The group of cybercriminals behind the Angler browser-based attack managed to compromise GoDaddy registrant accounts in order to host Flash Player exploits on legitimate websites.

In the past two weeks, Adobe was forced to release two out-of-band security updates for Flash Player, removing two zero-day vulnerabilities (CVE-2015-0310 and CVE-2015-0311) that were being exploited in the wild.

About 1,800 legitimate domains used by Angler operators

This week, another security fix is expected, as cybercriminals discovered another zero-day (CVE-2015-0313) and created an exploit that is actively employed against users of Internet Explorer and Mozilla Firefox running on any version of Windows.

The first two exploits are delivered through Angler, while the third one is delivered by the Hanjuan exploit kit, according to independent researcher Kafeine.

Security researchers from Cisco monitored the activity of Angler and noticed that the campaign exploiting CVE-2015-0311 started on January 26, with January 28 and 29 being the most active days.

They determined that the cybercriminals relied on multiple layers of subdomains in order to escape detection. During the investigation, Cisco observed about 1,800 domains associated with malware landing pages and exploits.

The strategy used by the bad actors seems to involve compromising a large number of registrant accounts and setting up subdomains under the victims' legitimate domains for the delivery of the malicious files. In some cases, the subdomains were used only once before being discarded.

Most registrant accounts are from GoDaddy

Cisco says that most of the registrant accounts controlled by the cybercriminals had been registered through Internet domain registrar and web hosting company GoDaddy. The number of accounts may seem small, but many of them own more than 45 unique domains, which greatly expands the infrastructure available for malware distribution.

“To take the approach a step further these actors have utilized another tier of the subdomains to serve as the initial redirection page. Our telemetry data points to another ~650 of these subdomains linked back to a single IP address, 176.103.144.48. The main distribution method is malvertising with the malicious advertisement pointing to an initial tier of compromised subdomains. These sites then redirect to another subdomain delivering landing page and exploitation,” a blog post from Cisco reveals.
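The pattern Cisco describes above (throwaway subdomains created under many unrelated, legitimately registered domains, all resolving to one landing-page IP) leaves a distinctive footprint in passive DNS data. The following is an added example, not code from Cisco or from the article, showing how a defender could flag such hosts: it groups resolver records by IP and reports IPs whose subdomains span several different registered domains and were all short-lived. The records, domain names and IPs are constructed for illustration (TEST-NET ranges), the thresholds are assumptions, and the apex-domain extraction is deliberately naive (a real pipeline would consult the Public Suffix List).

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS-style records: (fqdn, resolved_ip, first_seen, last_seen).
# Names and addresses are invented; they are not the indicators from the Cisco report.
SAMPLE_RECORDS = [
    # Long-lived, ordinary hosting records for the owners' real sites.
    ("www.example-bakery.com", "198.51.100.10", date(2014, 3, 1), date(2015, 2, 1)),
    ("mail.example-bakery.com", "198.51.100.10", date(2014, 3, 1), date(2015, 2, 1)),
    ("www.example-lawfirm.com", "198.51.100.22", date(2013, 6, 1), date(2015, 2, 1)),
    ("cdn.example-shop.com", "198.51.100.30", date(2014, 1, 1), date(2015, 2, 1)),
    ("img.example-shop.com", "198.51.100.30", date(2014, 1, 1), date(2015, 2, 1)),
    ("static.example-shop.com", "198.51.100.30", date(2014, 1, 1), date(2015, 2, 1)),
    # Short-lived subdomains under unrelated apex domains, all pointing at one host.
    ("a1b2c3.example-bakery.com", "203.0.113.5", date(2015, 1, 28), date(2015, 1, 28)),
    ("x9y8.example-florist.net", "203.0.113.5", date(2015, 1, 28), date(2015, 1, 29)),
    ("qq7.example-plumber.org", "203.0.113.5", date(2015, 1, 29), date(2015, 1, 29)),
    ("k3k3.example-lawfirm.com", "203.0.113.5", date(2015, 1, 29), date(2015, 1, 29)),
]


def registered_domain(fqdn):
    """Naive apex extraction: the last two labels.

    Assumption for this example only; production code should use the Public
    Suffix List so that names like 'example.co.uk' are handled correctly.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shadowing_candidates(records, min_apexes=3, max_lifetime_days=3, min_short_ratio=0.8):
    """Return {ip: stats} for IPs that look like a shadowed-subdomain landing host.

    An IP is flagged when its subdomains belong to at least `min_apexes` distinct
    registered domains and at least `min_short_ratio` of them lived no longer than
    `max_lifetime_days`. Thresholds are assumptions chosen for the sample data.
    """
    by_ip = defaultdict(list)
    for fqdn, ip, first_seen, last_seen in records:
        by_ip[ip].append((fqdn, first_seen, last_seen))

    findings = {}
    for ip, rows in by_ip.items():
        apexes = {registered_domain(fqdn) for fqdn, _, _ in rows}
        short_lived = [fqdn for fqdn, first_seen, last_seen in rows
                       if (last_seen - first_seen).days <= max_lifetime_days]
        if len(apexes) >= min_apexes and len(short_lived) / len(rows) >= min_short_ratio:
            findings[ip] = {
                "subdomains": len(rows),
                "short_lived": len(short_lived),
                "apexes": sorted(apexes),
            }
    return findings


def hijacked_apexes(records, findings):
    """For each flagged IP, list apex domains whose own 'www' record resolves
    elsewhere, i.e. the rogue subdomain does not share hosting with the real site."""
    www_ip = {registered_domain(fqdn): ip for fqdn, ip, _, _ in records
              if fqdn.lower().startswith("www.")}
    result = {}
    for ip, stats in findings.items():
        result[ip] = sorted(apex for apex in stats["apexes"]
                            if apex in www_ip and www_ip[apex] != ip)
    return result


if __name__ == "__main__":
    hits = shadowing_candidates(SAMPLE_RECORDS)
    for ip, stats in hits.items():
        print(ip, stats)
    print(hijacked_apexes(SAMPLE_RECORDS, hits))
```

On the sample data only 203.0.113.5 is flagged: four one- or two-day subdomains under four unrelated apex domains, two of which (example-bakery.com and example-lawfirm.com) have their real www site hosted on a different address. The same grouping can be run over a resolver log to produce a list of IPs to block and a list of registrant domains whose owners should be told to rotate their registrar credentials.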

Catching malvertising campaigns is particularly difficult because the ads are served by legitimate advertising networks and, in most cases, each viewer receives a different banner depending on geographical location, observed interests, web browser used and other parameters.

The Angler exploit kit has been around for quite some time and keeps changing and adapting to avoid detection; judging by its activity in January, Cisco believes it may be involved in large attacks throughout the year.