Exploit Kit

An exploit kit or exploit pack is a type of toolkit cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that target commonly installed software such as Adobe Flash®, Java®, and Microsoft Silverlight®.

A typical exploit kit provides a management console, a set of exploits for vulnerabilities in different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.


Stages of an exploit kit infection

 

Step 1: Contact

Attackers often use spammed email and social engineering lures to get people to click a link to an exploit kit server. Alternatively, the user clicks on a malicious advertisement (malvertisement) placed on a legitimate website.

Step 2: Redirect

The exploit kit's redirect stage screens incoming visitors and filters out those who do not meet certain requirements. For example, an exploit kit operator can target a specific country by filtering client IP addresses by geolocation.

Step 3: Exploit

The victims are then directed to the exploit kit's landing page. The landing page fingerprints the visitor's browser and plugins to determine which vulnerabilities to use in the ensuing attack.

Step 4: Infect

After successfully exploiting a vulnerability, the attacker can download and execute malware in the victim's environment.

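As an added example, not from the original page: a Python heuristic that looks for these four stages, in order and within a short window, in a client's web proxy log. The log format, the host names, and the mapping of content types to the exploit and infect stages are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

PLUGIN_TYPES = {"application/x-shockwave-flash", "application/x-silverlight-app"}  # Step 3
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}           # Step 4
WINDOW = timedelta(seconds=90)  # the four stages of one infection happen within seconds

def parse_line(line):
    """Fields of a constructed proxy log line: time ip status referer url content-type."""
    ts, ip, status, referer, url, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "status": int(status),
            "referer": referer, "ctype": ctype, "host": urlsplit(url).netloc}

def find_chains(lines):
    """Map each client IP that walked contact -> redirect -> exploit -> infect within WINDOW to the hosts of that chain."""
    per_client = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        per_client[e["ip"]].append(e)
    chains = {}
    for ip, events in per_client.items():
        stage, hosts, start = 0, [], None
        for e in sorted(events, key=lambda x: x["ts"]):
            if start is not None and e["ts"] - start > WINDOW:   # too slow: start over
                stage, hosts, start = 0, [], None
            moved = bool(hosts) and e["host"] != hosts[-1]        # left the previous host
            if stage == 0 and e["ctype"] == "text/html":          # Step 1: contact
                stage, hosts, start = 1, [e["host"]], e["ts"]
            elif stage == 1 and (e["status"] in (301, 302) or moved):
                stage = 2                                          # Step 2: redirect
            elif stage == 2 and e["ctype"] in PLUGIN_TYPES:
                stage = 3                                          # Step 3: exploit
            elif stage == 3 and e["ctype"] in PAYLOAD_TYPES:       # Step 4: infect
                chains[ip] = hosts + ([e["host"]] if moved else [])
                break
            if stage >= 2 and moved:   # keep every redirect hop in the reported chain
                hosts.append(e["host"])
    return chains

# Constructed sample: 10.0.0.5 is pushed from a news page through an ad and a gate to a
# Flash file and an EXE; 10.0.0.9 only plays a Flash video on one site (no chain).
SAMPLE_LOG = [
    "2016-06-01T10:00:01 10.0.0.5 200 - http://news.example/article.html text/html",
    "2016-06-01T10:00:02 10.0.0.5 302 http://news.example/article.html http://ads.example/serve?id=7 text/html",
    "2016-06-01T10:00:03 10.0.0.5 200 http://ads.example/serve?id=7 http://gate.example/in.php text/html",
    "2016-06-01T10:00:04 10.0.0.5 200 http://gate.example/in.php http://land.example/x.swf application/x-shockwave-flash",
    "2016-06-01T10:00:06 10.0.0.5 200 http://land.example/x.swf http://land.example/drop.exe application/x-msdownload",
    "2016-06-01T10:00:05 10.0.0.9 200 - http://video.example/watch.html text/html",
    "2016-06-01T10:00:07 10.0.0.9 200 http://video.example/watch.html http://video.example/player.swf application/x-shockwave-flash",
]
```

Calling `find_chains(SAMPLE_LOG)` reports only 10.0.0.5, with the hop sequence news.example, ads.example, gate.example, land.example; a kit that serves every stage from one host after a plain 200 would not trip the redirect check and needs a different rule.
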
Recent attacks related to exploit kits

Exploit kit activity in 2014, 2015, and 2016:

Angler

  • Delivered threats to visitors of “The Independent” after it was hacked
  • Delivered CryptoWall, TeslaCrypt, and CryptoLocker ransomware
  • Integrated the Pawn Storm Flash exploit
  • Launched a massive malvertising campaign on high-profile Japanese sites
  • Integrated Hacking Team’s Flash zero-day flaw
  • Infected PoS systems
  • Delivered the banking malware VAWTRAK
  • Included in a massive malvertising campaign, like the BEDEP malware campaign, on top sites
  • Dropped the DRIDEX malware
  • Delivered the CryptXXX ransomware
  • Hid traffic by using the Diffie-Hellman key exchange protocol

BlackHole

  • Spread the Zeus P2P variant “Gameover”

Fiesta

  • Delivered TeslaCrypt ransomware

FlashPack

  • Spread ZeuS/ZBOT and DOFOIL ransomware through free ads
  • Used compromised website add-ons

HanJuan

  • Was the first to integrate the Adobe Flash flaw CVE-2015-0313
  • Delivered BEDEP malware

Hunter

  • Delivered Locky ransomware

Magnitude

  • Linked to malicious ads on Yahoo sites
  • Exploited a patched Adobe Flash Player flaw
  • Delivered CryptoWall ransomware
  • Delivered Cerber ransomware

Neutrino

  • Delivered CryptoWall and TeslaCrypt ransomware
  • Delivered the card-scraping Kasidet worm
  • Delivered Cerber and CryptXXX ransomware

Nuclear

  • Delivered CryptoWall, TeslaCrypt, CTB-Locker, and Troldesh
  • Exploited a patched Adobe Flash Player flaw
  • Integrated the Pawn Storm Flash exploit
  • Integrated the Hacking Team Flash zero-day flaw
  • Delivered Adobe Flash exploits through a compromised ad network in the US
  • Delivered Locky ransomware
  • Hid traffic by using the Diffie-Hellman key exchange protocol

Rig

  • Delivered CryptoWall and TeslaCrypt ransomware
  • Delivered DRIDEX malware
  • Spotted in a malvertising campaign in Japan
  • Used a zero-day flaw from the Hacking Team leak
  • Delivered Ransom_GOOPIC ransomware

Sundown

  • Delivered the card-scraping Kasidet worm
  • Exploited use-after-free vulnerabilities in Adobe Flash Player
  • Delivered CryptoShocker ransomware

Sweet Orange

  • Included in a malicious YouTube ad campaign

Vulnerabilities mostly exploited by exploit kits

Exploit kits typically integrate vulnerabilities in popular applications that many users leave poorly patched. We tallied the vulnerabilities that were commonly exploited from 2010 to the first half of 2016 and found that cybercriminals most often exploit the following:

CVE-2013-2551

Affected software: Microsoft Internet Explorer® 6 through 10

Description: This use-after-free vulnerability allows remote attackers to execute arbitrary code via a crafted website that triggers access to a deleted object.

Related attacks: Banking Trojan attack on South Korean banks, malicious YouTube ads

CVE-2015-0311

Affected software: Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows® and through 11.2.202.438 on Linux

Description: This is an Adobe Flash Player buffer overflow vulnerability that allows remote attackers to execute arbitrary code via unknown vectors.

Related attacks: Malvertising attacks, BEDEP malware attacks

CVE-2015-0359

Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux

Description: This is an Adobe Flash Player memory corruption vulnerability that allows an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Related attacks: Attack on a compromised US-based ad network

CVE-2014-0515

Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux

Description: This is an Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object. It allows attackers to execute arbitrary shellcode.

Related attacks: Malicious YouTube ads

CVE-2014-0569

Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux

Description: This is an Adobe Flash Player remote integer overflow vulnerability that allows attackers to execute arbitrary code via unspecified vectors.

 
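As an added example, not code from the page or from Trend Micro: a small Python check that tests an installed Flash Player build against the Windows and Linux affected ranges stated above (the OS X ranges are left out for brevity). The version boundaries are exactly those listed for each CVE; the "before", "through" and branch rules encode the wording of the affected-software lines.

```python
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]
Rule = Callable[[Version], bool]

def parse_version(text: str) -> Version:
    """Turn a dotted Flash Player version such as '16.0.0.287' into a comparable 4-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def before(limit: str) -> Rule:      # "before X": strictly older than X
    lim = parse_version(limit)
    return lambda v: v < lim

def through(limit: str) -> Rule:     # "through X": X itself is still affected
    lim = parse_version(limit)
    return lambda v: v <= lim

def between(low: str, upper: Rule) -> Rule:   # "14.x through ...": a newer branch
    lo = parse_version(low)
    return lambda v: v >= lo and upper(v)

# Affected ranges transcribed from the descriptions above (Windows and Linux only).
AFFECTED: Dict[str, Dict[str, List[Rule]]] = {
    "CVE-2015-0311": {"windows": [through("13.0.0.262"), between("14.0", through("16.0.0.287"))],
                      "linux": [through("11.2.202.438")]},
    "CVE-2015-0359": {"windows": [before("13.0.0.281"), between("14.0", before("17.0.0.169"))],
                      "linux": [before("11.2.202.457")]},
    "CVE-2014-0515": {"windows": [before("11.7.700.279"), between("11.8", before("13.0.0.206"))],
                      "linux": [before("11.2.202.356")]},
    "CVE-2014-0569": {"windows": [before("13.0.0.250"), between("14.0", before("15.0.0.189"))],
                      "linux": [before("11.2.202.411")]},
}

def affected_cves(platform: str, version: str) -> List[str]:
    """CVEs from the list above whose affected range contains this Flash Player build."""
    v = parse_version(version)
    return [cve for cve, rules in AFFECTED.items()
            if any(rule(v) for rule in rules.get(platform.lower(), []))]

if __name__ == "__main__":
    for plat, ver in [("windows", "16.0.0.287"), ("windows", "17.0.0.169"), ("linux", "11.2.202.438")]:
        print(plat, ver, affected_cves(plat, ver) or "not in any listed range")
```

Note that a build on an older branch can sit outside one range and inside another (13.0.0.206 is fixed for CVE-2014-0515 but still inside the CVE-2014-0569 and 2015 ranges), which is why the check reports every matching CVE rather than a single verdict.
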

History of Exploit Kits

Year and incident:

2006: WebAttacker kit (sold for US$20) and MPack (sold for US$1000) were discovered in the Russian cybercriminal underground

2007: NeoSploit, Phoenix, Tornado, and Armitage exploit kits emerged

2008: Fiesta, AdPack, and FirePack exploit kits emerged

Mar 2010: Malicious ads led to the Liberty exploit kit

Aug 2010: The first version of the Blackhole exploit kit (BHEK) was released

Sep 2012: Blackhole 2.0 was released in the wild

Jan 2013: Cool and BHEK distributed REVETON and other ransomware variants

Feb 2013: Whitehole exploit kit emerged (sold at US$200 to US$1800)

Mar 2013: Neutrino exploit kit emerged underground (rented at US$40/day or US$450/month)

Apr 2013: BHEK linked to a large-scale brute-force attack on WordPress blogs

Oct 2013: Paunch, the creator of BHEK, was arrested by Russian law enforcement

Oct 2013: Bleeding Life exploit kit used in the Apollo banking Trojan campaign

Jan 2014: Malicious Yahoo website ads led to the Magnitude exploit kit

Jun 2014: Zeus P2P variant Gameover led to BHEK sites

Jun 2014: Compromised Japanese sites led to the Angler exploit kit and VAWTRAK

Sep 2014: Nuclear exploit kit expanded its attack surface with Silverlight®

Oct 2014: YouTube ads led to the Sundown exploit kit

Apr 2015: Fiesta exploit kit spread crypto-ransomware

Jul 2015: Hacking Team Flash zero-day flaws were integrated into the Angler and Nuclear exploit kits

Jul 2015: The Angler exploit kit was used to find and infect PoS systems

Sep 2015: Massive malvertising campaign using the Angler exploit kit hit 3,000 high-profile Japanese sites

Sep 2015: Angler and Nuclear exploit kits abused the Diffie-Hellman key exchange to hide traffic

Mar 2016: Massive malvertising campaign in the US led to the Angler exploit kit

Apr 2016: BHEK creator Paunch was sentenced to seven years in a Russian prison

Jun 2016: Angler exploit kit ceased operations after malware-related arrests

How to protect your organization from exploit kits

  • Promptly patch all endpoints in the system to block the known threats that are integrated into exploit kits.
  • Deploy a solution with vulnerability protection technology to proactively shield your systems from unknown vulnerabilities, based on network protocol deviations and other suspicious attack routines.
  • Update browsers and plugins to the latest version, and use browser exploit prevention technology that can protect against zero-day vulnerabilities and block malware that tries to come in via your browser.

Related terms:
Exploit, zero-day exploit, cookies, hacking, vulnerability, virtual patching, SQL injection, cross-site scripting, Internet of Things

Related papers/primers:

Monitoring Vulnerabilities: Are your Servers Exploit-Proof?

Virtual Patching in Mixed Environments: How It Works To Protect You

Related infographics:

Shellshock Vulnerability: The Basics of the “Bash Bug”

Stop threats dead in their tracks/Blackhole Exploit Kit

Dodging a Compromise: A Peek at Exposure Gaps

The Internet of Everything: Layers, Protocols and Possible Attacks

Graphics: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf