Top-tier news sites, entertainment portals, and political commentary sites were among the victims of a massive malvertising campaign related to the Angler Exploit Kit. This campaign is targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone. Based on our monitoring, the malicious ads were delivered by a compromised ad network in these highly-visited mainstream websites. As of this writing, while the more popular portals appear to be no longer carrying the bad ad, the malvertising campaign is still ongoing and thus continues to put users at risk of downloading malware into their systems.Read More
An attack aiming to infect PoS systems was found using the Angler Exploit Kit to push a PoS reconnaissance Trojan,This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions in the infected system like if it is a PoS machine or part of a PoS network. It then proceeds to download specific malware depending on the…Read More
Early this year, we reported that in 2015, Angler came out as the top exploit kit, having contributed 59.5% in the total exploit kit activity for the year. Now, there’s barely any pulse left.
After the arrest of 50 people accused of using malware to steal US$25 million, it is interesting to note that Angler basically stopped functioning. With Angler’s reported inactivity, it appears that cybercriminals are scrambling to find new exploit kits to deliver malware. Angler had been the exploit kit of choice because it was the most aggressive in terms of including new exploits and it was able to apply a lot of antivirus evasion techniques such as payload encryption and fileless infection.Read More
When it comes to exploit kits, it’s all about the timing. Exploit kits often integrate new or zero-day exploits in the hopes of getting a larger number of victims with systems that may not be as up-to-date with their patches. We found two vulnerabilities that were now being targeted by exploit kits, with one being…Read More
We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera. Underminer transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file system format (romfs). These make the exploit kits and its payload challenging to analyze.Read More