Distributors of malicious exploit packs switch to file-free infection method

Despite losing popularity in criminal circles, ready-made exploit kits remain a relevant Internet threat. However, distributors of malicious exploit packs are increasingly switching to a fileless method of infection.

In the fall months, experts continued to observe exploit pack activity around the world and, to their surprise, even recorded the appearance of two new players on the market.

Researchers also noted an alarming trend: these attack tools began to be used to deliver fileless malware, which is harder to detect.

“This trend is noteworthy because it complicates the exchange of samples and, possibly, increases the infection rate, as it bypasses some protective solutions,” wrote Jérôme Segura on the Malwarebytes blog, ZDNet reports.

According to the analyst, three of the nine existing exploit packs, Magnitude, Underminer, and Purple Fox, have currently switched to a payload that leaves no traces on disk.

To lure potential victims to exploit pages, attackers run malvertising campaigns, preferring to place malicious ads on adult sites. Among all vulnerabilities, modern exploit packs most commonly use CVE-2018-8174 in Internet Explorer and CVE-2018-15982 in Adobe Flash Player. The older Flash exploit CVE-2018-4878 is also present in some packs, and some contain no Adobe Flash exploits at all.

The use of Flash content on the Internet is declining, browsers have already begun to block it, and attackers, apparently, are following the general trend: they are removing malicious code written for a product that is leaving the stage.

Thus, RIG operators have already abandoned their usual Flash exploit. According to experts, this tool now relies solely on Internet Explorer vulnerabilities. In the fall, the venerable exploit pack was seen distributing the Smoke Loader downloader as well as the Sodinokibi, Paradise, and AnteFrigus ransomware.

Since its debut in March, the Spelevo exploit kit has become very popular with operators of malvertising campaigns that use a technique for masking malicious pages known as domain shadowing. The Spelevo payload has become more diverse: in addition to the PsiXBot infostealer, it also delivers the Gootkit Trojan and the Maze ransomware.

The Fallout exploit pack is noteworthy because, unlike its counterparts, it uses obfuscation and carefully checks the environment before downloading the target malware.

“It also uses the Diffie-Hellman cryptographic algorithm as a protective measure against offline analysis. During the reporting period, attackers used Fallout to deliver Sodinokibi, the modular Danabot Trojan, and the information stealers AZORult, Kpot, and Raccoon,” Malwarebytes experts report.

Magnitude’s behavior has not changed much. It uses the same infrastructure, with redirects to fake crypto exchanges, and distributes the Magniber ransomware, but now delivers it using a fileless method.

The GrandSoft exploit pack has reduced its activity and in the fall months was used only to spread the Ramnit malware. The Underminer payload remains the same: the fileless Hidden Bee malware, aimed at cryptocurrency mining. The KaiXin exploit pack rarely comes to experts' attention. Its victims are mainly residents of Asian countries; in the fall, it was used to distribute the Dupzom Windows downloader.

The newcomer Purple Fox, according to experts, is a framework for covertly downloading malware from the web using the fileless method. It is currently used to deliver the Kpot infostealer. The second rookie, Capesand, appeared in the fall in a malvertising campaign aimed at distributing njRAT. The new exploit pack was built on the basis of the long-standing open source project Demon Hunter and so far uses existing exploits for IE and Adobe Flash.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
