Two of the most popular methods of delivery for various types of malware are the Angler and Rig exploit kits. These kits employ known vulnerabilities to exploit a user’s web browser and deliver various payloads such as TeslaCrypt and the fairly new Locky ransomware. For more information on exploit kits and protecting yourself from them, see this past blog post. We’ll be taking a look at how we can leverage some of the techniques that the Angler actors utilize (namely domain shadowing and common IPs) in conjunction with information available in Investigate to uncover domains that are part of the Angler infrastructure before they have been used to infect users.


According to a writeup by the Talos group titled “Threat Spotlight: Angler Lurking in the Domain Shadows,” domain shadowing is the “process of using users’ domain registration logins to create subdomains (i.e.,” In the example given, the registrant account for “” has been compromised. In the case of Angler, would live at one IP, while would resolve to an Angler IP. Additionally, since domain shadowing requires control of the domain registrant’s account, any domains registered with the same account used to register are also considered compromised by association. Let’s look at how we can utilize some of the Investigate features to preemptively block these compromised domains.


Recently, OpenDNS researchers have been working on a scanner that allows us to identify new Angler gates before they experience spikes in traffic. We will take just one of the domains found by this scanner, and demonstrate how this initial indicator allows us to find a whole slew of additional Angler domains.

The shadowed Angler subdomain that the scanner found was ef[.]lawers[.]us. Pictured below is the DNS traffic for this domain when it was first picked up by the scanner.

Traffic graph of lawers[.]us before the Angler traffic spike.

The WHOIS information in Investigate shows that this particular registrant account has 20 other domains associated with it.

Lawers[.]us WHOIS Information

Some of these domains are currently registered to this account, while others have been associated with the registrant in the past, but are no longer under their control.

Domains registered under the compromised registrant account.

All of the current domains are considered compromised, since the Angler actors have control over this registrant’s account and can create new Angler subdomains as they please. In addition to the WHOIS information, the Angler IP can be used in Investigate to find other Angler subdomains pointing to the same IP address. In the screenshot below, the effects of domain shadowing can be seen, as the root domain points to one IP (, while the shadowed subdomain points to an Angler IP (

DNS response for the root domain and the seen Angler subdomain.

Searching the IP of the shadowed subdomain in Investigate results in the following known domains that resolve to that IP.

Angler subdomains seen resolving to the same IP address.

All of these domains are serving Angler. Like the initial domain, the registrant accounts of all of these domains are compromised; thus, the WHOIS information for all of these domains can be used to find even more compromised domains as was just demonstrated.
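The pivot loop described above (IP to co-hosted subdomains, subdomain to registrant, registrant to sibling domains, then repeat) can be sketched as follows. This is an added example, not code from the original post or from Investigate: the WHOIS and passive-DNS tables are constructed sample data, and the function names and the two-label root extraction are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data, not real observations. Registrant -> current domains.
WHOIS = {
    "owner-a@example.test": {"alpha.example", "beta.example"},
    "owner-b@example.test": {"gamma.example"},
    "owner-c@example.test": {"delta.example"},
}
# Constructed passive-DNS A records (hostname -> IP, documentation ranges).
PDNS = {
    "alpha.example": "192.0.2.10", "ef.alpha.example": "203.0.113.5",
    "beta.example": "192.0.2.11", "zz.beta.example": "203.0.113.77",
    "gamma.example": "198.51.100.7", "qx.gamma.example": "203.0.113.5",
    "delta.example": "198.51.100.9", "www.delta.example": "198.51.100.9",
}

def root_of(host):
    # Simplification: last two labels; real data needs the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def is_shadowed(host):
    # Shadowing signature from the post: subdomain IP differs from the root's IP.
    root = root_of(host)
    return host != root and host in PDNS and PDNS[host] != PDNS.get(root)

def registrant_domains(root):
    # All current domains of the account that holds `root`.
    for domains in WHOIS.values():
        if root in domains:
            return set(domains)
    return {root}

def expand(seed_host):
    """Pivot IP -> shadowed hosts -> registrant -> sibling domains, repeatedly."""
    ips, hosts, roots = set(), set(), set()
    queue = deque([seed_host])
    while queue:
        host = queue.popleft()
        if host in hosts or not is_shadowed(host):
            continue
        hosts.add(host)
        ips.add(PDNS[host])
        # IP pivot: other hostnames seen on the same address.
        queue.extend(h for h, ip in PDNS.items() if ip == PDNS[host])
        # WHOIS pivot: every domain on the compromised account, and its subdomains.
        for root in registrant_domains(root_of(host)):
            roots.add(root)
            queue.extend(h for h in PDNS if root_of(h) == root)
    return roots, hosts, ips
```

A subdomain resolving to a different IP than its root is also common for legitimate hosting, so treat the returned hosts and IPs as candidates to confirm against a known exploit kit indicator before blocking.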


Here is a screenshot of the traffic to the initial domain (lawers[.]us) just hours after it was picked up by the Angler scanner.

Traffic graph of lawers[.]us following the Angler traffic spike.

Pictured is the characteristic spike in traffic that accompanies Angler. A similar spike can be seen in the traffic of many of the registrant’s other domains, showing the Angler actors’ full control over the user’s account. The traffic graphs of some of these domains are pictured below.

Byonx Traffic Graph

Choogli Traffic Graph

Nowcuredoc Traffic Graph

With this method, Investigate users can enumerate hundreds of compromised Angler domains from just one initial indicator.
