The developers of the Angler exploit kit are trying to make it more difficult for researchers and advertising networks to track down the sources of a malvertising campaign.
According to Yonathan Klijnsma, a malware research and reverse engineering specialist, the Angler exploit kit now breaks the HTTP referer chain, which is one of the main tools for disrupting malvertising operations.
When users click on a link to access a webpage, a request is made to that new webpage. The HTTP referer is a header field in the request containing the address of the webpage the user was on before clicking on the link.
In malvertising campaigns, cybercriminals inject malicious ads into legitimate advertising networks in an effort to take users to pages hosting exploit kits. These exploit kits are designed to leverage vulnerabilities in various applications (e.g. Flash Player, Java, Silverlight) in order to push malware onto users’ computers.
The victims of malvertising attacks are taken from the website hosting the malicious ad to the exploit kit landing page through a series of redirections. This is why referers are highly useful for going through the redirection chain and tracking down the source of the malicious ad.
However, Klijnsma discovered that the Angler exploit kit uses some clever tricks to break the referer chain and make it more difficult to track down the source. The expert told SecurityWeek that the new technique is used in most, if not all, current Angler malvertising campaigns.
One of the attacks analyzed by the researcher starts with malicious ads served on a website hosting adult content. These types of sites are often targeted in malvertising campaigns. Last week, Malwarebytes reported spotting a campaign involving dozens of popular adult websites.
During his research, Klijnsma found no referers on the requests to either the exploit kit redirector or the landing page. He says the attackers achieve this with a two-step system that leverages web browser bugs.
Ensuring that the redirection page doesn’t have a referer involves adding a new DIV element on the page.
“Inside this DIV [the attacker] puts an iframe which does not have a ‘src’ attribute, meaning it is not loading anything from a remote site. However, most browsers see the context/body of the iframe (and normally the page it loads based on the ‘src’ attribute) as a separate page with its own context; this is pretty much how the Angler referer-less request(s) trick works,” Klijnsma explained in a blog post. “In the next step they generate a form with a hidden input. This form is put in the body of the iframe context, after which they submit the form. When they submit the form they are sending it from within the iframe context, which does not have an actual page loaded, which causes the request coming from it to not have a referer; quite a nasty trick.”
The expert has created a proof-of-concept (PoC) to show how pages can be requested without referers in the latest versions of Internet Explorer, Chrome, and Firefox.
As for the lack of referers on the landing page, the researcher says he isn’t 100% certain about how the malicious actors are doing it, but he believes it has something to do with how the browsers process the request.
“When a browser performs a POST request […] the response is (in most cases) some external resource being loaded in the page. In the case of the redirector we see the response is HTML which contains a meta refresh tag which changed the page location to the specified URL. My guess is that the browser follows the refresh but due to a bug doesn’t follow it with a referer,” Klijnsma said.
The researcher has developed a PoC for this technique as well, but it only works on Internet Explorer. Web browser vendors have been made aware of the referer issue described by Klijnsma.
By breaking the referer chain, malicious actors ensure that it’s more difficult for automated systems and researchers to track the malvertising campaigns. If browser vendors address the issue, more automated reporting will be possible, the expert noted.
“Currently tracking these Angler redirects down is really hard, and manual work just based on URL logs,” Klijnsma told SecurityWeek.
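The manual work over URL logs that Klijnsma describes can be partly automated on the defender side. The following is an added example, not code from the article or from the researcher's PoC; it assumes a constructed, time-sorted proxy log with the columns shown, flags the pattern the article describes (a referer-less POST to an HTML redirector followed within seconds by a referer-less HTML page on another host), and then walks the client's requests backwards, following the Referer where one exists and falling back to time adjacency where it is missing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (assumed columns: time client method url referer content-type), sorted by time.
LOG = """\
2015-08-10T10:00:01 10.0.0.5 GET http://adult-site.example/index.html - text/html
2015-08-10T10:00:02 10.0.0.5 GET http://adnet.example/serve?slot=3 http://adult-site.example/index.html text/html
2015-08-10T10:00:03 10.0.0.5 POST http://redir.example/go - text/html
2015-08-10T10:00:04 10.0.0.5 GET http://landing.example/xyz - text/html
2015-08-10T10:05:00 10.0.0.9 POST http://shop.example/cart http://shop.example/item text/html
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, method, url, ref, ctype = line.split()
        rows.append(dict(ts=datetime.fromisoformat(ts), client=client, method=method,
                         url=url, referer=None if ref == "-" else ref, ctype=ctype))
    return rows

host = lambda url: url.split("/")[2]  # scheme://host/... -> host

def find_refererless_hops(rows, window=timedelta(seconds=5)):
    """Referer-less POST for HTML, then a referer-less HTML GET on another host: redirector -> landing."""
    hits = []
    for i, r in enumerate(rows):
        if r["method"] != "POST" or r["referer"] or r["ctype"] != "text/html":
            continue
        for nxt in rows[i + 1:]:
            if nxt["ts"] - r["ts"] > window:
                break  # rows are time-sorted, so nothing later can be inside the window
            if (nxt["client"] == r["client"] and nxt["method"] == "GET" and nxt["referer"] is None
                    and nxt["ctype"] == "text/html" and host(nxt["url"]) != host(r["url"])):
                hits.append((r["client"], r["url"], nxt["url"]))
                break
    return hits

def reconstruct_chain(rows, client, landing_url, window=timedelta(seconds=10)):
    """Walk back from the landing page: follow Referer when present, else the client's previous request."""
    reqs = [r for r in rows if r["client"] == client]
    idx = next(i for i, r in enumerate(reqs) if r["url"] == landing_url)
    chain = [reqs[idx]["url"]]
    while idx > 0:
        cur, prev = reqs[idx], idx - 1
        if cur["referer"]:  # referer present: jump to the request that served that URL
            prev = next((i for i in range(idx - 1, -1, -1) if reqs[i]["url"] == cur["referer"]), -1)
        if prev < 0 or cur["ts"] - reqs[prev]["ts"] > window:
            break  # chain lost: no matching referer, or the gap is too large to trust
        chain.append(reqs[prev]["url"])
        idx = prev
    return chain[::-1]
```

The time-adjacency fallback is a heuristic: other tabs or background requests from the same client can land in the window, so the reconstructed chain should be confirmed against the page content (for example the meta refresh in the redirector response).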

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.