Since last year, we’ve been monitoring various redirectors which lead to exploit kits (EK). One of the redirectors in question routes to either Angler EK or Neutrino EK. SANS ISC has also observed this particular redirector switching between these two kits.
At the beginning of this year, we noticed a sudden significant drop in our telemetry for this redirector.
Interestingly, our Angler telemetry also dropped on the same day, whereas Neutrino remained active. During that time, we noticed that Neutrino was served directly from compromised websites instead of via a redirector.
At first glance, it looked as if Angler took a vacation. Perhaps that is mostly true, but looking more closely at our telemetry, a very small group remained active during their supposed time off.
Here are some of the instances that we see in our telemetry.
On January 11th, Angler activity started picking up again, while Neutrino activity slowly went down. There seem to be no apparent changes between the Angler EK seen before and after the break, which makes it look like they just took some vacation.
It is also interesting to note that Angler uses non-English words in generating their subdomains. The following are some Finnish words we’ve seen used by Angler in 2015 and 2016.
“valtioneuvostossa” means “in the State Council”
“omakotirakentamisessa” means “when building single-family detached homes”
“kansatieteelliseen” means “to an ethnological [something]”
“nauhoittamasta” means “from recording”
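One way a defender can operationalize the subdomain observation above is to scan proxy or DNS logs for hosts whose leftmost label is one of the words reported here, or is an unusually long purely alphabetic label. The following is an added example, not code from the original post; the log format, the sample lines and the length threshold are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Finnish words this post reports seeing in Angler EK subdomains.
OBSERVED_ANGLER_WORDS = {
    "valtioneuvostossa", "omakotirakentamisessa",
    "kansatieteelliseen", "nauhoittamasta",
}

# Assumed log format (constructed): "<timestamp> <client-ip> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def leftmost_label(host):
    """Return the leftmost DNS label of a hostname, lowercased."""
    return host.lower().split(".")[0]

def classify_host(host, min_len=14):
    """Return a reason string if the host matches the pattern, else None."""
    label = leftmost_label(host)
    if label in OBSERVED_ANGLER_WORDS:
        return "known-word"
    # Heuristic (an assumption, not from the post): long, purely
    # alphabetic leftmost labels are rare for legitimate hosts and
    # worth a closer look. min_len=14 covers all four observed words.
    if len(label) >= min_len and label.isalpha():
        return "long-alpha-label"
    return None

def scan_log(lines):
    """Yield (timestamp, client, host, reason) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines
        ts, client, url = m.groups()
        host = urlparse(url).hostname
        if not host:
            continue
        reason = classify_host(host)
        if reason:
            hits.append((ts, client, host, reason))
    return hits

# Constructed sample proxy log; domains are placeholders, not real IoCs.
SAMPLE_LOG = """2016-01-05T10:12:03Z 10.0.0.5 http://www.example.com/index.html
2016-01-05T10:12:09Z 10.0.0.5 http://valtioneuvostossa.example.net/forum/viewtopic.php
2016-01-06T08:01:44Z 10.0.0.7 http://cdn.example.org/js/app.js
2016-01-06T08:02:10Z 10.0.0.7 http://tietokoneohjelmissa.example.net/
"""
```

The word list is a brittle signal on its own, so the length heuristic is there to surface labels built from words not yet observed; tune `min_len` against your own baseline of legitimate long labels before alerting on it.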