June 13, 2016

Angler Exploit Kit's Last Heartbeat? [UPDATE: 15/JUN/2016]

Nicholas Griffin, Security Researcher

Angler Exploit Kit (EK), one of the most advanced and prevalent exploit kits, appears to no longer be active. Only this month it was reported that Angler had introduced a new bypass for Microsoft's EMET, so the sudden disappearance of the kit is unexpected. However, it could be related to the recent arrests of a "Russian hacker gang" who were using Angler EK to distribute their "Lurk" banking trojan.

Kafeine reported on his blog that actors who had been using Angler for several years had recently moved to Neutrino to spread their malware. He also stated that Neutrino has doubled the price of its exploit kit, similar to how exploit kit prices increased after the demise of the infamous Blackhole exploit kit.

Kafeine reported that the last hits he saw on Angler were on June 7, 2016. In Forcepoint's customer telemetry we can see that the last hits we saw were on June 9, 2016.

UPDATE (15/JUN/2016): It is likely that the data we saw on June 8 and June 9 were hits on dead Angler EK URLs from websites that were still compromised, but would not have served any content. Thanks to Kafeine for working with us to determine these potential "ghost" hits.

We will continue to monitor Angler to see if it re-emerges or if it is truly dead and buried. In its absence we expect to see a sharp increase in hits on other active exploit kits such as RIG and Neutrino.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.