The Angler Exploit Kit is one of the most powerful and advanced exploit kits used by attackers. Many information security and ethical hacking training experts consider it more powerful than the Blackhole exploit kit, because it has caused a larger number of infections.
Why the Angler exploit kit is powerful and dangerous
1. Angler uses a variety of exploits, including zero-days, against browser plugins such as Java, Adobe Flash and Microsoft Silverlight.
2. Angler uses the drive-by download technique: the page silently exploits whichever vulnerability it finds on the machine and drops the malware payload. Angler can also perform a fileless infection (memory injection), in which the exploit and payload run only in RAM: the code is injected into a running process such as iexplore.exe or javaw.exe and executed from there. Because nothing is written to disk, file-based scanning by intrusion prevention systems and antivirus programs does not see it (only memory scanning or behavioural monitoring can). The payload is usually a dropper, a small program whose only job is to download and install one or more further malware programs.
3. Payloads delivered by the kit include banking Trojans such as Zeus and Citadel, ransomware such as CryptoLocker, the Bedep ad-fraud malware and keylogging software.
4. Angler also uses a newer technique known as "domain shadowing", which security experts from the International Institute of Cyber Security describe as an evolution in cybercrime. Domain shadowing was already seen in 2011, but Angler applies it at scale: using compromised registrant credentials for legitimate domains, the attackers create large numbers of subdomains under those domains and serve their landing pages and malware from them, while the legitimate website itself keeps working and its owner notices nothing. Because the subdomains are created with valid registrant credentials, the technique is very difficult to stop, and because the compromised accounts are chosen at random, it is also very difficult to track down the criminals behind the attacks. Blocking a bad URL or relying on a URL blacklist therefore does not protect against this attack; domain owners should instead watch their DNS zone for subdomains they did not create and protect the registrar account itself.
5. Angler changes the hashes of its pages and payloads and places several levels of redirection in front of the final exploit page, so that security products cannot match it by file hash or by URL. For this it uses "302 cushioning", also called a cushion attack: a chain of HTTP 302 redirects that carries the victim from the compromised site to the malicious landing page without hidden iframes or external script tags, which are the indicators many scanners look for.
6. The compromised web servers hosting the exploit kit landing page serve it only once to each IP address, and the attackers actively monitor those servers. This makes reverse engineering difficult, as Mike Stevens, malware reverse engineering and ethical hacking course expert from Mexico, points out.
7. The kit detects virtual machines and security products on the victim's system and, when it finds them, decides not to run the exploit, so that antivirus companies cannot easily capture the exploit kit and reverse engineer it.
8. Angler encrypts and obfuscates its web pages and encrypts its payloads, which are decrypted only on the victim's machine.
How the Angler Exploit Kit works
1. The victim visits a web page and is served an advertisement or other embedded content that comes from a compromised web server.
2. The compromised server's page redirects the browser to an intermediate server, so that an IDS/IPS watching the first site never sees the malware.
3. The intermediate server redirects to the attacker's web server, which hosts the Angler exploit kit's landing page.
4. The landing page checks for the presence and version of vulnerable browser plugins (Java, Flash and Silverlight). It also checks for virtual machines and for security software such as malware reverse engineering tools.
5. If security software is found, the page simply raises a JavaScript error and does nothing else.
6. If a vulnerable browser or plugin is found and no security software is present, the kit delivers the matching encrypted payload, which is decrypted in RAM and injected into a running process such as iexplore.exe or javaw.exe; that process is then used to gain persistent access to the machine, as information security training expert Jim Taylor explains.
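The redirect chain in steps 1 to 3, and the 302 cushioning described in point 5 above, leave a recognisable trace in a web proxy log: a burst of consecutive 3xx responses for one client that hops across several unrelated domains and ends on a page the client then loads. The following Python script is an added example (not from the original article) that reconstructs such chains from a proxy log and flags the ones that look like cushioning; the log format (epoch, client, status, URL, Location header or "-"), the sample lines and the thresholds are constructed for this example, and the two-label registered-domain heuristic is the same simplification as before.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not real traffic). One request per line:
# <epoch> <client> <status> <url> <Location header, or - when absent>
LOG = """\
1430000000 10.0.0.7 200 http://news.example.com/story.html -
1430000002 10.0.0.7 302 http://ads.example.com/serve?id=77 http://r1.example.net/go
1430000002 10.0.0.7 302 http://r1.example.net/go http://r2.example.net/go2
1430000003 10.0.0.7 302 http://r2.example.net/go2 http://k4j9qz.example.org/landing.html
1430000003 10.0.0.7 200 http://k4j9qz.example.org/landing.html -
1430000005 10.0.0.7 200 http://k4j9qz.example.org/flash.swf -
1430000010 10.0.0.9 301 http://www.example.com/old http://www.example.com/new
1430000011 10.0.0.9 200 http://www.example.com/new -
"""


def parse_log(text):
    """Parse the constructed log format into a list of request dicts, in log order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, location = line.split()
        entries.append({"ts": int(ts), "client": client, "status": int(status),
                        "url": url, "location": None if location == "-" else location})
    return entries


def registered_domain_of_url(url):
    """Last two labels of the URL's host (simplification; use the Public Suffix List in production)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def build_chains(entries, window=30):
    """Link each 3xx response to the same client's later request for its Location
    target (within `window` seconds) and return every maximal chain as a list of URLs."""
    by_client_url = defaultdict(list)          # (client, url) -> indices of requests
    for i, e in enumerate(entries):
        by_client_url[(e["client"], e["url"])].append(i)

    def next_hop(i):
        e = entries[i]
        if not (300 <= e["status"] < 400) or not e["location"]:
            return None
        for j in by_client_url[(e["client"], e["location"])]:
            if j > i and entries[j]["ts"] - e["ts"] <= window:
                return j
        return None

    links, targets = {}, set()
    for i in range(len(entries)):
        j = next_hop(i)
        if j is not None:
            links[i] = j
            targets.add(j)

    chains = []
    for head in links:
        if head in targets:                   # only start from the first hop
            continue
        chain = [head]
        while chain[-1] in links:
            chain.append(links[chain[-1]])
        chains.append([entries[k]["url"] for k in chain])
    return chains


def suspicious_chains(chains, min_hops=2, min_domains=3):
    """Cushioning heuristic (thresholds are assumptions): at least min_hops redirects
    crossing at least min_domains distinct registered domains."""
    flagged = []
    for chain in chains:
        hops = len(chain) - 1
        domains = {registered_domain_of_url(u) for u in chain}
        if hops >= min_hops and len(domains) >= min_domains:
            flagged.append(chain)
    return flagged


if __name__ == "__main__":
    for chain in suspicious_chains(build_chains(parse_log(LOG))):
        print("possible 302 cushioning chain:")
        for url in chain:
            print("   ", url)
```

On the sample log the ordinary same-site 301 (old page to new page) yields a chain of one hop within one domain and is ignored, while the ad-server to two cushion hosts to landing page sequence is reported. Where a proxy does not log the Location header, the same chain can usually be rebuilt from the Referer of each following request; the linking rule is the only part that changes.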
Source: http://noticiasseguridad.com/importantes/como-funciona-muy-poderoso-y-peligroso-angler-exploit-kit/