2016-06-11 - Landscape

Is it the End of Angler ?

Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th,  Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on.

On the Week-End of the 4-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber)

EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber Ransomware
On the 6th I noticed several group migrating to RIG, Neutrino or even Sundown.
But I got speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.
They were sticking exclusively to Angler EK since years and their vacation were synchronized with Angler's in January.

Checking all known to me infection path I could hardly find some Angler....last one were behind the EItest infection chain on the night of the 6th to 7th of June.

Last Angler pass I captured on 2016-06-07
EITest into Angler dropping CryptXXX 3.200 U000017
On June 7th around 5:30 AM GMT my tracker recorded its last Angler hit :

Last Hit in my Angler tracker.

After that...RIG, Neutrino instead of Angler almost everywhere.[Side note: Magnitude is still around...But as mentioned earlier it's a One Actor operation since some time]
Aside SadClowns and GooNky here are two other big (cf traffic volume) group which transition has not been covered already

"WordsJS"  (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U000010
"ScriptJS" (Named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011
This gang  was historically dropping Necurs, then Locky Affid13 before going to CryptXXX
Illustrating with a picture of words and some arrows:

MISP : select documented EK pass with associated tags.
1 arrow where you would have find Angler several days before.
(+ SadClowns + GooNky not featured in that selection)

With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back.

Another hint that this is probably not vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on shared server and 3.5k$ per month on dedicated, Neutrino doubled the price to 7k$ on dedicated only (no more per week work). Such move were seen in reaction to Blackhole's coder (Paunch) arrest in October 2013.

So is this the End of Angler ? The pages to be written will tell us.

“If a book is well written, I always find it too short.” 
― Jane Austen, Sense and Sensibility

Post publication notes:

RIG : mentioned they were sill alive and would not change their Price.
Maybe unrelated to RIG mention, Neutrino updated his thread as announced previously on underground but conditions are revisited :
------Google translate:-----
Tarif week on a shared server:
Rent: $ 1500
Limit: 100k hosts per day
One-time daily discharge limits: $ 200

Rate per month on a dedicated server:
Rent: $ 4000
Limits: 500k hosts per day, and more - on an individual basis.
One-time daily discharge limits: $ 200
So now only price per week is doubled and month rate + ~20%


Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.

Read More :
XXX is Angler EK - 2015-12-21
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News
Neutrino EK and CryptXXX - 2016-06-08 - ISCSans
Lurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - Kaspersky

How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList