Angler Exploit Kit Uses Domain Shadowing Technique To Evade Detection

The world's infamous Angler Exploit Kit has become the most advanced, much more powerful and the best exploit kit available in the market, beating the infamous BlackHole exploit kit, with a host of exploits including zero-days and a new technique added to it.

Angler Exploit Kit's newest technique is dubbed "Domain Shadowing", which is considered to be the next evolution of online crime. Domain Shadowing, which first appeared in 2011, is the process of using users' domain registration logins to create subdomains.

WHAT IS DOMAIN SHADOWING?
With the help of the Domain Shadowing technique used in a recent Angler campaign, attackers are stealing domain registrant credentials to create tens of thousands of sub-domains that are used in hit-and-run style attacks in order to either redirect victims to the attack sites, or serve them malicious payloads.

Security researcher Nick Biasini of Cisco's Talos intelligence team analysed the campaign and said the "massive" and ongoing Angler campaign targeting Adobe Flash and Microsoft Silverlight vulnerabilities dramatically shot up in the past three months.
"Domain shadowing using compromised registrant credentials is the most effective, difficult to stop, technique that threat actors have used to date. The accounts are largely random so there is no way to track which domains will be used next," said Nick Biasini.
"Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns. This makes blocking increasingly difficult. Finally, it has also hindered research. It has become progressively more difficult to get active samples from an exploit kit landing page that is active for less than an hour. This helps increase the attack window for threat actors since researchers have to increase the level of effort to gather and analyze the samples."
HOW DID HACKERS DO IT?
In the recent campaign, the cyber criminals are taking advantage of the fact that most of the domain owners do not regularly monitor their domain registrant accounts, which are typically compromised through phishing attacks. This allows attackers to create a seemingly endless supply of sub-domains to be used in further attacks.

Another technique, called Fast Flux, allows hackers to change the IP address associated with a domain to evade detection and blacklisting. Unlike Domain Shadowing, which rotates sub-domains associated with a single domain or a small group of IP addresses, Fast Flux quickly rotates a single domain or DNS entry across a large list of IP addresses.
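The two DNS patterns described above (many random, short-lived subdomains sharing a small IP pool for domain shadowing, versus one hostname cycling through many addresses for fast flux) can be told apart from passive-DNS data. The following Python is an added example for defenders, not code from the article or from Cisco Talos; the records, domain names, addresses and thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed passive-DNS observations (fqdn, resolved IP); the names and addresses are made up.
RECORDS = [
    ("k8d2q1x.shadowed-example.test", "203.0.113.10"),
    ("zp93mwe.shadowed-example.test", "203.0.113.10"),
    ("q07vh2s.shadowed-example.test", "203.0.113.11"),
    ("b6tr1ya.shadowed-example.test", "203.0.113.10"),
    ("xw4n8cl.shadowed-example.test", "203.0.113.11"),
    ("cdn.flux-example.test", "198.51.100.1"),
    ("cdn.flux-example.test", "198.51.100.2"),
    ("cdn.flux-example.test", "198.51.100.3"),
    ("cdn.flux-example.test", "198.51.100.4"),
    ("cdn.flux-example.test", "198.51.100.5"),
    ("www.normal-example.test", "192.0.2.5"),
    ("mail.normal-example.test", "192.0.2.6"),
]

def base_domain(fqdn):
    """Registrable domain, approximated as the last two labels (no public suffix list)."""
    return ".".join(fqdn.split(".")[-2:])

def label_entropy(label):
    """Shannon entropy (bits/char) of a label; machine-generated labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def classify(records, min_subs=5, min_flux_ips=5, entropy_floor=2.5):
    """Label each registrable domain as domain-shadowing, fast-flux or benign."""
    hosts, ips_by_host = defaultdict(set), defaultdict(set)
    for fqdn, ip in records:
        hosts[base_domain(fqdn)].add(fqdn)
        ips_by_host[fqdn].add(ip)
    verdicts = {}
    for base, fqdns in hosts.items():
        all_ips = set().union(*(ips_by_host[h] for h in fqdns))
        mean_entropy = sum(label_entropy(h.split(".")[0]) for h in fqdns) / len(fqdns)
        # Shadowing: many random-looking subdomains that share a small pool of IPs.
        if len(fqdns) >= min_subs and len(all_ips) < len(fqdns) and mean_entropy >= entropy_floor:
            verdicts[base] = "domain-shadowing"
        # Fast flux: a single hostname cycling through many different addresses.
        elif max(len(ips_by_host[h]) for h in fqdns) >= min_flux_ips:
            verdicts[base] = "fast-flux"
        else:
            verdicts[base] = "benign"
    return verdicts
```

On real data the thresholds need tuning per organisation, and the two-label base-domain heuristic should be replaced by a public suffix list lookup.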

GODADDY ACCOUNTS AT RISK
Cisco has found up to 10,000 malicious sub-domains on accounts, most of them linked to GoDaddy customers, although the security researchers noted that this was not the result of any data breach, but rather because GoDaddy controls a third of the domains on the Internet.

ATTACK VECTOR
There are multiple tiers to the attack, with different malicious subdomains being created for the different stages listed below:
  • Users are served malicious advertisements in the web browser.
  • The malicious advertisement redirects the user to the first tier of subdomains, known as the "gate".
  • The first tier is responsible for redirecting victims to a landing page that hosts the Angler Exploit Kit, which serves an Adobe Flash or Microsoft Silverlight exploit.
  • This final page is rotated heavily and sometimes those pages are active for only a matter of minutes.
"The same IP is utilized across multiple subdomains for a single domain and multiple domains from a single domain account," Biasini wrote. "There are also multiple accounts with subdomains pointed to the same IP. The addresses are being rotated periodically with new addresses being used regularly. Currently more than 75 unique IPs have been seen utilizing malicious subdomains."
With numerous evasion techniques, zero-day exploits and a high level of sophistication, Angler Exploit Kit has emerged as one of the most formidable hacker toolkits available in the market.

The previous best-selling exploit kit, known as BlackHole, was known to be the most dangerous toolkit, but last year, after the arrest of 'Paunch', the mastermind behind the infamous BlackHole exploit kit, the kit disappeared from the market.