What is: The Angler Exploit Kit

The Angler exploit kit is a pre-packaged toolkit sold on the dark web that criminals use to distribute malware.

With an exploit kit, would-be attackers no longer need to find bugs in software; develop ways to exploit them; set up or take over web servers to host these exploits; and lure victims to booby-trapped websites known as landing pages. Likewise, exploit kit makers do not need to write malware; or keep track of infected computers; or collect money from victims; or exfiltrate and sell stolen.

When a vicitm visits a booby-trapped site they’re redirected to a website that hosts the Angler exploit kit. Here, Angler attempts to systematically exploit the victim with a list of known vulnerabilities (in Flash, Silverlight, Java, JavaScript…​) and deliver the payload.

if  Flash is installed
        try exploit #1
        if exploit works, deliver payload
        else try exploit #2
if JavaScript is installed
        try exploit #1
        ...
else give up

When a vulnerability can be exploited, Angler typically downloads the payload from a third web page. Although this can be any type of malware - like a password stealer or adware - ransomeware now makes up a significant portion of payloads.

You can read more about Angler on the Sophos website, which also contains news about how the exploit kit is now used to deliver Ransomeware.

comments powered by Disqus