Criminal hackers are fickle about their attack vectors. You need to look no further for evidence of this than their constant migration from one exploit kit to another. And while there is an expansive menu of exploit kits, attackers do seem to congregate around a precious few.
Researchers who study exploit kits closely, however, are reporting that two major kits, Angler and Nuclear, may be off the table. Both are responsible for tens of millions of dollars in losses and countless web-based infections dropping everything from ransomware to click-fraud malware. But the recent arrests of the Russian gang behind the Lurk malware may have put an end to the availability of the Angler Exploit Kit, and an exposé from Check Point Software Technologies has apparently done in the Nuclear Exploit Kit.
French researcher Kafeine, who specializes in exploit kits, said he has not seen any Nuclear activity since April 30, and none from Angler since June 7.
A Proofpoint report published Monday, meanwhile, put some numbers behind the exploit kit downturn. For example, they point to criminal groups which run high-traffic, high-profile malvertising campaigns moving to Neutrino in concert with the shift of CryptXXX distribution from Angler to Neutrino.
“By our estimates, Neutrino dropping CryptXXX [infections] accounts for as much as 75 percent of observed exploit kit traffic, and another 10 percent combined from Neutrino and Magnitude dropping Cerber ransomware,” the report says. “Most of the remaining 15 percent of EK traffic is RIG dropping a variety of payloads (banking Trojan, info stealers, loaders) on lower-value malvertising traffic, with various smaller EKs such as Sundown, Kaixin, Hunter and others making up the last 1 percent of total observed EK traffic.”
The Check Point paper released in April was a two-part series that took apart the Nuclear EK, analyzing not only its infrastructure, but its operational scheme, control panel, master server, infection flow and internal logic. At the time, Nuclear was moving Locky ransomware at a prolific rate; Locky infections were reportedly responsible for high-profile attacks at several U.S. hospitals.
Part two of the report examined Nuclear’s service offerings, taking a dive into the vulnerabilities targeted by its exploits, how payloads are delivered to victims and a characterization of the damage.
“I think Nuclear Pack’s disappearance is tied [to the Check Point paper],” Kafeine said when questioned by Threatpost. “The Nuclear Pack infrastructure has been exposed there, which [in my opinion] scared the owner.”
Kafeine said this might be a temporary situation, however, based on a post in a Russian forum seen by the researcher that said Nuclear is no longer available for rent and that the author is gone [from the forum].
“If he comes back, will inform about this officially,” is the rough translation of the Russian forum post.
Angler’s customers, meanwhile, may have moved on to other exploit kits such as Neutrino and RIG. Angler users were busy peddling CryptXXX as a successor to Locky, but a report from the SANS Internet Storm Center on June 9 said there was a sudden change in distribution away from Angler.
CryptXXX is a relative newcomer but already it has been updated with new encryption and also comes with a credential-stealing module.
“CryptXXX was spread via Neutrino before Angler disappeared,” Kafeine said. “But this became massive after the beginning of June when most of the bigger infection paths migrated to this EK.”
Oddly enough, in April, researchers at Palo Alto Networks found a campaign they called Afraidgate that was using Nuclear Exploit Kit to distribute Locky. It switched abruptly to Angler and instead began distributing CryptXXX on infected computers. Gate domains were hosted on afraid[.]org and the Afraidgate campaign—along with pseudo-DarkLeech—helped establish CryptXXX as a major ransomware threat.
Both campaigns, Palo Alto said, use Angler to exploit vulnerable browser-related applications and deliver Bedep, a downloader that grabs CryptXXX and click-fraud malware. CryptXXX is particularly nasty because it encrypts not only local files (encrypted files have a .crypt extension) but also those on all attached storage shortly after the initial infection. The malware also has capabilities beyond encryption: it copies files, putting the victim at risk of identity theft, and steals Bitcoins stored on the local hard drives.
In the meantime, it’s doubtful exploit kits will disappear altogether, given the sheer profits available. But it may be a good time to enjoy a temporary respite.
“There are some groups that are less active, but my methodology does not allow me to comment on this with solid numbers,” Kafeine said. “I can’t see VirtualDonna anymore. SadClowns is lately quite calm. And there are two other groups that were silent.”