Angler Fireworks - Analysis of Angler July 2015

Presented at ToorCon San Diego 17 (2015), Oct. 25, 2015, 12:30 p.m. (20 minutes)

Angler Exploit Kit has been everywhere in 2015. From dropping 0-days to domain shadowing, it is compromising users at an alarming rate. July was a particularly interesting month for Angler: several unpatched vulnerabilities were added and the exploit kit itself went through several iterations of evolution. This included multiple significant changes to the URL structure of both landing pages and exploit pages. Talos has unparalleled telemetry data and was able to analyze the activity for the month. This includes thousands of runs through Angler's infrastructure. This talk will discuss the findings of the analysis of the data. This includes:

  • Analysis of IP Infrastructure (Life, Frequency, ASN, Location)
  • Analysis of Domain Usage (Domain Shadowing, Subdomain characteristics, Registered Domains)
  • Analysis of Referrers (Type, Frequency, Trends), including a previously undisclosed referrer campaign making use of Dynamic DNS providers
  • Analysis of Payload (Frequency, Variety, Characteristics)
  • Analysis of Changes (Landing Page, Exploit Page)
  • Analysis of Landing Page (Content, Obfuscation, Evasion)
  • Analysis of Exploit Page (Content, Encoding, Variety)
  • Coverage of exploits used
  • Impact of HT 0-days on Angler

Presenters:

  • Nick Biasini
    Nick Biasini’s interest in computers and technology started at a young age when he tore apart his parents’ brand-new 486SX PC. Ever since, he has been tinkering with computers in one way or another. Nick started down the path of information systems in college and has spent his professional career working in information security. Nick has spent time in most roles in a SOC, including analyst, engineer, and managing teams. Nick has a master’s degree in digital forensics from the University of Central Florida and has worked for government and private sector environments in his career. In his time with Talos, Nick has researched a wide range of topics including Exploit Kits and various malware campaigns being distributed through SPAM.
