from Malware don't need Coffee
Everyone looking at the drive-by landscape is seeing the same thing: after Nuclear disappeared around April 30th, Angler EK totally vanished on June 7th. We were first thinking of a vacation, as in January 2016, or maybe an infrastructure move. But something else is going on.
---
On the week-end of the 4th-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber).
EngageBDR malvertising redirecting to SadClowns infra, pushing traffic to Neutrino to drop Cerber ransomware
But I was speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.
They had been sticking exclusively to Angler EK for years, and their vacation was synchronized with Angler's in January.
Checking all the infection paths known to me, I could hardly find any Angler... the last ones were behind the EITest infection chain on the night of the 6th to 7th of June.
Last Angler pass I captured, on 2016-06-07: EITest into Angler dropping CryptXXX 3.200 U000017
Last hit in my Angler tracker.
After that... RIG and Neutrino instead of Angler almost everywhere. [Side note: Magnitude is still around... but as mentioned earlier, it has been a one-actor operation for some time.]
Aside from SadClowns and GooNky, here are two other big (in terms of traffic volume) groups whose transition has not already been covered:
"WordsJS" into Neutrino > CryptXXX U000010, 2016-06-10
"ScriptJS" (named NTL/NTLR by RiskIQ and AfraidGate by Palo Alto) into Neutrino > CryptXXX U000011
This gang was historically dropping Necurs, then Locky Affid13, before moving to CryptXXX.
MISP: selection of documented EK passes with associated tags. The arrow marks where you would have found Angler several days before. (SadClowns and GooNky are not featured in that selection.)
With the recent 50 arrests tied to Lurk in mind, and knowing that the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and the beginning of 2016, we might think there is a connection and that some actors are stepping back.
Another hint that this is probably not "only" a vacation for Angler is that Neutrino changed its conditions on June 9th. From $880 per week on a shared server and $3.5k per month on a dedicated one, Neutrino doubled the price to $7k per month, dedicated only (no more per-week rental). Such a move was seen in reaction to the arrest of Blackhole's coder (Paunch) in October 2013.
So is this the end of Angler? The pages to be written will tell us.
“If a book is well written, I always find it too short.”― Jane Austen, Sense and Sensibility
Acknowledgement:
Thanks to Will Metcalf (Emerging Threats/Proofpoint), who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.
Read More:
XXX is Angler EK - 2015-12-21
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News
Neutrino EK and CryptXXX - 2016-06-08 - ISCSans
Lurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - Kaspersky