Despite their waning popularity in criminal circles, ready-made exploit kits remain a relevant Internet threat. Their distributors, however, are increasingly switching to fileless infection methods.
In the fall months, experts continued to observe exploit kit activity around the world and, to their surprise, even recorded the appearance of two new players on the market. Researchers also noted an alarming trend: these attack tools began to be used to deliver fileless malware, which is harder to detect.
“This trend is noteworthy because it complicates the exchange of samples and, possibly, increases the percentage of infection as it bypasses some protective solutions”, wrote Jérôme Segura of Malwarebytes in a blog post cited by ZDNet.
According to the analyst, three of the nine exploit kits currently active (Magnitude, Underminer, and Purple Fox) have switched to a payload that leaves no traces on disk.
To draw potential victims to their exploit pages, attackers run malvertising campaigns, preferring to place malicious ads on adult sites. Of all the vulnerabilities in use, modern exploit kits most commonly rely on CVE-2018-8174 in Internet Explorer and CVE-2018-15982 in Adobe Flash Player. The older Flash exploit CVE-2018-4878 is still present in some kits, while others contain no Adobe Flash exploits at all.
Flash content on the Internet is in decline, browsers have already begun to block it, and attackers are apparently following the general trend, dropping exploits tailored to a product that is leaving the stage.
Accordingly, RIG operators have already abandoned their usual Flash exploit. According to experts, the kit now relies solely on Internet Explorer vulnerabilities. In the fall, the venerable exploit kit was seen distributing the Smoke Loader downloader as well as the Sodinokibi, Paradise, and AnteFrigus ransomware.
Since its March debut, the Spelevo exploit kit has become very popular with the operators of malvertising campaigns that hide their malicious pages behind the technique known as domain shadowing. Spelevo's payload has also become more diverse: in addition to the PsiXBot infostealer, it now delivers the Gootkit Trojan and the Maze ransomware.
The Fallout exploit kit is noteworthy because, unlike its counterparts, it uses obfuscation and carefully checks the environment before downloading the target malware.
“It also uses the Diffie-Hellman key exchange as a measure of protection against offline analysis. During the reporting period, attackers used Fallout to deliver Sodinokibi, the modular Danabot Trojan, and the AZORult, Kpot, and Raccoon infostealers”, Malwarebytes experts report.
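The Diffie-Hellman point is worth making concrete from the analyst's side. The following Python script is an added example, not Malwarebytes' code and not anything taken from Fallout: it simulates a key exchange between a "server" (the kit) and a "client" (the browser) over the 1024-bit MODP group from RFC 2409, encrypts a constructed sample payload with a key derived from the shared secret, and then contrasts what a passive network capture yields with what an instrumented endpoint yields. The HMAC-based keystream cipher, the capture and log layouts, and all function names are assumptions for the demo.

```python
"""Why a DH-protected exploit-kit payload resists offline analysis (added demo).

A toy exchange between a 'server' (the kit) and a 'client' (the browser), with
a constructed payload encrypted under the derived key.  Two recovery paths are
then compared: a passive network capture versus an instrumented endpoint that
logged the client's private exponent at the time of infection.
"""
import hashlib
import hmac
import secrets

# Group parameters: the 1024-bit MODP prime from RFC 2409 (Oakley group 2)
# with generator 2.  Chosen here only so the demo uses a real safe prime; the
# page does not say which group Fallout uses.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = 2 + secrets.randbelow(P - 3)  # x in [2, p-2]
    return x, pow(G, x, P)


def dh_shared_key(own_private, peer_public):
    """Derive a 32-byte symmetric key from the shared secret peer_pub^own_priv mod p."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def keystream_xor(key, data):
    """Demo stream cipher: XOR data with an HMAC-SHA256 counter keystream.
    Encryption and decryption are the same operation (assumed cipher, demo only)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def run_exchange(payload):
    """Simulate the exchange; return (what a sniffer sees, what the endpoint can log)."""
    srv_priv, srv_pub = dh_keypair()
    cli_priv, cli_pub = dh_keypair()
    key = dh_shared_key(srv_priv, cli_pub)
    assert key == dh_shared_key(cli_priv, srv_pub)  # both sides agree on the key
    capture = {                       # everything that crosses the wire
        "p": P, "g": G,
        "server_pub": srv_pub, "client_pub": cli_pub,
        "ciphertext": keystream_xor(key, payload),
    }
    endpoint_log = {"client_priv": cli_priv}  # never transmitted, only in browser memory
    return capture, endpoint_log


def recover_with_endpoint_log(capture, endpoint_log):
    """Instrumented host: the client's private exponent makes decryption immediate."""
    key = dh_shared_key(endpoint_log["client_priv"], capture["server_pub"])
    return keystream_xor(key, capture["ciphertext"])


def recover_from_capture_only(capture, max_tries=100_000):
    """Passive capture: the only route is a discrete log for the client's exponent.
    A bounded brute force stands in for that search; returns None when it fails."""
    g, p = capture["g"], capture["p"]
    acc = 1
    for x in range(1, max_tries + 1):
        acc = acc * g % p                      # acc == g^x mod p
        if acc == capture["client_pub"]:
            key = dh_shared_key(x, capture["server_pub"])
            return keystream_xor(key, capture["ciphertext"])
    return None


if __name__ == "__main__":
    sample = b"constructed sample payload, not a real one"   # constructed input
    cap, log = run_exchange(sample)
    print("endpoint log ->", recover_with_endpoint_log(cap, log))
    print("capture only ->", recover_from_capture_only(cap))
```

The takeaway for analysts: because the private exponents never cross the wire, a pcap of the landing page yields only p, g, the two public values and ciphertext, and turning that into the payload requires solving a discrete logarithm, which the bounded brute force illustrates failing. The client's private value dumped from the script engine at infection time, by contrast, makes decryption a one-line computation, which is why payloads protected this way are best captured live on an instrumented host rather than reconstructed from traffic afterwards.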
Magnitude’s behavior has not changed much. It uses the same infrastructure, with redirects to fake cryptocurrency exchanges, and still distributes the Magniber ransomware, but now downloads it filelessly.
The GrandSoft exploit kit has moderated its activity and in the fall months was used only to spread the Ramnit malware. The Underminer payload remains the same: the fileless Hidden Bee malware, aimed at cryptocurrency mining. The KaiXin exploit kit rarely comes into view of experts; its victims are mainly residents of Asian countries, and in the fall it was used to distribute the Dupzom Windows downloader.