Cisco Blogs

Angler for Beginners in 34 Seconds

Post authored by Martin Rehak, Veronica Valeros, Martin Grill and Ivan Nikolaev.

In order to complement the comprehensive information about the Angler exploit kit from our Talos colleagues [Talos Intel: Angler Exposed], let’s have a very brief look at what an Angler and CryptoWall infection looks like from the network perspective. We will present one of the recent Angler incidents discovered by Cognitive Threat Analytics (CTA).

Cognitive Threat Analytics works after the attack. It sifts through the logs produced by the client’s web proxy for any malware that may have slipped through the perimeter defences, as in the case described here. CTA was able to observe the attack in its entirety (including the phases where the perimeter defence successfully blocked several stages in the attacker’s plan) and notify the security team immediately for follow-up and investigation.

So, how does an incident start for the analyst?


We can see that the incident has been categorised as an Exploit Kit infection. The system asserts 95% confidence that this incident is a true positive and classifies it at level 8 (out of 10) on the risk scale.

Threat Spotlight: Cisco Talos Thwarts Access to Massive International Exploit Kit Generating $60M Annually From Ransomware Alone

This post was authored by Nick Biasini with contributions from Joel Esler, Nick Hebert, Warren Mercer, Matt Olney, Melissa Taylor, and Craig Williams.

Executive Summary

Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kits on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.

In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks, with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. Extrapolated to the full scope of Angler activity, the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.

Cisco then took action:

  • Shut down access for customers by updating products to stop redirects to the Angler proxy servers.
  • Released Snort rules to detect and block the health checks.
  • All rules are being released to the community through Snort.
  • Published the communication mechanisms, including protocols, so others can protect themselves and their customers.
  • Published IoCs so that defenders can analyze their own network activity and block access to the remaining servers.

This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.

Watch Angler compromise a box and install ransomware at the end of the video.

Angler EK: More Obfuscation, Fake Extensions, and Other Nonsense

This post was authored by Nick Biasini.

Late last week Talos researchers noticed a drastic uptick in Angler Exploit Kit activity. We have covered Angler previously, such as in the discussion of domain shadowing. This exploit kit evolves on an almost constant basis. However, the recent activity caught our attention due to a change to the URL structure of the landing pages. This type of change doesn’t occur often, and it was coupled with some other interesting tidbits, including how the HTTP 302 cushioning has evolved and a change in the payload of another ransomware.

During research Talos identified several active Angler campaigns delivering different payloads via different methods. The first campaign was delivering Cryptowall, which will be covered in detail here. The second delivered Bedep with click fraud and illustrates the variety with which Angler can be used to deliver different payloads. The details of Bedep with click fraud have been covered thoroughly and will not be specifically discussed in this article.

Threat Spotlight: Angler Lurking in the Domain Shadows

This post was authored by Nick Biasini and edited by Joel Esler.


Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large numbers of subdomains for both initial redirection and exploitation. This campaign has been largely attributed to Angler Exploit Kit, with fileless exploits serving various malicious payloads.

The use of hijacked accounts led to a larger research project into the use of hijacked registrant accounts. During this research the earliest examples were found in a 2011 campaign, with sporadic usage until December 2014. Since December 2014 more than 75% of the subdomain activity has occurred, indicating a major shift in approach. This behavior has been covered before in a post that discussed some of the older campaigns as well as the hosting indicators (ASN) of the groups making use of the subdomains.

Angler Exploit Kit – New Variants

This post was authored by Nick Biasini.

On January 27th, Talos researchers began observing a new Angler Exploit Kit (EK) campaign using new variants associated with CVE-2015-0311. Based on our telemetry data the campaign lasted from January 26th until January 30th, with the majority of the events occurring on January 28th and 29th.
