Two of the most popular methods of delivery for various types of malware are the Angler and Rig exploit kits. These kits employ known vulnerabilities to exploit a user’s web browser and deliver various payloads such as TeslaCrypt and the fairly new Locky ransomware. For more information on exploit kits and protecting yourself from them, see this past blog post. We’ll be taking a look at how we can leverage some of the techniques that the Angler actors utilize — namely domain shadowing and common IP’s — in conjunction with information available in Investigate to uncover domains that are part of the Angler infrastructure before they have been used to infect users.
According to a writeup by the Talos group titled “Threat Spotlight: Angler Lurking in the Domain Shadows,” domain shadowing is the “process of using users’ domain registration logins to create subdomains (i.e., says.imperialsocks.com).” In the example given, the registrant account for “imperialsocks.com” has been compromised. In the case of Angler, imperialsocks.com would live at one IP, while says.imperialsocks.com would resolve to an Angler IP. Additionally, since domain shadowing requires control of the domain registrant’s account, any domains registered with the same account used to register imperialsocks.com are also considered compromised by association. Let’s look at how we can utilize some of the Investigate features to preemptively block these compromised domains.
A CASE STUDY
Recently, OpenDNS researchers have been working on a scanner that allows us to identify new Angler gates before they experience spikes in traffic. We will take just one of the domains found by this scanner, and demonstrate how this initial indicator allows us to find a whole slew of additional Angler domains.
The shadowed Angler subdomain that the scanner found was ef[.]lawers[.]us. Pictured below is the dns traffic for this domain when it was first picked up by the scanner.The WHOIS information in Investigate shows that this particular registrant account has 20 other domains associated with it. Some of these domains are currently registered to this account, while others have been associated with the registrant in the past, but are no longer under their control.
All of the current domains are considered compromised, since the Angler actors have control over this registrant’s account and can create new Angler subdomains as they please. In addition to the WHOIS information, the Angler IP can be used in Investigate to find other Angler subdomains pointing to the same IP address. In the screenshot below, the effects of domain shadowing can be seen, as the root domain points to one IP (126.96.36.199), while the shadowed subdomain points to an Angler IP (188.8.131.52).
Searching the IP of the shadowed subdomain in Investigate results in the following known domains that resolve to that IP.
All of these domains are serving Angler. Like the initial domain, the registrant accounts of all of these domains are compromised; thus, the WHOIS information for all of these domains can be used to find even more compromised domains as was just demonstrated.
Here is a screenshot of the traffic to the initial domain (lawers[.]us) just hours after it was picked up by the Angler scanner.Pictured is the characteristic spike in traffic that accompanies Angler. A similar spike can be seen in the traffic of many of the other registrant’s domains, showing the Angler actors’ full control over the user’s account. The traffic graphs of some of these domains are pictured below.
With this method, Investigate users can enumerate hundreds of compromised Angler domains off of just one initial indicator.