An overview of modern exploit kits

Information security technology is an endless loop of change and evolution in both offensive and defensive ways. Blackhats create demand for new offensive technologies; whitehats respond with new defensive barriers. An exploit kit (EK) is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it. Exploit kits discover and exploit vulnerabilities to upload and execute malicious code in the client browser. In today’s blog post we are going to briefly review currently used EKs, along with their delivery techniques, exploits and malicious payloads.

Reportedly, the infamous players Angler and Neutrino have now stepped down, and are no longer seen in the wild [1], all the while Rig is running strong since 2014. According to research by Talos Intelligence [2], Sundown has also become an important player since 2016.

Techniques

Even though there have been reports of exploit kits pushing cleartext code [3] to their victims, most modern exploit kits use advanced techniques for hiding their code. Among one of the more notable and interesting techniques recently seen is steganography [4], which is the practice of concealing messages or information within other nonsecret text or data. By embedding malicious code within images it becomes impossible to detect by an untrained eye, and difficult to reverse, especially if the injected bytes are further obfuscated.

A second commonly used technique to pressure the victim into installing malicious software is social engineering [5], which is the practice of psychologically manipulating people into performing actions or divulging confidential information. Victims are served malicious content that is designed to toy with their emotions, such as fear, happiness, the will to help others, etc., in order to make the victim visit a malicious page.

Last but not least, there are browser lockers. Browser lockers normally rely on JavaScript to render a user’s browser unusable by continuously showing alert messages, pop-ups, or going in fullscreen mode. This loop continues until the user performs a specific action, which is usually installing software or calling a fake tech support number.

Exploits

Exploits commonly used by EKs are targeted against all the usual suspects: Microsoft IE/Edge, Adobe Flash, Java, and Silverlight. Some EKs also have Mozilla Firefox, Google Chrome and Opera exploits. To give you an idea, there is an outdated list of Common Vulnerabilities and Exposures (CVEs) [6] previously seen in various packs. Some of those CVEs are still used in modern packs, since a vast majority of users do not apply security updates regularly, or even worse – use End of Life (EOL) systems, such as Windows XP.

After leaks from the Hacking Team and the like, a wave of Flash exploits dominated the market. At one point Flash CVEs were literally submitted by the dozens on a daily basis. So many were submitted in a short period of time that now all major web browser vendors block outdated Flash plugins, with plans to completely phase out Flash in favour of HTML5 [7].

The “winner” of course remains Internet Explorer. This browser has seen so many reliably-exploitable vulnerabilities that now no self-respecting user will even touch it with a stick. IE’s younger brother, Microsoft Edge, seems to be following in the same steps, potentially becoming the next big thing on the EK market.

Several exploits currently implemented in Sundown and Rig EKs [8] have been released to the public domain. By analyzing these, you may get a better understanding of the state of affairs.

Malware

There are various common malicious programs circulating in the wild and pushed to exploited clients. Consistent with the global trend [9], all EKs are mostly infecting users with ransomware [10]. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. This is achieved by encrypting the entire hard drive of the infected computer, rendering all information inaccessible. The victim is then asked to pay a ransom for the decryption key to be able to recover his or her files. If the ransom is not paid on time, the price is usually increased, and if the payment deadline is missed again, the decryption key is deleted. Even after paying the ransom, there is no guarantee that the victim will receive the decryption key, nor that the ransomware will be deleted. It is common practice to continuously infect the same clients that keep paying the ransom.

All modern EKs are seen to distribute Cerber [11], CryptoMix [12], Chip [13], and Locky [14], all of which are ransomware programs.

Apart from ransomware, an occasional banker trojan has also been observed in the wild. A banker trojan is a malicious program used to obtain confidential information about customers and clients using online banking and payment systems. A Zeus-based Terdot loader was identified as one of the malware samples distributed by Sundown [15].

Conclusion

Every few years some exploit kits step down and others emerge, but one certainty remains – there will always be a market for exploits. Whether a cybercrime ring or a government agency, everybody has an interest in obtaining unauthorized access to remote systems. With steganography now becoming standard, there will certainly be more interesting and innovative techniques to bypass sandboxes and security solutions alike.

Bibliography
