Angler Exploit Kit’s January Vacation

Since last year, we’ve been monitoring various redirectors which lead to exploit kits (EK). One of the redirectors in question routes to either Angler EK or Neutrino EK. SANS ISC has also observed this particular redirector switching between these two kits.

At the beginning of this year, we noticed a sudden significant drop in our telemetry for this redirector.

Hits of the redirector that leads to either Angler EK or Neutrino EK.

Interestingly, our Angler telemetry dropped on the same day, whereas Neutrino remained active. During that time, we noticed that Neutrino was being served directly from compromised websites instead of via a redirector.

Figure: Angler EK and Neutrino EK hits, 2015.12.24 - 2016.01.15.

At first glance, it looked as if Angler had taken a vacation. That is probably mostly true, but looking more closely at our telemetry, a very small group of Angler instances remained active during the supposed time off.

Here are some of the instances we saw in our telemetry.

Figure: Angler EK URLs observed on 2016.01.03.

On January 11th, Angler activity started picking up again, while Neutrino activity slowly went down. There seem to be no apparent changes between the Angler EK seen before and after the break, which makes it look like the operators simply took some vacation.

It is also interesting to note that Angler uses non-English words when generating its subdomains. The following are some Finnish words we have seen used by Angler in 2015 and 2016.

Figure: Finnish words in Angler EK subdomains, 2015.

“valtioneuvostossa” means “in the State Council”
“omakotirakentamisessa” means “when building single-family detached homes”

Figure: Finnish words in Angler EK subdomains, 2016.

“kansatieteelliseen” means “to an ethnological [something]”
“nauhoittamasta” means “from recording”
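A defender can turn the observation above into a simple hunting check: pull hostnames out of proxy logs and flag any subdomain label that is a whole dictionary word from a wordlist of the Finnish terms seen in Angler EK traffic. The script below is an added example written for this post, not code from the original article or from any vendor; the log lines are constructed, the wordlist holds only the four words quoted above, and the "registrable domain is the last two labels" rule is an assumption (a real deployment would use the Public Suffix List and a much larger wordlist).

```python
import re
from typing import List, Tuple

# Finnish words the post reports seeing in Angler EK subdomains.
ANGLER_FINNISH_WORDS = {
    "valtioneuvostossa",
    "omakotirakentamisessa",
    "kansatieteelliseen",
    "nauhoittamasta",
}

# Constructed sample proxy log lines (timestamp, client, method, URL); not real telemetry.
SAMPLE_LOG_LINES = [
    "2016-01-03T10:01:02Z 10.0.0.5 GET http://valtioneuvostossa.example-domain.test/forum/viewtopic.php",
    "2016-01-03T10:01:09Z 10.0.0.5 GET http://www.example-news.test/index.html",
    "2016-01-03T10:02:44Z 10.0.0.7 GET http://cdn.nauhoittamasta.example-site.test/js/app.js",
    "2016-01-03T10:03:01Z 10.0.0.9 GET http://static.example-shop.test/img/logo.png",
]

# Extract the host part of an http/https URL embedded in a log line.
HOST_RE = re.compile(r"https?://([^/\s:]+)")


def subdomain_labels(host: str) -> List[str]:
    """Return the labels to the left of the registrable domain.

    Assumption (not from the post): the registrable domain is the last two
    labels of the hostname. Use the Public Suffix List in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return labels[:-2] if len(labels) > 2 else []


def matched_words(host: str, wordlist=ANGLER_FINNISH_WORDS) -> List[str]:
    """Return wordlist entries that appear as whole subdomain labels of host."""
    return [label for label in subdomain_labels(host) if label in wordlist]


def scan_log(lines, wordlist=ANGLER_FINNISH_WORDS) -> List[Tuple[str, List[str]]]:
    """Return (host, matched words) for every line whose subdomain hits the wordlist."""
    hits = []
    for line in lines:
        match = HOST_RE.search(line)
        if not match:
            continue  # no URL on this line, nothing to check
        host = match.group(1)
        words = matched_words(host, wordlist)
        if words:
            hits.append((host, words))
    return hits


if __name__ == "__main__":
    for host, words in scan_log(SAMPLE_LOG_LINES):
        print(f"{host}: subdomain label(s) {words} match the Angler Finnish wordlist")
```

Matching on whole labels rather than substrings keeps false positives down; a hit on a rarely used long Finnish word in a subdomain is worth a closer look at the rest of that client's session, not an automatic block on its own.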

