SecurityWeek
Did Angler Exploit Kit Die With Russian Lurk Arrests?

Researchers have recently noted a large scale switch from the Angler exploit kit (EK) to the Neutrino exploit kit. Last Wednesday SANS ISC noted that CryptXXX ransomware was now being delivered by the Neutrino EK. “Until then, I’d only seen Angler EK distribute CryptXXX,” reported Brad Duncan.

On Friday Malwarebytes reported that malvertising campaigns it had earlier described as using fingerprinting to evade detection “are still going on but rather than using Angler EK to infect victims, we see the Neutrino exploit kit instead.”

Angler first appeared in late 2013. By spring 2014 it had drawn level with the then most popular EK, Nuclear; by late 2014 it had become the most popular EK in use. By spring of last year it accounted for 82% of all EK activity (figures from Sophos). At that point, Neutrino activity was barely visible.

[Chart: Angler Exploit Kit Activity (Image Credit: F-Secure)]

This has now reversed: Angler is no longer prevalent, or even visible, and Neutrino is dominant. While criminals switching between exploit kits is not unknown, this seems to be different.

French researcher Kafeine has seen the same. Angler, he notes, “has totally vanished on June 7th.” One possibility was that the Angler gang were taking their annual vacation – seriously, organized crime is that organized these days. But an ongoing malvertising campaign from SadClowns had switched to Neutrino. And confirmation came when he also saw the CryptXXX switch to Neutrino. The CryptXXX actors had used Angler exclusively, and had even synchronized their own vacation with Angler’s January timeline.

The question is whether this is a temporary blip or a permanent demise. It is similar to the sudden decline of the Blackhole EK in 2013. Like Angler, Blackhole had been the exploit kit of choice among cyber criminals. But following the arrest of its author, Dmitry Fedotov aka Paunch, in late 2013, its usage plummeted. (Fedotov was sentenced to seven years in prison by a Russian court earlier this year.)

The similarity between Blackhole and Angler has prompted researchers to wonder whether the Angler gang has also been arrested. Indeed, one security industry source told SecurityWeek he had heard of likely imminent action against the gang, but had no further details. More specifically, however, researchers are looking at the recent 50 arrests in Russia, made within the last two weeks, that were publicly associated with users of the Lurk malware.

There is certainly a link between Lurk and Angler. Kafeine comments, “With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the ‘Indexm’ variant of Angler between 2012 and beginning of 2016…we might think there is a connection and that some actors are stepping back.”

What isn’t clear is whether the Angler gang fear that some of the fifty arrests might implicate them personally and are currently keeping a low profile, or whether the same people are behind both sets of malware. F-Secure security advisor Sean Sullivan told SecurityWeek that Kafeine’s analysis “suggests disruption in Angler’s infrastructure. It wouldn’t be the first time an exploit kit has died due to law enforcement (Blackhole). Hopefully it won’t be the last.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
