Where Have All The Exploit Kits Gone?

For a long time, exploit kits were the most prolific malware distribution vehicle available to attackers. Where did they go and what’s replaced them?

The bloom is off exploit kits.

Once a mainstay for cybercriminals, attacks tied to exploit kits have now dried up to just a trickle. For sure, they haven’t gone away. But researchers say Angler, Neutrino and Nuclear, kits that once dominated the threat landscape, are gone; usurped by new threats and a resurgence in old ones.

“When we compare exploit kit activity from January to December of 2016 there’s a drop of 300 percent in activity. That’s primarily due to these EKs dropping off the face of the Earth,” said Karl Sigler, threat intelligence manager at Trustwave.

Exploit kits are malicious toolkits chock-full of pre-written exploits for browser plugins such as Java and Adobe Flash and for the browsers themselves. A kit is planted on a booby-trapped site or fed traffic by a malvertising campaign; its landing page fingerprints each visitor's browser and plugin versions and serves an exploit only when it finds one the kit can hit.
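The fingerprint-then-decide step is the heart of a kit and is also why the patching and plugin-removal work described later in the article matters. The following is an added example, not code from the article or from any real kit: a reduced model of that gate, written in Python to stand in for the server-side decision a kit makes after the landing page reports the visitor's plugins back. The plugin names, the "last exploitable version" table and the sample visitor fingerprints are all constructed for illustration; no exploit is involved.

```python
"""Reduced model of an exploit-kit gate (added example, not from the article).

The landing page reports the visitor's plugin versions; the gate compares them
against the versions the kit holds exploits for and either names a target or
returns None, in which case a kit typically serves a harmless decoy page.
"""
from typing import Dict, Optional


def parse_version(version: str) -> tuple:
    """Turn '20.0.0.306' into (20, 0, 0, 306) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


# Hypothetical table: the newest version of each plugin the (imaginary) kit
# can still exploit. Anything newer is treated as patched.
EXPLOITABLE_UP_TO: Dict[str, str] = {
    "Shockwave Flash": "20.0.0.306",
    "Java Platform SE": "1.8.0.71",
}


def select_target(plugins: Dict[str, str]) -> Optional[str]:
    """Return the first plugin whose reported version is at or below the ceiling.

    `plugins` maps plugin name -> version string as the landing page reported it.
    """
    for name, reported in plugins.items():
        ceiling = EXPLOITABLE_UP_TO.get(name)
        if ceiling is None:
            continue  # the kit has nothing for this plugin
        if parse_version(reported) <= parse_version(ceiling):
            return name
    return None  # every plugin is newer than the kit's exploits


# Constructed sample visitors (not real telemetry).
PATCHED_VISITOR = {"Shockwave Flash": "24.0.0.194", "Java Platform SE": "1.8.0.121"}
STALE_VISITOR = {"Shockwave Flash": "20.0.0.286", "Java Platform SE": "1.8.0.121"}
NO_PLUGIN_VISITOR: Dict[str, str] = {}


if __name__ == "__main__":
    for label, visitor in (("patched", PATCHED_VISITOR),
                           ("stale", STALE_VISITOR),
                           ("no plugins", NO_PLUGIN_VISITOR)):
        print(f"{label}: target = {select_target(visitor)}")
```

The point for defenders is the `None` branch: once the installed Flash and Java builds sit above every ceiling in the kit's table, the gate has nothing to serve, which is the "no more low-hanging fruit" effect the Qualys and Adobe researchers describe below.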

Exploit kits in 2016. [Source: Infoblox]

In their heyday the Angler, Magnitude, Neutrino and Nuclear exploit kits accounted for 96 percent of exploit kit activity at the end of 2015, according to data from security firm Infoblox. Today, exploit kits are mostly dormant and development has gone stagnant.

Where did they go and why?

Arrests Send Crooks Scurrying

Some credit the downturn in exploit kit activity in 2016 to high-profile arrests of members of cybercrime outfits such as Lurk, who were behind the Angler Exploit Kit. In the case of Lurk, dozens of hackers were arrested across Russia in June 2016.

According to a detailed report by Kaspersky Lab on the takedown, the gang controlled Angler’s infrastructure and development, and was behind its distribution. At the time, Angler was one of the most notorious exploit kits on the Internet.

“The arrests of Lurk and the subsequent demise of Angler was not the single event that triggered exploit kit gangs to go dormant. But looking back, it’s hard not to assume that others behind Neutrino and others didn’t see this as a harbinger,” said Deepen Desai, senior director of research and operations at Zscaler.

But even before the Lurk arrests, the Nuclear crew had all but shut down its operation in the May and June timeframe. That followed an in-depth analysis of the gang’s malware-as-a-service infrastructure by Check Point researchers.

The third nail in the coffin for the dominant exploit kits was the decline of Neutrino. It abruptly shut down in September following a joint Cisco and GoDaddy operation in which a large number of malvertising campaigns feeding the exploit kit were shuttered.

Patrick Wheeler, director of threat intelligence at Proofpoint, says exploit kit activity declined 93 percent between January and September last year, but notes that activity hasn’t stopped altogether.

Wheeler said after Nuclear and Angler went dormant, criminals behind exploit kits have downsized and gone deeper underground focusing on private development and smaller campaigns. Such is the case with Magnitude, RIG, and Sundown, he said.

Strong Offense and Even Better Defense

It isn’t only the offense, the arrests and takedowns, that gets credit for pushing exploit kit gangs back into the shadows. A number of researchers credit a stronger defense.

“Crimeware tools are only as good as their target’s defenses,” said Amol Sarwate, director of engineering at Qualys. He said recent efforts to fortify Microsoft’s browsers, Adobe’s Flash and Oracle’s Java browser components against exploit kit activity have paid off.

“There used to be a lot of low hanging fruit,” he said. “For now, that’s not the case.”

“Adobe Flash has been the top target for exploit kits such as RIG and Angler for a long time. Out of more than 3 billion scans that Qualys performs each year we saw that in 2016 Adobe Flash vulnerabilities were patched about 40 percent faster as compared to the prior year. This implies that the industry is doing a better job with patching Flash, and although Flash is not dead it is being fixed more quickly,” according to a 2016 Qualys analysis.

Oracle has also taken steps to defend against crimeware used in exploit kits. Last year Oracle announced it was pulling the browser plugin from the next desktop version of Java (Java 9 / JRE 9). That means Java will no longer plug directly into the user’s web browser, removing one of the attack surfaces exploit kits reach through outdated Java plugins.

[Source: Qualys]

“As much as I’d like to say it’s one thing that we did, it wasn’t,” said Peleus Uhley, lead security strategist within Adobe’s Secure Software Engineering Team. He said work with Microsoft and Google has paid off, especially when it comes to mitigating memory-corruption bugs, the class of vulnerability exploit kits most often rely on.

Uhley said Control Flow Guard, a memory corruption mitigation baked into Windows 10, has been an effective tool against use-after-free attacks, which became a favorite crimeware exploit once ASLR and DEP put a damper on buffer overflow attacks.

“It’s a cumulative effort on our part and the security community. Nobody is resting on their laurels. The attackers continue their development and so will we,” Uhley said.

Crooks Try Different Tactics

Cybercriminals have continued to develop new delivery mechanisms for planting their malicious payloads on targeted systems. But, the focus isn’t currently on exploit kits, rather social engineering-based attacks, said Ryan Olson, intelligence director at Unit 42 of Palo Alto Networks.

“It’s not as if criminals have thrown in the towel,” Olson said. “A big component in a drought of exploit kit development has been the rise of Office macros used to deliver malware. For the past year we just have seen a continuous increase of macro document-based attacks replacing a lot of what exploit kits used to do,” he said.

Locky ransomware, Dridex banking Trojans and Gootkit Trojan information stealers all used to be distributed mainly via exploit kits and are now being spread primarily via spam, phishing and spear phishing campaigns.

“What we are finding it’s much easier to use social engineering to trick people into installing malware than to exploit a vulnerability,” said Proofpoint’s Wheeler. “What attackers have done is replaced the automated exploit with (socially engineered) ploys to get people to click.”

That type of social engineering has moved beyond the inbox as well, Wheeler said. “We saw attackers trying to trick Google Chrome users to install ‘Chrome Font’ malware on compromised websites,” Wheeler said. Instead of being attacked via an exploit kit, attackers presented visitors with a fake prompt to install a Chrome plugin called “Chrome Font” that was actually a type of ad fraud malware known as Fleercivet.

While spam-based ploys that enlist social engineering tricks may seem like a crude alternative to exploit kits, Trustwave’s Sigler says they aren’t. “Social engineering attacks have always been popular, especially in phishing attacks. However, I would not say that social engineering attacks are any cheaper or easier to use. Good social engineering attacks require research if it’s a targeted attack or infrastructure like a spam botnet if it’s more of an opportunistic attack,” he said.

In June, the Microsoft Malware Protection Center reported a resurgence in the use of Office document macro attacks. In December, attackers revived the old spamming technique known as hailstorm and leveraged the Necurs botnet to spread both the Dridex banking malware and Locky ransomware via malicious Word documents.

Despite being a fairly archaic attack vector, macro-laden documents have kept working for attackers, researchers said.
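The macro-document wave described in the two passages above is easy to triage at a mail gateway because a modern Office file is a zip container whose directory tells you whether VBA is present at all. The following is an added example, not code from the article or from Microsoft, Proofpoint or any vendor named on the page: a Python check that opens the container, looks for the `vbaProject.bin` part and the macro-enabled content type, and flags a few auto-run entry-point names. The sample documents are constructed in memory (the "vbaProject.bin" blob is a stand-in, not a real compressed VBA stream), so the check runs offline.

```python
"""Macro-enabled Office document triage (added example, not from the article).

OOXML documents (.docx, .docm, .xlsm, .pptm) are zip containers. VBA code is
stored in a part named vbaProject.bin, and [Content_Types].xml declares it with
the content type application/vnd.ms-office.vbaProject. Checking the container
rather than the file extension matters: a .docm renamed to .doc still opens.
"""
import io
import zipfile
from typing import Dict

MACRO_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Procedure names Office runs automatically when a document opens.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"Workbook_Open", b"Auto_Open")


def macro_indicators(data: bytes) -> Dict[str, bool]:
    """Return which macro indicators a document carries (all False if not a zip)."""
    result = {"is_ooxml": False, "has_vba_part": False,
              "declares_vba_type": False, "auto_exec_name": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = True
    names = zf.namelist()
    vba_parts = [n for n in names if n.lower().endswith(MACRO_PART_SUFFIX)]
    result["has_vba_part"] = bool(vba_parts)
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_vba_type"] = MACRO_CONTENT_TYPE in content_types
    # Crude substring scan: real VBA module streams are compressed (MS-OVBA), so a
    # procedure name is only found when it survives as a literal run. Use a VBA
    # decompressor (e.g. the olevba tool) for anything beyond first-pass triage.
    for part in vba_parts:
        blob = zf.read(part)
        if any(name in blob for name in AUTO_EXEC_NAMES):
            result["auto_exec_name"] = True
    return result


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: hold any document that carries VBA at all."""
    ind = macro_indicators(data)
    return ind["has_vba_part"] or ind["declares_vba_type"]


def build_ooxml(parts: Dict[str, object]) -> bytes:
    """Build a minimal zip container from {part name: content} (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain document, a macro-enabled one and a non-zip file.
CT_PLAIN = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType='
            '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>')
CT_MACRO = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/vbaProject.bin" ContentType='
            '"application/vnd.ms-office.vbaProject"/></Types>')
CLEAN_DOCX = build_ooxml({"[Content_Types].xml": CT_PLAIN, "word/document.xml": "<w:document/>"})
MACRO_DOCM = build_ooxml({"[Content_Types].xml": CT_MACRO, "word/document.xml": "<w:document/>",
                          "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stand-in stream AutoOpen"})
NOT_OOXML = b"%PDF-1.4 constructed non-zip sample"

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOCX), ("macro", MACRO_DOCM), ("pdf", NOT_OOXML)):
        print(label, macro_indicators(doc), "quarantine" if should_quarantine(doc) else "pass")
```

Legacy binary .doc/.xls files are OLE2 compound files rather than zips, so they fall into the `is_ooxml: False` branch here; a gateway has to pair this check with an OLE parser to cover the older format the hailstorm campaigns also used.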

Gangs Quietly Regroup

Meanwhile, new exploit kits are quietly under development. One example of this is an exploit kit called DNSChanger, spotted in December and being distributed via malvertising. Researchers at Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn’t target browsers, rather a victim’s router.

Through a complex series of steps, DNSChanger decrypts the target’s router fingerprint to determine whether the victim is using a vulnerable model. “Once it performs the reconnaissance functions, the browser will report back to the DNSChanger kit which returns the proper instructions to perform an attack on the router,” according to Proofpoint. The goal: open ports on the router for malicious purposes.

New exploit kits also continue to surface, such as the Terror EK, identified by Zscaler earlier this year. Terror is an example of a newer exploit kit cobbled together from pieces of other kits such as Sundown and Hunter, according to Zscaler.

Zscaler’s Desai notes that Terror is typical of newer exploit kits. “It’s smaller, more customized and their target is much more defined and they have chosen a very specific geographic area to target,” he said.

Other exploit kit innovations spotted by Zscaler include more kits serving their gates and landing pages over SSL to get past network appliances that inspect only cleartext. Desai notes newer exploit kits are also adding more anti-analysis fingerprinting code to avoid being detected in sandboxed environments.

“Exploit kits still pose a significant threat. There is nothing new about exploit kit authors hiding their activities and frequently changing tactics,” Desai said. “There is no reason to believe we won’t see a resurgence of exploit kits in the future. The question is when.”
