Threat spotlight: Angler lurking in the domain shadows
(Publication) Google search: [1]
| Threat spotlight: Angler lurking in the domain shadows | |
|---|---|
| Botnet | |
| Malware | |
| Botnet/malware group | |
| Exploit kits | Angler |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2015 / 2015-03-05 |
| Editor/Conference | CISCO |
| Link | http://blogs.cisco.com/security/talos/angler-domain-shadowing (Archive copy) |
| Author | Nick Biasini, Joel Esler |
| Type | |
Abstract
“ Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large amounts of subdomains for both initial redirection and exploitation. This campaign has been largely attributed to Angler Exploit Kit with fileless exploits serving various malicious payloads.
The use of hijacked accounts lead to a larger research project into the use of hijacked registrant accounts. During this research the earliest examples were found from a 2011 campaign with sporadic usage until December 2014. Since December 2014 more than 75% of the subdomain activity has occurred indicating a major shift in approach. This behavior has been covered before which discussed some of the older campaigns as well as the hosting indicators (ASN) of the groups making use of the subdomains.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2015BFR1536,
editor = {CISCO},
author = {Nick Biasini, Joel Esler},
title = {Threat spotlight: Angler lurking in the domain shadows},
date = {05},
month = Mar,
year = {2015},
howpublished = {\url{http://blogs.cisco.com/security/talos/angler-domain-shadowing}},
}