Surge in Angler Exploit Kit, 90000 Websites Compromised

Angular Exploit Kit

As a new years resolution, hackers seem to have up the ante in cyber attacks using exploit kits. Security researchers have found increased activity in the use of exploit kits to hijack user activity. As many as 90000 sites have been confirmed to be affected by the Angler exploit kit. These campaigns focus on using blackhat SEO poisoning to divert search results to infected websites.

Exploit kits are malicious software used by cybercriminals to exploit vulnerabilities in the system. The goal is to create a backdoor so the bad actors can execute arbitrary code. So far the most proliferate exploits kits used since the beginning of this year. Have been Angler, Neutrino, and RIG. Having stood out among them due to its scope is the Angler Exploit Kit.

Increase of usage of Angler Exploit Kit. Source:

Increase in usage of Angler Exploit Kit. Source:

Angler is an exploit kit that has been known for its aggressiveness and ability to be undetected by security software. Researchers at Palo Alto Networks detected over 90000 compromised websites that have been infected with Angler. 30 of these compromised sites rank in Alexa’s top 100,000 sites. The exploit is available in the underground internet market as a “malware-as-a-service”. Its proliferation this year is due in part to its efficiency as an exploit and its user-friendly interface for the average user.

The way Angler works is by infecting a website with the exploit that will then redirect visiting users to domains that will inject the malware. The more popular the site, the higher the rate of infection for the malware. Once a user visits the website, the malware will attempt to redirect the user to the domain containing Angler. So far Angler has three ways to create a redirection; by HTTP POST, domain generating algorithms, and HTTP redirects.

Graphical representation of Angler Exploit. Source:

Graphical representation of Angler Exploit. Source:

Once redirected, the user will arrive at the website containing the exploit, or landing page. The site provides multiple layers of obfuscation to disguise the malware and make analysis difficult. Security researchers at Sophos prepared a detailed technical article dissecting the code behind the exploit kit. The malware is coded in JavaScript and HTML and takes advantage of vulnerabilities in older versions of flash player or Internet Explorer. The malware will then begin installing malicious software. The payload of the exploit varies, but more than 50 percent of payloads analysed consist of ransomware.

Different types of malware installed by Angler. Source:

Different types of malware installed by Angler. Source:

The usage of exploit kits has risen by 75 percent since last year; Angler is just the tip of the spear. However, this exploit can infect a broad range of users due to its number of infected sites and its ability to remain undetected. The fact that this exploit has compromised 30 of Alexa’s top sites makes it all the more problematic.

Leave a Reply

Your email address will not be published. Required fields are marked *