Six months of relative quiet around exploit kits recently changed when a public proof-of-concept attack disclosed by a Texas startup was integrated into the Sundown Exploit Kit.
The proof-of-concept exploit was developed by Theori, a research and development firm in Austin, which opened its doors last spring. The PoC targets two vulnerabilities, CVE-2016-7200 and CVE-2016-7201, in Microsoft Edge that were patched in November in MS16-129 and privately disclosed to Microsoft by Google Project Zero researcher Natalie Silvanovich.
French researcher Kafeine said on Saturday that he had spotted weaponized versions of the Theori exploits in Sundown two days after they were made public. The payload is most likely the Zloader DLL injector, but Sundown has also moved other malware in the past including banking Trojans such as Zeus Panda and Dreambot, and even Bitcoin mining software. Kafeine said this is the first significant exploit kit activity he’s seen in six months.
This is the second time a Theori proof-of-concept exploit has ended up in an exploit kit, Kafeine said, harkening back to CVE-2016-0189, which was patched in May by Microsoft and yet eventually found its way into Neutrino, RIG, Sundown and Magnitude.
Kafeine said he expects other exploit kits to quickly integrate this attack as well, but activity could be slowed by Christmas and New Year holidays in the West, and the recently concluded Russian holiday season.
A request for comment from researchers at Theori was not returned in time for publication. In the Readme for the exploits posted to Github, Theori said its PoC was tested on the latest version of Edge running on Windows 10. The vulnerabilities are in the Chakra JavaScript engine, which Microsoft introduced with Internet Explorer 9. The Theori exploits trigger an information leak and a type confusion vulnerability in the browser, chaining them into remote code execution.
The bugs were patched Nov. 8 by Microsoft in a cumulative update for the Edge browser; Microsoft characterized them as memory corruption flaws and rated them both critical for Windows clients and moderate for Windows server. Microsoft described potential attacks in its security bulletin:
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
Exploit kits are still in the wild, spreading everything from ransomware to click-fraud malware. The integration of new exploits, however, has slowed significantly since the erasure of Angler and other popular kits from the underground. Angler’s disappearance coincided with the June arrests of 50 people in Russia allegedly connected to the development and distribution of the Lurk Trojan. Researchers at Kaspersky Lab who investigated the infrastructure supporting Lurk said there was little doubt that the criminals behind Lurk were also responsible for Angler’s constant development and profit-making.
Since the end of the summer, however, exploit kit development has all but ended while attackers have returned to large-scale spamming campaigns and a resurgence of macro malware to move attacks along.
“Regarding the why, I don’t know for sure,” Kafeine said. “Either it’s harder to code those, [or] those who were providing fully working exploits (for Angler for instance) are not anymore into this.
“I think [exploit kits] have not been so far behind in years.”