Apache hosts, these immediately redirect the user to the malicious server where AEK is hosted. This may occur via a middle layer called EK gate or directly.
The last malicious payload may vary and can include ransomware like Cryptowall, spyware or botnets, which can link the host to a C&C server. This redirection, that is, from EK gate to the infected file hosting server, may occur within the same domain or cross-domain.