Angler EK Malverts Expose US Users

A large scale Angler Exploit Kit malvertising campaign has been spotted by security experts, affecting multiple top tier sites and exposing tens of thousands of netizens in the US to the risk of infection.

Major news sites, entertainment portals and political commentary sites are said to have been unwittingly hosting the malicious ads.

“Based on my analysis, once a user visits a page that loads the malicious ad, the said ad automatically redirects to two malvertising servers, the second of which delivers the Angler Exploit kit,” explained Trend Micro fraud researcher, Joseph Chen, in a blog post.

“As of this writing, the exploit kit proceeds to download a BEDEP variant, which, in turn drops a malware we will detect as TROJ_AVRECON.”

Although the trojan in question is given an overall ‘low’ risk rating, its damage potential is ranked as ‘medium,’ according to Trend Micro.

The malvertising outbreak could be linked to a reported recent update to Angler EK last week, which saw its creators add a Microsoft Edge on Windows 10 Adobe Flash exploit (CVE-2015-7645).

While Trend Micro observed activity on the notorious exploit kit dropping to 3,000 infections by 12 March, that jumped to 18,000 the following day, no doubt driven by the malvertising campaign.

Angler dominated as the leading exploit kit in 2015, according to the security vendor’s end-of-year round-up report, accounting for 57% of exploit-linked URLs accessed.

Its success lies in its ability to easily add in new exploits, according to experts.

In this way, it was updated to include a Flash zero-day that was part of the Hacking Team leak in July, then four months later it included a Flash exploit used in the Pawn Storm campaign.

The EK has been used frequently in malvertising attacks leading to ransomware.

However, there could be light at the end of the tunnel, according to F-Secure.

The firm argued in its own 2015 threat report last week that EKs like Angler could be marginalized by as soon as 2017 if major browsers effectively ban Flash, as they look like they may.

What’s Hot on Infosecurity Magazine?