Angler Exploit Kit – Operating at the Cutting Edge

  • 6 February 2015

The Angler Exploit Kit is one we have been hearing quite a bit about lately. Here is an article explaining how advanced it is.
 
Posted: 05 Feb 2015
 
As we promised in one of our previous blog posts about exploit kits (Nuclear EK), we are going to take a more in-depth look at Angler Exploit Kit. Angler EK is possibly the most sophisticated exploit kit currently used by cybercriminals. It has pioneered solutions that other exploit kits started using later, such as antivirus detection and encrypted dropper files. In addition, Angler tends to be the quickest to integrate the latest zero days, such as the Adobe Flash zero day (CVE-2015-0311) from a few weeks ago, and it employs a notably unique obfuscation. Finally, Angler runs the dropped malware from memory, without ever having to write to the hard drive; this unique technique among exploit kits makes it extremely difficult for traditional antivirus technologies to detect it as they rely on scanning the file system.
 
While Angler is the most advanced exploit kit in today's threat landscape, Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at the following stages:
 
  • Stage 2 (Lure) - ACE has detection for the compromised websites.
  • Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page.
  • Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.
  • Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack.
Full Article
