Difficult to Detect Exploit Kit

Monday, March 9, 2015 @ 05:03 PM gHale

Attackers running the Angler exploit kit are using hijacked domain registrant accounts to create throwaway subdomains, both for the pages that redirect victims and for the destination pages that host the exploit kit.

Those subdomains are created, used and abandoned within hours, sometimes within minutes, which makes new exploits hard to detect and analyze and lets the attackers fold new exploits into Angler quickly and effectively.


Researchers at Cisco's Talos Group call this new tactic “Domain Shadowing.”

“This is an increasingly effective attack vector since most individuals don’t monitor their domain registrant accounts regularly,” said Cisco Talos Group researchers. “These accounts are typically compromised through phishing. The threat actor then logs in with credentials and creates large amounts of subdomains. Since a lot of users have multiple domains this can provide a nearly endless supply of domains.”

The researchers discovered several hundred compromised registrant accounts, which control thousands of unique domains. The attackers did not register any new domains.

According to the research, most of the compromised accounts are with Go Daddy. Even so, the attackers have yet to create subdomains under two thirds of the domains controlled by the compromised accounts, which suggests they are holding those in reserve for later attacks.

The domain shadowing technique dates back to 2011, but this latest campaign, first detected this past December and centered on the Angler Exploit Kit, is the first time criminals have used it on this large a scale.

“The amount of subdomains being utilized for landing pages and exploits are greater than those used for redirection, by a factor of five,” the researchers said. “This could be related to the chain of events leading to compromise. The user browses to a web page that is hosting a malicious ad. The malicious ad redirects the user to the first tier of subdomains (commonly referred to as a ‘gate’). This page then redirects to the actual landing page serving exploits. This final page is being rotated at a rapid pace. Some of the subdomains are only active for a matter of minutes and only are reached a couple of times.”

Domain shadowing is extremely effective, and it’s difficult to stop.

“This behavior has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses,” the researchers said. “Additionally, these subdomains are being rotated quickly minimizing the time the exploits are active, further hindering both block list effectiveness and analysis.”
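The two quotes above describe a pattern that is hard to block but fairly easy to hunt for: under a legitimate registered domain, a burst of never-before-seen subdomains appears, each alive for minutes and reached only a handful of times. The script below is an added example of that detection logic, written for this page and not code from Cisco Talos or from the original article. The log format (timestamp, client IP, queried hostname), the hostnames, and the thresholds are all constructed for the example; the sample log lines are made up.

```python
"""Hunt for domain-shadowing activity in DNS or proxy logs.

Added example, not Cisco Talos code. Heuristic taken from the campaign
description: under one legitimate registered domain, many new subdomains
appear, each alive only minutes and reached only a couple of times.
Blocking the FQDNs is futile because they are gone before a blocklist
updates, so the output is the registered domain (and by extension the
registrant account) that needs attention.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp client fqdn". Hostnames are hypothetical.
SAMPLE_LOG = """\
2015-03-02T10:00:01 10.1.1.5 www.example-bakery.com
2015-03-02T10:03:12 10.1.1.9 www.example-bakery.com
2015-03-02T10:05:00 10.1.1.5 qzk4.example-bakery.com
2015-03-02T10:06:10 10.1.1.7 qzk4.example-bakery.com
2015-03-02T10:07:30 10.1.1.5 bnt2a.example-bakery.com
2015-03-02T10:08:02 10.1.1.7 bnt2a.example-bakery.com
2015-03-02T10:09:55 10.1.1.5 ff0x.example-bakery.com
2015-03-02T10:11:40 10.1.1.7 ff0x.example-bakery.com
2015-03-02T10:12:00 10.1.1.5 plm77.example-bakery.com
2015-03-02T10:13:30 10.1.1.9 plm77.example-bakery.com
2015-03-02T10:14:10 10.1.1.5 z9q.example-bakery.com
2015-03-02T10:15:00 10.1.1.5 mail.example-corp.com
2015-03-02T11:00:00 10.1.1.9 mail.example-corp.com
2015-03-02T12:00:00 10.1.1.7 www.example-corp.com
2015-03-02T12:30:00 10.1.1.5 www.example-bakery.com
"""


def parse_log(text):
    """Return a list of (timestamp, client_ip, fqdn) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, fqdn = line.split()
        records.append((datetime.fromisoformat(ts), client, fqdn.lower().rstrip(".")))
    return records


def registered_domain(fqdn):
    """Registrable domain, assuming a one-label public suffix such as .com.
    Real tooling should use the Public Suffix List so .co.uk etc. work."""
    labels = fqdn.split(".")
    return ".".join(labels[-2:])


def find_shadowed(records, min_burst=4, max_lifetime_s=900, max_hits=3):
    """Map registered domain -> sorted labels of its short-lived, rarely hit
    subdomains, keeping only domains with at least `min_burst` of them.
    Thresholds are illustrative (15 minutes of life, 3 hits or fewer)."""
    stats = {}  # fqdn -> [first_seen, last_seen, hits]
    for ts, _client, fqdn in records:
        entry = stats.setdefault(fqdn, [ts, ts, 0])
        entry[0] = min(entry[0], ts)
        entry[1] = max(entry[1], ts)
        entry[2] += 1

    per_domain = defaultdict(list)
    for fqdn, (first, last, hits) in stats.items():
        apex = registered_domain(fqdn)
        if fqdn == apex:
            continue  # the bare apex is not a shadow subdomain
        lifetime = (last - first).total_seconds()
        # Long-lived or frequently hit hostnames (www, mail) fall out here.
        if lifetime <= max_lifetime_s and hits <= max_hits:
            per_domain[apex].append(fqdn[: -len(apex) - 1])

    return {apex: sorted(labels) for apex, labels in per_domain.items()
            if len(labels) >= min_burst}


if __name__ == "__main__":
    for apex, labels in find_shadowed(parse_log(SAMPLE_LOG)).items():
        print(f"possible domain shadowing under {apex}: "
              f"{len(labels)} throwaway subdomains")
        print("  " + ", ".join(labels))
```

Note the design choice: a single odd hostname with one hit (www.example-corp.com in the sample) is not enough to raise an alert, because ordinary sites produce those all the time; it is the burst of throwaway subdomains under one apex that matches the campaign. When a domain does trip the check, the useful response is to alert on the registered domain and contact the registrant about the account, not to add the individual FQDNs to a blocklist they will have outlived.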

In this latest campaign, the Angler kit attempts to exploit several Microsoft Silverlight and Adobe Flash vulnerabilities, one of which was a Zero Day.
