Connect with us

Hi, what are you looking for?


Malware & Threats

Angler Exploit Kit Uses Domain Shadowing to Evade Detection

The notorious Angler exploit kit has started leveraging a new technique to ensure that its malicious activities are not interrupted when the domains it uses are blacklisted, researchers at Cisco revealed on Tuesday.

The notorious Angler exploit kit has started leveraging a new technique to ensure that its malicious activities are not interrupted when the domains it uses are blacklisted, researchers at Cisco revealed on Tuesday.

The Angler exploit kit has made numerous headlines over the past few months after cybercriminals integrated Adobe Flash Player zero-days and Internet Explorer exploits. Experts believe Angler is currently one of the most sophisticated and widely used exploits kits.

The new technique spotted by Cisco, dubbed “domain shadowing,” involves compromised domain registration accounts. The attackers hijack these accounts, usually through phishing, and they use them to create subdomains.

Researchers have identified hundreds of compromised domain registration accounts that give cybercriminals access to several thousand domains. On these domains, the attackers have created roughly 10,000 unique subdomains, which they have been using to redirect victims to the exploit kit landing pages, and to host the actual landing pages and exploits.

In the campaign observed by Cisco, which has been running since late December, the cybercrooks quickly rotate both the subdomains and their IP addresses. This makes it more difficult to blacklist the subdomains and IP addresses, and it gives researchers only a short timeframe to analyze the exploits.

Hijacking domain registration accounts can be highly lucrative. On one hand, the attackers create a large number of disposable subdomains that they can use in their operations. In this case, Cisco has determined that only a third of the compromised domains have been utilized so far, which means the cybercriminals still have plenty to work with in the future.

On the other hand, website administrators usually check their domain registration accounts only when they renew the domain, so chances are that the attackers will be able to create as many subdomains as they like without being detected.

In this case, a majority of the compromised accounts belong to GoDaddy customers. This isn’t surprising considering that the company is the world’s largest registrar, with 59 million domains names under its management. As Cisco has pointed out, a phishing campaign targeted at GoDaddy customers is likely to generate a large number of victims.

Advertisement. Scroll to continue reading.

The Angler EK attacks start with a malicious ad that’s designed to redirect victims to an attacker-controlled webpage hosted on the first tier of subdomains. From these subdomains, users are redirected to the exploit kit landing pages hosted on the second tier of subdomains.

According to Cisco, some of the subdomains are only active for a few minutes before they are replaced. It’s also worth noting that there are five times more exploit subdomains than redirection subdomains.

A common technique used by cybercriminals to evade IP address detection and blacklisting is called “fast flux.” When this technique is used, the IP addresses associated with a domain or DNS entry are rotated quickly. When domain shadowing is utilized, subdomains associated with a single domain are rotated. The subdomains can point to a single IP or a group of IP addresses, Cisco noted.

“Domain shadowing using compromised registrant credentials is the most effective, difficult to stop, technique that threat actors have used to date. The accounts are largely random so there is no way to track which domains will be used next. Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns. This makes blocking increasingly difficult,” Cisco threat researcher Nick Biasini explained in a blog post.

“Finally, it has also hindered research. It has become progressively more difficult to get active samples from an exploit kit landing page that is active for less than an hour. This helps increase the attack window for threat actors since researchers have to increase the level of effort to gather and analyze the samples,” Biasini added.

Blacklisting is ineffective against such attacks and the malware samples are often not detected by signature-based antiviruses because they are morphed frequently. According to Cisco, the best way to detect and block these threats is by using next-generation intrusion prevention systems (NGIPS) and advanced heuristic-based malware detection solutions.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.