Terror Exploit Kit Evolves Into Larger Threat

The Terror exploit kit has matured into a greater threat and carefully crafts attacks based on a user’s browser environment.

The relatively new Terror exploit kit is bucking the downward trend in the EK market, and is steadily evolving into more of a threat.

Researchers at Cisco Talos said Terror has abandoned an early strategy that included “carpet-bombing” a target’s browser to one that now uses exploits that precisely target a victim’s particular browser configuration. It’s also equipped with anti-detection features.

The kit is one of several new players that surfaced after the market consolidated last year, according to Cisco. “When Angler and friends disappeared, new EKs started to try their luck. Many of them were far from Angler’s quality. One of these was Terror EK,” wrote Holger Unterbrink and Emmanuel Tacheau, researchers at Cisco who posted their research Thursday.

Over the past several months, researchers say they have seen a “fast evolution up to the latest version” of Terror.

“We identified a potentially compromised legitimate website acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later,” they wrote.

To Cisco, this is an indicator that criminals behind Angler, RIG and Terror are likely sharing resources or pirating the others’ means of distribution and attack tools.

As to Terror’s biggest improvements, researchers said the exploit kit now has the capability to evaluate a victim’s user environment (operating system, patch level, browser version and installed plugins) and use only the most potentially successful exploits against the victim.

This makes it harder for an investigator to fully uncover which exploits they have, Unterbrink and Tacheau wrote. Terror is also using cookie-based authentication in its attack chain. “This prevents anyone from downloading the exploits directly. Someone who did not follow the full attack chain may be a competitive cyber criminal who is trying to steal the exploits or a forensic investigator,” researchers wrote.

The exploits Terror is using aren’t new, just new to Terror, said Nick Biasini in an interview with Threatpost.

“In the past, Terror would send a wide array of exploits at the end system hoping that one would compromise the system.  Today, Terror is more selective and leverages the information gained from the landing page to deliver exploits to which the system is potentially vulnerable,” Biasini said.

The attack chain observed by Cisco begins with a compromised website that redirects the victim to the Terror landing page using an “HTTP 302 Moved Temporarily response.” The landing page is filled with random “Lorem Ipsum” text and also some obfuscated JavaScript code to evaluate the target’s browser environment and plugins in use such as ActiveX, Flash, PDF reader, Java, Silverlight and QuickTime, researchers wrote.

“The POST request generated by this page is answered with an HTML page including a JavaScript and a VBScript. These scripts include the URL pointing to the CVEs they are going to exploit,” Unterbrink and Tacheau wrote. After assessing and exploiting a browser’s vulnerability, attackers then attempt to download the final malware.

In one instance observed by Cisco, a JavaScript file exploited a use-after-free vulnerability in Microsoft Internet Explorer 6-10 vulnerability (CVE 2013-2551). “After exploitation, it generates another JScript file, writes it to disk and executes it via command line,” researchers explain. “This script downloads the encrypted binary stream from the EK website, decodes it, saves it to disk with a random name and finally executes it.”

The executable used was a variant of the Terdot.A/Zloader malware downloader, Cisco said.

Researchers say they have observed similar behavior while monitoring the Sundown exploit kit, which also drops the Zlaoader malware. “Terror EK is known for using exploits used by Sundown, so it seems to be they also use payloads from Sundown,” researcher said.

 

Suggested articles