In the attacks observed by researchers, the Angler campaign involves malvertising and exploits for two recently patched Adobe Flash Player vulnerabilities. The exploit kit uses its fileless installation feature to write TROJ_RECOLOAD.A into the device’s memory rather than to its hard drive, where it would be easier to detect.
After it’s deployed on a computer, TROJ_RECOLOAD.A checks for the presence of virtualization, sandbox and analysis tool modules; checks whether the name of the current user suggests a malware analyst; and scans running processes for applications such as Wireshark, Dumpcap, TCPView and OllyDbg. If there is any indication that it’s being analyzed, the malware doesn’t execute its main routine.
If no malware analysis tools are detected, the Trojan examines the infected system to determine which of three payloads to drop.
In the first case, the threat checks the system’s URL cache for PoS-related URLs. In the second case, it uses the “net view” command to determine whether computers on the infected network have names like “POS,” “STORE,” “SHOP” or “SALE.” If neither condition is met, the malware drops its default payload.
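As an added example (not code from the article or from the researchers who analyzed the malware), the following Python detector runs over constructed process-creation records and flags `net view` enumeration that descends from a browser process, which is the shape a browser-delivered, fileless loader like this one takes on the host. The log format, the process names in BROWSER_HOSTS and the sample events are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in a simple key="value" format. They are
# sample data for this example, not real telemetry and not data from the article.
SAMPLE_LOG = r"""
ts="2015-07-17T10:02:11" ProcessId="1200" ParentProcessId="900" ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Internet Explorer\iexplore.exe" CommandLine="iexplore.exe"
ts="2015-07-17T10:02:40" ProcessId="2204" ParentProcessId="1200" ParentImage="C:\Program Files\Internet Explorer\iexplore.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c net view"
ts="2015-07-17T10:02:40" ProcessId="2210" ParentProcessId="2204" ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\net.exe" CommandLine="net view"
ts="2015-07-17T10:05:03" ProcessId="2300" ParentProcessId="900" ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c net view \\fileserver"
ts="2015-07-17T10:06:15" ProcessId="2400" ParentProcessId="1500" ParentImage="C:\Program Files\Mozilla Firefox\firefox.exe" Image="C:\Windows\System32\net.exe" CommandLine="net  VIEW /domain"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Matches "net view", "net.exe view", "net1 view", any case, any whitespace run.
NET_VIEW_RE = re.compile(r'(?:^|[\s"\\])net1?(?:\.exe)?\s+view\b', re.IGNORECASE)
# Processes that host exploit-kit content: the browsers themselves and Firefox's
# plugin host. This list is an assumption; extend it for your environment.
BROWSER_HOSTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "plugin-container.exe"}

def parse_log(text):
    """Return one dict per non-empty line, keyed by field name."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def basename(path):
    return PureWindowsPath(path).name.lower()

def has_browser_ancestor(event, by_pid, max_depth=3):
    """Walk up the parent chain (via ProcessId/ParentProcessId) looking for a
    browser. PIDs get reused, so on real telemetry key on a process GUID instead."""
    current = event
    for _ in range(max_depth):
        if basename(current["ParentImage"]) in BROWSER_HOSTS:
            return True
        current = by_pid.get(current["ParentProcessId"])
        if current is None:
            return False
    return False

def flag_browser_spawned_net_view(log_text):
    """Events whose command line runs `net view` and that descend from a browser.
    An admin running `net view` from an Explorer-launched prompt is not flagged."""
    events = parse_log(log_text)
    by_pid = {e["ProcessId"]: e for e in events}
    return [e for e in events
            if NET_VIEW_RE.search(e["CommandLine"]) and has_browser_ancestor(e, by_pid)]

if __name__ == "__main__":
    for hit in flag_browser_spawned_net_view(SAMPLE_LOG):
        print(hit["ts"], hit["ProcessId"], basename(hit["Image"]), "<-",
              basename(hit["ParentImage"]), repr(hit["CommandLine"]))
```

On the sample data the Explorer-launched `net view \\fileserver` is left alone while the three events descending from Internet Explorer and Firefox are flagged, including the `net.exe` child whose direct parent is only `cmd.exe`.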