IT security pros are being warned that the Angler Exploit Kit has evolved — again — to more effectively deliver ransomware.
Cisco Systems’ Talos security service said in a blog post today that, after analyzing a recent major upswing in Angler activity, it discovered that the URL structure of the kit’s landing pages has changed, the HTTP 302 cushioning has evolved and the payload of the ransomware has changed. Cushioning redirects unsuspecting viewers to a malicious site, using messages like “the document has moved here” together with a hyperlink.
“By adding a varied list of URL extensions Angler authors are creating significantly more variation,” the blog notes. “The reason for the change has everything to do with detection. Most Angler landing page detection is done off of the URL structure and by making this change and adding a list of varying extensions, exploit kit authors bypass a huge amount of the detection technologies. This type of a change would be expected especially if there are other major changes underway. Much the same way that domain shadowing was unveiled at roughly the same time the Adobe Flash 0-day was dropped into this exploit kit.”
This isn’t the first time the URL structure has evolved for Angler, the researchers add: the kit had used simple .php paths before changing to the more recent random string of text. The actual content displayed to the user has remained largely static.
Most Angler exploits are delivered by malware, says Cisco [Nasdaq: CSCO], but the new changes mean it can now deliver malicious iframes on compromised websites. After compromising the user with a malicious Flash file or other exploit, the PC receives a variant of the Cryptowall ransomware. This specific variation of Cryptowall uses WordPress sites — possibly hijacked — to store information. Normally malware will contact several domains for different purposes (i.e., C2, Dropped Files, Exfil, etc.), the researchers said. “This particular sample contacted almost 40 different domains and attempted to post data on 30 different WordPress sites. These posts were made to look like image files being posted and were seen posting to WordPress plugins that have been in the news over the last several months for being exploitable.”
“Exploit kits are always going to evolve to improve efficiencies, increase evasion, maximize ability to compromise users, and create detection and prevention challenges. This is another example of how specifically the Angler Exploit Kit continues to change. This doesn’t always involve using new or novel techniques. In this example the EK went from being distributed via the newer technique of malvertising to reverting to malicious iframes on compromised websites. Also, it seems that a hybrid approach to URLs has been undertaken by Angler.
“The old usage of .php files has been merged with the more recent randomized string to create a third variant of URL structure. Finally, the removal of domain shadowing for the 302 cushioning and the addition of dynamic DNS instead. This technique may be a relatively new feature to Angler, but has been in use by other exploit kits for some time.”
Security pros need to ensure their detection engines have been updated to keep up with these changes.
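
One way to check proxy logs for the 302 cushioning change described above, added here as an example and not taken from Talos or the original article: it flags 302 responses whose Location header points at a different host under a dynamic DNS zone. The record layout, the sample records and the short suffix list are constructed assumptions.

```python
# Added example: flag HTTP 302 "cushion" hops that land on dynamic DNS hosts.
from urllib.parse import urlsplit

# Assumption: a small sample of dynamic DNS provider zones, not a complete list.
DYNDNS_SUFFIXES = ("ddns.net", "duckdns.org", "no-ip.org")

# Constructed proxy records: (client, requested URL, status, Location header)
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/story.html", 200, ""),
    ("10.0.0.5", "http://cdn.example/w.js", 302, "http://a1b2.ddns.net/landing"),
    ("10.0.0.7", "http://shop.example/cart", 302, "http://shop.example/login"),
    ("10.0.0.9", "http://blog.example/p?id=3", 302, "/p/3"),
    ("10.0.0.9", "http://ads.example/r", 302, "http://XYZ.DuckDNS.org./x.php"),
]


def host_of(url):
    """Lower-cased host without a trailing dot; '' for relative URLs."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_dyndns(host):
    """True if host is a dynamic DNS zone or a label beneath one."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def find_cushion_redirects(records):
    """Return (client, source host, target host) for cross-host 302s to dynamic DNS."""
    hits = []
    for client, url, status, location in records:
        if status != 302 or not location:
            continue
        source, target = host_of(url), host_of(location)
        # A relative Location or a same-host redirect is ordinary site behaviour.
        if not target or target == source:
            continue
        if is_dyndns(target):
            hits.append((client, source, target))
    return hits


if __name__ == "__main__":
    for hit in find_cushion_redirects(SAMPLE_LOG):
        print("302 to dynamic DNS host:", *hit)
```

A hit is a lead for triage, not a verdict: legitimate services also sit on dynamic DNS names, so correlate with what the client fetched next.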