
Angler: The Rise and Fall of an Exploit Kit

  • Posted on: September 14, 2016
  • Posted in: Malware, Ransomware, Security
  • Posted by: Christopher Budd (Global Threat Communications)

In late 2013, the then-infamous Blackhole Exploit Kit (BHEK) disappeared after the arrest of its author, “Paunch,” earlier in October 2013.

In March of 2015 we published our report “The Evolution of Exploit Kits” and noted how in 2013 a new exploit kit, Angler, quietly emerged onto the scene and by the end of 2014 had risen to become the number two exploit kit after the Sweet Orange Exploit Kit. We first noted Angler in December 2014.

In our Q2 2015 Quarterly Threat Report, “A Rising Tide: New Hacks Threaten Public Technologies,” we noted that Angler had surpassed the Sweet Orange and Nuclear exploit kits to become the number one exploit kit.

And then, writing about our 3Q2015 Quarterly Threat Report, “Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks,” I said that Angler had risen to the top of the exploit kit heap by maintaining its number one position for two quarters.

Since then, we have seen Angler solidly at the number one position for exploit kits.

Until now.

In our 2016 Midyear Security Roundup, “The Reign of Ransomware,” our research shows that Angler’s reign as the top exploit kit came to a sudden end.

All seemed to be going well for Angler. As recently as March 2016, Angler was going strong. It had ended 2015 so strong that we called it the “King of Exploit Kits” in our 2015 Annual Security Roundup “Setting the Stage: Landscape Shifts Dictate Future Threat Response Strategies.” In our March 2016 review of exploit kits, we noted how Angler was then showing almost 60% of the exploit kit detections.

At that time, there was no reason to think that things would change. But if you look at our 2016 Midyear Security Roundup you’ll see that by June, Angler had nearly disappeared.

What happened?

Arrests. Arrests are what happened.

In June we noted how, after the arrest of 50 people in Russia and the United Kingdom for using malware to steal US$25 million, Angler effectively died.

If you look at our exploit kit activity on page 9 of our 2016 Midyear Security Roundup, you can see that even by March, when we were last writing about Angler, there was the beginning of a drop in activity (though it was still clearly number one). But after March there’s an unmistakable drop in Angler until it approaches zero by the end of June with a mere 90K accesses (compared with 1.2 million in January).

All indications are that Angler is gone for good. Its likely authors have been apprehended and other exploit kits are starting to jockey for position: Neutrino and Rig exploit kits are both moving to fill the vacuum.

While it would be better to report that with Angler out of the picture the exploit kit problem is going away, there’s still no doubt that the fall of Angler means, for now at least, that exploit kit activity is less than it had been. Law enforcement activity isn’t a silver bullet, but it is a critical part of the overall program of keeping people safe.

The Angler story is an interesting one, though, because it lets us track the full lifecycle of a very successful piece of malware.

Angler Exploit Kit: 2013 – 2016

Number One Exploit Kit: May 2015 – June 2016

Goodbye and Good Riddance
