Cisco has dealt a major blow to a cybercrime gang using the infamous Angler Exploit Kit, disrupting a $30m annual revenue stream by blocking access to its proxy servers and sharing IoCs with the community.
The networking giant’s Talos group decided to focus analysis on Angler back in July and found that a large amount of activity was focused on a single hoster – Limestone Networks.
It explained the Angler set-up in a blog post:
“Angler is actually constructed in a proxy/server configuration. There is a single exploit server that is responsible for serving the malicious activity through multiple proxy servers. The proxy server is the system that users communicate with, allowing the adversary to quickly pivot and change while still shielding the exploit server from identification and exposure.”
Talos also found a ‘health monitoring server’ which it said conducted health checks and gathered information about victim hosts, remotely erasing the log files once they had been obtained. This discovery helped the researchers understand the scope and scale of the campaign and work out how much revenue it generated.
Just one health server was monitoring 147 proxies over one month, generating over $3m, and targeting up to 90,000 people each day, Cisco said. The group accounted for half of all Angler activity it observed, generating over $30m per year in ransomware infections.
After its discovery, Cisco took several steps to disrupt the group, including updating its products to stop redirects to Angler proxies; releasing Snort rules to detect and block health checks; and publishing IoCs and other details to the community so others can block access.
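The last of those steps, publishing IoCs so that others can block access to the proxies, is the one most readers can act on directly. The script below is an added illustration of how a defender might consume such a list against their own web-proxy logs; it is not Cisco's or Talos's code, and every address, CIDR range and log line in it is a constructed placeholder (RFC 5737 documentation ranges), not one of the published IoCs. It assumes a Squid-style access log, where the last-but-one field records the upstream destination the proxy actually connected to.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder IoCs (RFC 5737 documentation ranges), NOT Cisco's published list.
# Entries may be single hosts or CIDR blocks, as real IoC feeds usually mix both.
PROXY_IOCS = ["198.51.100.10", "198.51.100.11", "203.0.113.0/28"]

# Constructed Squid-style access log lines; client IPs and destinations are placeholders.
# One deliberately malformed line is included so the parser's skip path is exercised.
SAMPLE_LOG = """\
1444000000.101 123 10.0.0.5 TCP_MISS/200 5120 GET http://198.51.100.10/forum/viewtopic.php - DIRECT/198.51.100.10 text/html
1444000001.202  98 10.0.0.7 TCP_MISS/200 2048 GET http://example.org/index.html - DIRECT/93.184.216.34 text/html
1444000002.303 110 10.0.0.5 TCP_MISS/200 4096 GET http://203.0.113.7/ - DIRECT/203.0.113.7 text/html
1444000003.404  77 10.0.0.9 TCP_MISS/200 1024 GET http://198.51.100.11/ - DIRECT/198.51.100.11 text/html
malformed line that the parser should skip
"""

# Field layout: timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/dest, type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<dest>\S+)\s+\S+$"
)


def load_iocs(iocs):
    """Turn IoC strings (single hosts or CIDR blocks) into ip_network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in iocs]


def is_ioc_hit(dest, networks):
    """True if the destination address falls inside any IoC host or range."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False  # destination was a hostname or garbage, not an IP literal
    return any(addr in net for net in networks)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_iocs(log_text, iocs):
    """Return the parsed log records whose upstream destination is a known proxy IoC."""
    networks = load_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_ioc_hit(rec["dest"], networks):
            hits.append(rec)
    return hits


def affected_clients(hits):
    """Internal hosts that reached an IoC; these are the machines to triage first."""
    return {h["client"] for h in hits}


def hits_per_proxy(hits):
    """How often each listed proxy was contacted, useful for prioritising blocks."""
    return Counter(h["dest"] for h in hits)


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG, PROXY_IOCS)
    for h in found:
        print(f"{h['client']} -> {h['dest']} {h['url']}")
    print("affected internal hosts:", sorted(affected_clients(found)))
    print("hits per proxy:", dict(hits_per_proxy(found)))
```

Matching on the upstream destination rather than the URL hostname matters here: Angler landing pages were reached through redirects and throwaway domain names, while the proxy address behind them is the part the IoC list actually identifies. Swapping `SAMPLE_LOG` for a real log file and `PROXY_IOCS` for a published feed is the only change needed to use this on live data.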
Other third parties that helped Cisco gain visibility into the cybercrime group included Level 3 Threat Research Labs and OpenDNS.
If Cisco’s estimates are correct, the Angler Exploit Kit generates over $60m each year globally.