2015-12-21 - Connect the dots

XXX is Angler EK


Snapshot of the MonsterAV affiliate


As I got many questions about an EK named XXX (which is said to be better than Angler ;) ), I decided to share some data here.

XXX Control Panel
Login Page.


XXX is Angler EK (it is the real name of its most documented instance, at least).

Angler EK / XXX IE-exploit-only stats on 2015-07-25
(for some reason Flash exploits were not activated on that thread)
Note the Chase logo >> JPMorgan >> Cool EK's exploit buyer ;)

You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV"" from:
Paunch's arrest...The end of an Era ! (2013-10-11). This is where I first wrote the name chosen on the defense side for this Exploit Kit. The name was chosen after a logo from the Reveton affiliate.

Snapshot of "The Transition" after Paunch's arrest

But Angler was around before the Reveton team started to use it.

Here is one used against Ukrainians that I captured in August 2013

2013-08-27 - Exploit Kit unknown to me at that time
Ancestor of Angler EK as we know it
[Payload here is most probably Lurk]
This was when the Reveton team was still on Cool EK. It appears that this instance already had fileless capabilities.

A Russian researcher friend connected that instance back to this Securelist post from 2012-03-16: A unique ‘bodiless’ bot attacks news site visitors

So the "(c) 2010" at the bottom of the control panel is probably...the real birth year of Angler.

This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopters of CVE-2015-0311 (a Flash 0day from January) before many "standard" instances of Angler. There were still Java exploits inside in March.

2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits
[Payload here is most probably Lurk]

Angler EK was briefly mentioned (translation here) as part of a "partnerka" by a user with the nickname Menatep in February 2014.

Conclusion: XXX is what we call Angler EK, and Angler EK (indexm instance) is not that young!

Files: 2 Fiddler passes of Angler EK "indexm" from 2013 and 2015 (Password: malware)

Read More:
Police Locker land on Android Devices - 2014-05-04
Paunch's arrest...The end of an Era ! - 2013-10-11
Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurity
Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09
A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - Securelist

Post-publication Reading:
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]
Is it the End of Angler? - 2016-06-11
How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList