Threat Management, Malware

Cisco Talos ties Angler disappearance to Russian arrests

Researchers at Cisco Talos believe the disappearance of the Angler exploit kit (EK) from the threat landscape may be a long-term situation and that its absence is most likely tied to the take down of a Russian gang by law enforcement in early June.

Talos blogger Nick Biasini tied together about a dozen strings to come to the conclusion that arrests made in Russia on June 2 of a gang linked to the Russian banking trojan Lurk directly led to the take down of Angler. Talos has identified 125 command and control servers associated with Lurk with 85 percent registered to a single Yahoo email address; john[.]bruggink@yahoo[.]co[.]uk. Another major signal is Lurk was delivered primarily via Angler.

“That email address should be familiar to those that read our research into Bedep as that was one of the three emails associated with registrant accounts that were tied to it as well as Angler. This particular registrant account was of interest because of its role in the back-end communication of Angler,” he wrote.

The reason Biasini believes Angler's disappearance this time is more permanent than when the EK fell of radar screens earlier this year is the fact that other criminal organizations have shifted over to using Neutrino, Rig and other EKs to deliver malware, something that did not happen the first time. These kits have also seen their rental price rise, a sign that demand has increased.

Talos also believes the recent fall off in use of the Necurs botnet, along with its associated Locky and Dridex malware, was also tied to the arrests.

“During the research back in February, we uncovered a couple of C2 domains associated with Necurs that were owned by this same John Bruggink registrant account. Around the same time Lurk went away and Angler disappeared so did the Necurs botnet,” Biasini said.

However, after a three week layoff Necurs is back in business delivering Locky and Dridex.

While admitting he is basing his conclusions on circumstantial evidence, Biasini believes the smoking gun is the Bruggink account.

“If this one group was running all of these activities this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars,” he said.

There is an unfortunate downside to this situation. Criminal activity abhors a vacuum and there is an excellent chance these threats will again raise their ugly heads as has happened in the past.

“The best evidence of this was the author of Blackhole exploit kit being arrested, for a time there was an arms race between exploit kits to see who would take the top spot. We expect the same thing to occur now as Angler and possibly Nuclear leave the threat landscape,” he concluded.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.