'

Guardian article on cybercrime serves up Angler Exploit Kit

The Angler Exploit Kit has been found serving itself up through an old Guardian article about cybercrime gone "out of control."

guardian-angler-malvertising.jpg

Updated: A cybercrime article on the Guardian's website has been found to be serving up the Angler Exploit Kit.

The tainted article from 2011 is called "Cybercrime: is it out of control?" FireEye Labs discovered the problem December 1, and detailed the discovery in this week's post, Cybercrime News Results In Cybercrime Blues.

As it turns out, this instance of Angler infection does not come from a tainted ad. It comes from simply visiting the Guardian's article about cybercrime. ZDNet cautions readers to follow FireEye's instructions: "Visitors to the site are encouraged to use caution to avoid potentially becoming infected."

"Successful exploitation by Angler resulted in a malware infection for readers of the article. ... As it turns out, visiting the page...silently redirected browsers to an Angler Exploit Kit landing page. The article loaded several other pages and links, including links for syndication."

Guardian told FireEye that they "are aware of FireEye's claims and are working to rectify the issue in question as soon as possible."

Visiting the page would execute an embedded script to redirect the reader's browser to an Angler Exploit Kit landing page. FireEye described,

The use of an OLE Automation vulnerability exploited through VBScript, along with evidence of potential Flash exploitation, can be observed in this particular attack.

Angler unconditionally attempted to exploit a popular vulnerability: CVE-2014-6332. This is a memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation, which can be triggered through VBScript with Internet Explorer as seen below.

(...) Angler also unconditionally embedded a Flash object in the page at runtime. The FlashVars included crypto constants for D-H (g, u), and a URL to the payload (exec). Angler's server then decided whether to serve a Flash exploit, presumably based on information in the request like x-flash-version.

This news comes only days after Angler was found serving malvertising to visitors of video site DailyMotion.

In April research by Sophos, the company reported all Angler payloads being delivered through exploits on Internet Explorer (59%) or Flash (41%).

The malware families Angler delivers primarily focus on ransomware, which accounted for over 50% of the attacks. Sophos said, "The most common ransomware was Teslacrypt."

As reported with infamous ransom kit CryptoLocker, ransomware aggressively encrypts all files on a system (including mapped drives, Dropbox files, and all locally connected, network-attached, or cloud-based storage) and demands payment in Bitcoin to unlock the files.

Angler made a splash in January when it was found exploiting a zero-day flaw in Flash Player. That same month, FireEye reported the Angler exploit spreading like wildfire through banner ads on popular adult websites (vis-a-vis a version of Angler EK).

In August, Angler struck on MSN.com with -- you guessed it -- another drive-by malvertising campaign. October saw Angler targeting Daily Mail visitors through poisoned ads as well. Only last month, Angler hit visitors to Reader's Digest and other sites through a WordPress exploit.

Following the Blackhole exploit kit's demise last year, Cisco security researchers were first to call Angler the new "one to watch" in 2015. They were right.

In the meantime, feel better about your ad-blocking decisions if you've visited any website and seen the message, "We notice you're using an ad-blocker. ..."

Editor's Note: A previous version of this article indicated Angler was being served through malvertising. This article has been updated to clearly state Angler's method of delivery and warn readers about visiting the page.