Angler Exploit Kit

First observed in 2013, Angler was an exploit kit responsible for delivering other high-profile malware including Andromeda, Cryptowall, Ursnif and Vawtrak. It was involved in over 40% of all exploit kit attacks at one point.

Threat ID:: CC-2013
Category:
Threat Severity:: Low
Threat Vector:: Exploit kit
Published:: 9 February 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

Its creators were arrested in 2016, upon which operations using it effectively ceased.

Angler was delivered using watering hole attacks. Websites were compromised to gain access to the server running them. Once this was done, a domain generation algorithm was used to produce large amounts of subdomains, each containing Angler. Computer-generated landing pages were then created for the domains in order for them to appear as legitimate sites. This whole process was automated, allowing Angler’s operators to avoid detection whilst still effectively distributing the kit.

Alongside this, Angler used extensive code obfuscation and several anti-analysis features. System information on a variety of security and virtualisation products was collected using Internet Explorer, with deployment stopped if any were detected on a device. Angler’s main scripting function was stored as encrypted HTML data strings, which was then retrieved when the domain landing page is loaded and evading emulation layers. Payloads carried by Angler were also further encrypted.

Remediation advice

To prevent and detect an infection, ensure that:

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments, follow links within unsolicited emails, or follow suspicious links on web pages. All operating systems, web browsers, antivirus and other security products are kept up to date. Browser plugins such as Flash and Silverlight are kept up to date, or removed if they are not required. All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from infected machines should be reset on a clean computer Your organisation adopts a holistic all round approach to Cyber Security as advocated by the 10 Steps To Cyber Security. Identifying the source of infection: Identifying the infected machine and unplugging / disconnecting or quarantining it from the network is essential to damage limitation. Users should immediately report infections to their IT support provider, disconnect their network cable and power the computer down. File auditing should be enabled and file server logs should be monitored to detect signs of unauthorised encryption and allow the source of encryption to be identified (i.e. the infected PC).

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments, follow links within unsolicited emails, or follow suspicious links on web pages.
All operating systems, web browsers, antivirus and other security products are kept up to date.
Browser plugins such as Flash and Silverlight are kept up to date, or removed if they are not required.
All day to day computer activities such as email and internet are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from infected machines should be reset on a clean computer
Your organisation adopts a holistic all round approach to Cyber Security as advocated by the 10 Steps To Cyber Security.

Identifying the source of infection:
Identifying the infected machine and unplugging / disconnecting or quarantining it from the network is essential to damage limitation.

Users should immediately report infections to their IT support provider, disconnect their network cable and power the computer down.
File auditing should be enabled and file server logs should be monitored to detect signs of unauthorised encryption and allow the source of encryption to be identified (i.e. the infected PC).

Last edited: 11 January 2022 9:27 am