
Angler Exploit Kit Uses Domain Shadowing to Evade Detection

The notorious Angler exploit kit has started leveraging a new technique to ensure that its malicious activities are not interrupted when the domains it uses are blacklisted, researchers at Cisco revealed on Tuesday.

The Angler exploit kit has made numerous headlines over the past few months after cybercriminals integrated Adobe Flash Player zero-days and Internet Explorer exploits. Experts believe Angler is currently one of the most sophisticated and widely used exploit kits.

The new technique spotted by Cisco, dubbed “domain shadowing,” involves compromised domain registration accounts. The attackers hijack these accounts, usually through phishing, and they use them to create subdomains.

Researchers have identified hundreds of compromised domain registration accounts that give cybercriminals access to several thousand domains. On these domains, the attackers have created roughly 10,000 unique subdomains, which they have been using to redirect victims to the exploit kit landing pages, and to host the actual landing pages and exploits.

In the campaign observed by Cisco, which has been running since late December, the cybercrooks quickly rotate both the subdomains and their IP addresses. This makes it more difficult to blacklist the subdomains and IP addresses, and it gives researchers only a short timeframe to analyze the exploits.

Hijacking domain registration accounts can be highly lucrative. On one hand, the attackers create a large number of disposable subdomains that they can use in their operations. In this case, Cisco has determined that only a third of the compromised domains have been utilized so far, which means the cybercriminals still have plenty to work with in the future.

On the other hand, website administrators usually check their domain registration accounts only when they renew the domain, so chances are that the attackers will be able to create as many subdomains as they like without being detected.

In this case, a majority of the compromised accounts belong to GoDaddy customers. This isn’t surprising considering that the company is the world’s largest registrar, with 59 million domain names under its management. As Cisco has pointed out, a phishing campaign targeted at GoDaddy customers is likely to generate a large number of victims.

The Angler EK attacks start with a malicious ad that’s designed to redirect victims to an attacker-controlled webpage hosted on the first tier of subdomains. From these subdomains, users are redirected to the exploit kit landing pages hosted on the second tier of subdomains.

According to Cisco, some of the subdomains are only active for a few minutes before they are replaced. It’s also worth noting that there are five times more exploit subdomains than redirection subdomains.

A common technique used by cybercriminals to evade IP address detection and blacklisting is called “fast flux.” When this technique is used, the IP addresses associated with a domain or DNS entry are rotated quickly. When domain shadowing is utilized, subdomains associated with a single domain are rotated. The subdomains can point to a single IP or a group of IP addresses, Cisco noted.
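As an added illustration (not code from Cisco or from the original article), the sketch below separates the two rotation patterns described above in passive-DNS data: many short-lived subdomains under one registered domain versus a single hostname cycling through IP addresses. The sample records, the thresholds, and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS rows: (fqdn, resolved IP, first seen, last seen), times in minutes.
RECORDS = [
    ("www.shop-a.example", "198.51.100.10", 0, 10000),
    ("kq3vd.shop-a.example", "203.0.113.5", 9000, 9012),
    ("x8pl2.shop-a.example", "203.0.113.5", 9012, 9030),
    ("bn7qa.shop-a.example", "203.0.113.6", 9030, 9041),
    ("t2mzr.shop-a.example", "203.0.113.6", 9041, 9055),
    ("cdn.flux-b.example", "192.0.2.1", 100, 105),
    ("cdn.flux-b.example", "192.0.2.2", 105, 110),
    ("cdn.flux-b.example", "192.0.2.3", 110, 115),
    ("cdn.flux-b.example", "192.0.2.4", 115, 120),
    ("www.quiet-c.example", "198.51.100.20", 0, 10000),
    ("mail.quiet-c.example", "198.51.100.21", 0, 10000),
]

def registered_domain(fqdn):
    # Assumption: the registered domain is the last two labels; production code
    # should consult the Public Suffix List (e.g. for co.uk).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def classify(records, min_names=4, min_ips=4, max_life=60):
    """Label each registered domain by what rotates: hostnames or IP addresses."""
    seen = defaultdict(dict)  # domain -> fqdn -> [ips, first_seen, last_seen]
    for fqdn, ip, first, last in records:
        entry = seen[registered_domain(fqdn)].setdefault(fqdn.lower(), [set(), first, last])
        entry[0].add(ip)
        entry[1], entry[2] = min(entry[1], first), max(entry[2], last)
    verdicts = {}
    for domain, hosts in seen.items():
        # Shadowing: many distinct subdomains, each observed only briefly.
        short_lived = [h for h, (_, first, last) in hosts.items() if last - first <= max_life]
        # Fast flux: a single hostname cycling through many IP addresses.
        most_ips = max(len(ips) for ips, _, _ in hosts.values())
        if len(short_lived) >= min_names:
            verdicts[domain] = "possible domain shadowing"
        elif most_ips >= min_ips:
            verdicts[domain] = "possible fast flux"
        else:
            verdicts[domain] = "no rotation seen"
    return verdicts

if __name__ == "__main__":
    for domain, verdict in sorted(classify(RECORDS).items()):
        print(f"{domain}: {verdict}")
```

Note that the long-lived `www` record on the first domain does not mask the burst of new names beside it, which matches the article's point that the legitimate site keeps running while subdomains are added through the hijacked account.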

“Domain shadowing using compromised registrant credentials is the most effective, difficult to stop, technique that threat actors have used to date. The accounts are largely random so there is no way to track which domains will be used next. Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns. This makes blocking increasingly difficult,” Cisco threat researcher Nick Biasini explained in a blog post.

“Finally, it has also hindered research. It has become progressively more difficult to get active samples from an exploit kit landing page that is active for less than an hour. This helps increase the attack window for threat actors since researchers have to increase the level of effort to gather and analyze the samples,” Biasini added.

Blacklisting is ineffective against such attacks and the malware samples are often not detected by signature-based antiviruses because they are morphed frequently. According to Cisco, the best way to detect and block these threats is by using next-generation intrusion prevention systems (NGIPS) and advanced heuristic-based malware detection solutions.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.