Threat spotlight: Angler lurking in the domain shadows

From Botnets.fr
Jump to: navigation, search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Threat spotlight: Angler lurking in the domain shadows
Botnet
Malware
Botnet/malware group
Exploit kits Angler
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2015 / 2015-03-05
Editor/Conference CISCO
Link http://blogs.cisco.com/security/talos/angler-domain-shadowing (Archive copy)
Author Nick Biasini, Joel Esler
Type

Abstract

Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large amounts of subdomains for both initial redirection and exploitation. This campaign has been largely attributed to Angler Exploit Kit with fileless exploits serving various malicious payloads.

The use of hijacked accounts lead to a larger research project into the use of hijacked registrant accounts. During this research the earliest examples were found from a 2011 campaign with sporadic usage until December 2014. Since December 2014 more than 75% of the subdomain activity has occurred indicating a major shift in approach. This behavior has been covered before which discussed some of the older campaigns as well as the hosting indicators (ASN) of the groups making use of the subdomains.

Bibtex

 @misc{Biasini2015BFR1536,
   editor = {CISCO},
   author = {Nick Biasini, Joel Esler},
   title = {Threat spotlight: Angler lurking in the domain shadows},
   date = {05},
   month = Mar,
   year = {2015},
   howpublished = {\url{http://blogs.cisco.com/security/talos/angler-domain-shadowing}},
 }