
Cyberoam Blog: Angler Exploit Kit Uses Domain Shadowing and Fast Flux Technique to Evade Detection
In recent times the Angler Exploit Kit has become a hot favourite amongst threat actors. Now a new
technique known as Domain Shadowing is gaining prominence. In this technique, hackers steal
domain registrant credentials and create thousands of sub-domains that are used to cover their
tracks while redirecting victims to compromised websites and hosting malware online. Another,
similar technique used by hackers involves changing the IP address allocated to a domain to
avoid blocking, blacklisting and filtering.
While Domain Shadowing rotates sub-domains associated with a primary domain that involves only
one or a few IP addresses, the technique known as Fast Flux juggles a single domain across a large
group of IP addresses. It is reported that over 10 thousand GoDaddy domains were recently
compromised; however, it wasn't established whether this happened due to a compromise of GoDaddy
infrastructure. It is probable that, because GoDaddy owns 33% of domains on the internet, it topped
the chart, and that end-user accounts were compromised to create these compromised domains.
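The two patterns contrasted above leave different fingerprints in DNS telemetry: domain shadowing shows up as a large number of short-lived, random-looking subdomains under one registered domain that all resolve to a handful of IPs, while fast flux shows up as one hostname whose answers cycle through a large IP pool with short TTLs. The following script is an added example, not code from the Cyberoam post; it builds a constructed set of passive-DNS style records (placeholder names under .example and RFC 5737 addresses) and applies those two heuristics to them. The thresholds are assumed starting points for illustration.

```python
# Added example (not from the Cyberoam post): simple heuristics over
# passive-DNS style records that separate the two evasion patterns the
# post contrasts. All domain names and IPs below are constructed
# placeholders (.example names, RFC 5737 addresses), not real indicators.
from collections import Counter, defaultdict
import hashlib
import math


def _fake_label(seed, length=8):
    """Deterministic random-looking label for the constructed sample."""
    return hashlib.sha256(str(seed).encode()).hexdigest()[:length]


def build_sample_records():
    """Constructed (timestamp, fqdn, answer_ip, ttl) records."""
    recs = []
    # Domain shadowing pattern: 40 throwaway subdomains under one
    # (hypothetical) compromised registrant domain, each seen once,
    # all resolving to the same two IPs.
    for i in range(40):
        fqdn = f"{_fake_label(i)}.compromised-registrant.example"
        recs.append((1000 + i * 60, fqdn, f"198.51.100.{10 + i % 2}", 3600))
    # Fast flux pattern: one hostname cycling through 15 IPs, 60 s TTL.
    for i in range(15):
        recs.append((2000 + i * 60, "cdn.flux-host.example",
                     f"203.0.113.{20 + i}", 60))
    # Benign pattern: a few stable names on one stable IP.
    for name in ("www", "mail", "shop"):
        recs.append((3000, f"{name}.benign-site.example", "192.0.2.5", 3600))
    return recs


def registered_domain(fqdn):
    """Naive registered-domain cut (last two labels). Production code
    should use the Public Suffix List instead (co.uk etc.)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy of a label; random-looking labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def analyze(records, shadow_min_subdomains=20, shadow_max_ips=3,
            shadow_max_lifetime=3600, flux_min_ips=10, flux_max_ttl=300):
    """Return domain-shadowing and fast-flux candidates found in records."""
    subdomains = defaultdict(set)     # registered domain -> fqdns seen
    domain_ips = defaultdict(set)     # registered domain -> answer IPs
    name_ips = defaultdict(set)       # fqdn -> answer IPs
    name_ttls = defaultdict(list)     # fqdn -> TTLs observed
    first_seen, last_seen = {}, {}
    for ts, fqdn, ip, ttl in records:
        rd = registered_domain(fqdn)
        subdomains[rd].add(fqdn)
        domain_ips[rd].add(ip)
        name_ips[fqdn].add(ip)
        name_ttls[fqdn].append(ttl)
        first_seen[fqdn] = min(ts, first_seen.get(fqdn, ts))
        last_seen[fqdn] = max(ts, last_seen.get(fqdn, ts))

    shadowing = []
    for rd, names in subdomains.items():
        # Many subdomains, few IPs, short lived, random-looking labels.
        if len(names) < shadow_min_subdomains or len(domain_ips[rd]) > shadow_max_ips:
            continue
        short_lived = sum(1 for n in names
                          if last_seen[n] - first_seen[n] <= shadow_max_lifetime)
        avg_entropy = sum(label_entropy(n.split(".")[0]) for n in names) / len(names)
        shadowing.append({"domain": rd, "subdomains": len(names),
                          "ips": len(domain_ips[rd]), "short_lived": short_lived,
                          "avg_label_entropy": round(avg_entropy, 2)})

    flux = []
    for fqdn, ips in name_ips.items():
        # One name, many IPs, short TTL so the pool can be rotated quickly.
        max_ttl = max(name_ttls[fqdn])
        if len(ips) >= flux_min_ips and max_ttl <= flux_max_ttl:
            flux.append({"name": fqdn, "ips": len(ips), "max_ttl": max_ttl})
    return {"domain_shadowing": shadowing, "fast_flux": flux}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_records()).items():
        for hit in hits:
            print(kind, hit)
```

Run as-is, the script reports the shadowed registrant domain (40 subdomains, 2 IPs, all short lived) and the fast-flux hostname (15 IPs at a 60-second TTL) while leaving the stable benign names alone. In a real deployment the input would come from a passive-DNS feed or resolver logs, the registered-domain cut should use the Public Suffix List, and the thresholds should be tuned against your own baseline, since large CDNs can legitimately show many IPs per name.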
"Domain shadowing using compromised registrant credentials is the most effective, difficult to
stop, technique that threat actors have used to date. The accounts are largely random so there is
no way to track which domains will be used next. Additionally, the subdomains are very high
volume, short lived, and random, with no discernible patterns. This makes blocking increasingly
difficult. Finally, it has also hindered research. It has become progressively more difficult to get
active samples from an exploit kit landing page that is active for less than an hour. This helps
increase the attack window for threat actors since researchers have to increase the level of effort
to gather and analyze the samples," said Nick Biasini, a Security Researcher.

Let us try to understand the Attack Methodology step by step
1. Victims are lured into clicking malicious advertisements shown in the web browser, a technique known as Malvertising.

2. Once clicked, the malicious advertisement forwards the victim to the first tier of subdomains, known as the gate.

3. This page is responsible for redirecting victims to a landing page that hosts the Angler Exploit Kit, serving an exploit for an Adobe Flash or Microsoft Silverlight vulnerability.

4. This final page is heavily rotated, and sometimes those pages remain active for only a couple of minutes.

Cyberoam Recommendations:

Please keep your AV and IPS enabled for web browsing. Keep the signature database update set to auto-update.

Keep Adobe and Microsoft products updated with the latest patches.

Have effective web filtering in place so that users do not stray into the darker corners of the web, where malvertising is more common and frequent.

CONSULTCORP Soluções Tecnológicas

Rua Mateus Leme, 2004 | Centro Cívico | CEP 80530-010 | Curitiba | Paraná
Fone (41) 3350-6042 Fax (41) 3350-6101
www.consultcorp.com.br
