Exploit Kit Activity Quiets, But Is Far From Silent

Here are the exploit kits to watch for over the next three to six months.

Over the past six months, the roar of exploit kits has quieted to a whimper. But that doesn’t mean exploit kit threats are nonexistent. According to security experts, gangs behind them are regrouping, tweaking code and finding fresh software exploits to target.

Here are the exploit kits and exploit kit trends to watch for over the next six months.

RIG: Down But Not Out

According to Zscaler, the RIG exploit kit is diminished, but continues to drop various ransomware payloads such as CryptoShield, Cerber and Locky, primarily in the geographic locations of South America, Southeast Asia, and Australia. That’s a shift, according to Zscaler, from targeting Western Europe, North America, and Russia.

“Unless anything changes, Rig is the exploit kit to watch out for as we head into summer 2017,” said Brad Duncan, threat intelligence analyst, Unit 42, Palo Alto Networks.

He said Rig is the most prevalent exploit kit Unit 42 has seen since Angler exploit kit disappeared in the summer of 2016 and Neutrino exploit kit went private later in September 2016. Rig was formerly a mid-tier exploit kit compared to others; however, it’s been by far the most common since late 2016, he said.

Microsoft has also been tracking RIG (which it calls Meadgive). “Attackers who use Meadgive typically inject a malicious script island into compromised websites. When the compromised site is accessed, the malicious script, which is usually obfuscated, loads the exploit. Recently, Meadgive has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651 that executes a JavaScript file, which then downloads an encrypted PE file,” Microsoft noted.

The Dawn of Sundown

As RIG's impact continues to diminish, the Sundown exploit kit has slowly been gaining momentum over the past year. Recently, its authors have made noteworthy changes to its landing page. According to Zscaler, those changes include rebranding the exploit kit “Nebula.”

“Where .xyz domains had been the primary choice for hosting landing pages, since Feb. 9, the [criminal organization Yugoslavian Business Network] has been registering domains with many other generic top-level domains in the name of Brian Krebs,” wrote Derek Gooley, security researcher at Zscaler.

Earlier this month, it was the Sundown exploit kit that gained some traction dropping the banker Trojan DiamondFox, Gooley said.

FireEye reports that Sundown has shown a propensity for adapting frequently, for example by changing its URI patterns and incorporating new techniques such as steganography.

Magnitude at Low Volumes

Once a dominant exploit kit, Magnitude is a shadow of its former threat, according to security experts. “The Magnitude EK continues to operate at low volume, with restricted regional distribution. We typically observe Magnitude affecting Southeast Asian users who visit illegal streaming sites,” Gooley wrote.

He notes that Magnitude’s modus operandi is distribution through malicious ads placed on popup and pop-under ad networks, which attempt to install the Cerber ransomware.

New Terrors

New exploit kits also continue to surface, such as the Terror exploit kit, identified by Zscaler earlier this year. Terror is an example of a newer exploit kit cobbled together from pieces of other exploit kits such as Sundown and Hunter, according to Zscaler.

Terror is typical of newer exploit kits. “It’s smaller, more customized and their target is much more defined and they have chosen a very specific geographic area to target,” said Deepen Desai, senior director of research and operations at Zscaler. Keeping activity regional and limited in scope, he said, suggests criminals are fine-tuning Terror before rolling it out to a larger pool of victims.

Check Point said both Rig and Terror have recently been tracked delivering a wide variety of threats, from ransomware and banking Trojans to spambots and Bitcoin miners. The security firm reported an uptick in Terror exploit kit activity in March.

GongDa and KaiXin

Researchers are keeping their eyes on two older exploit kits targeting Korea named GongDa and KaiXin. In January, FireEye reported a Korean news site was redirecting visitors to the GongDa exploit kit, exposing them to malware.

“While GongDa is an older exploit kit that continues to use Java exploits, it has also been found delivering both Flash and VBScript exploits as well. Despite its shortcomings when compared to newer EKs such as Angler or Neutrino, GongDa proves that old tricks (or vulnerabilities) can still work effectively,” wrote FireEye in a research note earlier this year.

Zscaler spotted a new KaiXin exploit kit campaign as recently as last month. KaiXin, first identified in 2012, also targets Asian sites (Korea in particular). Its latest incarnation features an older antivirus fingerprinting script that attempts to determine whether security products are present on the targeted PC’s filesystem before continuing execution. The KaiXin campaign offers exploits for Java, Flash, and Silverlight and, if successful, installs various Chinese adware packages.

New Targets

But the vital ingredient to a successful exploit kit is a fresh supply of vulnerabilities. To that end, security experts at Unit 42 of Palo Alto Networks note a trend by cybercriminals to target new vulnerabilities in Microsoft’s Edge browser.

Ryan Olson, intelligence director, said crooks behind Sundown have added new Microsoft Edge browser vulnerabilities to their list of attack vectors. Some of the vulnerabilities, according to Olson, include memory corruption flaws within the browser’s rendering engine. He said Microsoft patched the vulnerabilities last year; nevertheless, they found their way into the Sundown exploit kit.

Another example of new targets comes from an exploit kit called DNSChanger, spotted in December by Proofpoint researchers. Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn’t target browsers, but rather a victim’s router. The goal is to attack vulnerable routers running outdated software and open ports for malicious purposes.

Copycat Trend

Researchers at FireEye said they have noticed a bevy of low-level exploit kit copycat operations that are most likely one-man operations. “While mostly recycling pre-existing techniques, their presence has been fairly consistent, albeit not being a huge threat in terms of numbers,” said Zain Gardezi, staff vulnerability researcher at FireEye.

In these particular cases, it has been observed that the copycats usually stay attached to one ad service for a longer period of time for malvertisement delivery, Gardezi said. Their use of registered domains is also limited, owing to the fairly distinguishable pattern. “Some copycats seem to use one particular IP for 3 to 4 days, instead of domain names, and then move on to another,” Gardezi said. Sundown, for example, is known for using old exploits taken from older exploit kit packages of established players.

With so many big players out of commission, smaller players have stepped in, cutting and pasting old exploits to create their own patchwork EKs, FireEye said.

Exploit Kit Struggles

According to researchers, worries of a sudden resurgence in exploit kit activity are low. Unit 42’s Duncan credits better browser security with reducing the effectiveness of exploit kits. Others credit stepped-up defensive mitigation efforts.

“Google Chrome is currently at 58 percent market share, and it’s a much harder nut to crack for exploit kit authors, I think. Using Chrome as a web browser, I haven’t been able to infect any Windows hosts through exploit kits in recent months,” Duncan said.

He also notes that the dwindling popularity of some favorite targets of exploit kits, such as Internet Explorer and Microsoft Edge, is pushing some threat actors out of the EK racket. Duncan said IE and Edge now have a combined market share of only 25 percent.

For its part, Microsoft’s exploit research shows many of the operators behind exploit kits such as Neutrino aren’t making splashy headlines anymore because many have gone into “private” mode, choosing to quietly cater to select cybercriminal groups.