The Cisco Talos Group has performed in-depth research on the threat actors behind the Angler Exploit Kit, and even had behind-the-scenes access, allowing statistical information as well as Angler’s inner-workings to be examined.
Note that any metrics / statistical information presented throughout this article were determined via the analysis of a data set stemming from a few months earlier; July, 2015.
The Angler EK infrastructure follows what Cisco has determined to be a “proxy/server” configuration. Angler is not simply a single Web Application or just a single, physical server; rather, the Angler architecture includes several different components that both complement each other and provide redundancy.
Exploit Server: The instance examined by Cisco utilized a single “exploit server” that was responsible for actually delivering the malicious traffic through a chain of several proxy servers of varying locations. The exploit server runs on the Linux operating system and leverages the NGINX Web Server.
Proxy Server: The proxy server is the system that directly interacts with the users; while the exploit server contains the payloads, it does not directly interact with the user. Instead, it delivers the payload to the target through several proxy servers. The use of proxy servers protects the exploit server from being discovered.
Health Monitoring Server: The third core component of Angler’s successful operation is a health monitoring server. This server conducts routine “health checks” allowing for the gathering of statistical information (victim geolocation, success/failed compromise rate, etc.). This server essentially verifies that the operation is running smoothly.
The use of a single exploit server that never directly interacts with users allows the Angler group to utilize a single server to manage their exploits with a low rate of being discovered. Serving the malicious payload through a series of proxy servers is the evasive technique utilized to protect the exploit server.
Talos gained an inside view of one of the health monitoring servers utilized by an Angler Exploit Kit instance active throughout the month of July 2015. This single server was seen monitoring 147 proxy servers, allegedly generating approximately $3 million in revenue over the span of that single month of July.
Additionally, Talos has determined that this single Angler instance is (or was) responsible for half of all Angler activity that they observed and is likely generating more than $30 million annually. Furthermore, this revenue was generated by the distribution of Ransomware.
The primary Internet Service Providers (ISPs) that Talos observed during their analysis were determined to be Limestone Networks and Hetzner. An example of the threat actors’ activities performed while developing their Angler infrastructure, based on information provided by Limestone Networks, can be summarized as follows:
Exploit Breakdown and Malware Payloads
A breakdown of the exploits delivered by the Angler instance examined by Talos in July 2015 is as follows:
The malware payloads delivered by this instance of Angler were primarily ransomware; More than 60% of compromised devices were infected with ransomware. Specifically, the CryptoWall 3.0 and TeslaCrypt 2.0 ransomware variants. Additionally, Angler was also found to be serving the Bedep Trojan Downloader, Ad-Fraud (or Click-Fraud) Trojans, as well as various other keyloggers and varying types of Trojans.
Talos estimates that the examined instance of Angler successfully compromised 40% of the hosts that interacted with it.
The Key to Angler’s Success:
Angler’s high rate-of-compromise is due to the low detection rate of the exploit payloads being served. Talos estimates that in July 2015, approximately 3,000 unique hashes were found to be related to exploits delivered by the kit.
Talos submitted this set of hashes to VirusTotal, and discovered that only 6% of these hashes existed in the VirusTotal’s database. Of this small subset of detected hashes, the majority had relatively low detection rates; most of which were detected by less than 10 Anti-Virus engines.
Talos determined that Angler’s primary targets were users browsing the Web with the Internet Explorer 11 browser, running either the Windows 7 or Windows 8.1 operating system. In theory, throughout the single month of July, Angler may have interacted with more than 13 million unique IP addresses.
Angler’s Revenue Explained
The average life span of a server associated with Angler is 1 day. The below statistics reflect the July 2015 dataset analyzed by Talos:
90,000 Targeted Victims Per Day
9,000 Exploits Served Per Day
3,600 (40%) Systems Successfully Compromised
2,232 (62%) Angler Infections Delivered Ransomware
2.9% (Based on USCert via Symantec) Ransoms Paid Daily
$300 Average Ransom Demanded
147 Total Redirection Servers
64.73 Ransoms Paid Daily
$19,419.00 Daily Ransom Revenue Per Server
$95,153.10 Gross Daily Ransom Revenue
$2,854,593.00 Gross Monthly Ransom Revenue
$34,225,116.00 Gross Annual Ransom Revenue
Cisco Deals a Huge Blow to the Angler Group
Cisco has worked with Limestone Networks, the primary ISP found to be hosting the Angler Exploit Kit, to eliminate the threat actors’ affiliated servers from their network. The actions carried out by Cisco to mitigate this threat from the primary ISP utilized by Angler (allegedly generating approximately $30M of the approximately $60M total annual revenue) likely resulted in a huge financial blow to the miscreants behind Angler. Cisco stated that further actions were being taken to further disrupt Angler’s operations; more can be read on the Cisco Talos Threat Intelligence website.
About the Author Michael Fratello
Edited by Pierluigi Paganini
(Security Affairs – Angler Exploit Kit, cybercrime)