The creator of the infamous Eleonore exploit pack has released a new version of the attack toolkit, adding some new exploits, including one for a zero-day vulnerability. The new version of Eleonore is selling for $2,000, a premium price even in the world of high-level exploit kits.
Eleonore is one of a handful of exploit kits that attackers can buy for use in their operations, usually without much need for modification or effort on their part. It’s been around for several years and has gone through various iterations in the last couple of years, gradually adding new capabilities and exploits. However, researchers have said that the exploits included in the Eleonore kit aren’t necessarily worth the price that the kit’s creator charges for it.
Many of the exploits, especially in earlier versions, are not original work by the creator, who goes by the name of Exmanoize, but rather are from Milw0rm and other exploit repositories. Researchers have identified a number of attacks that have included the use of the Eleonore kit. The newest version, which appears to have been released sometime on Monday, includes some newer exploits, along with a new zero-day vulnerability customers can exploit. It’s not entirely clear which zero-day bug Exmanoize included in Eleonore 1.6.3.a, but researchers believe that it may be the Internet Explorer CSS flaw disclosed in December.
“Exmanoize seems to have released a new version of his exploit pack today, adding an 0day, some exploits, and research-resistant functionality to rev his highly priced pack. Groups have been using this pack to deliver client side exploits and malware payloads across the net. We’ll be watching for more high profile attacks from these groups using his pack,” Kurt Baumgartner, senior security researcher at Kaspersky Lab, said.
The Eleonore kit, like many similar kits, has a modular, subscription-based model that enables customers to pay one fee for the kit itself and then pay lower prices for updates and additional exploits. The current version of Eleonore is selling for $2,000, and updates are now selling for $100. If a customer wants to bind the pack on additional domains, that requires an additional fee as well. Analyses of previous versions of the exploit kit revealed that the tool has all of the capabilities that one would expect, including the ability to evade detection by anti-malware suites and functionality that helps prevent analysis by researchers.