Exploit Kit

An exploit kit or exploit pack is a type of toolkit cybercriminals use to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that can target commonly installed software such as Adobe Flash®, Java®, Microsoft Silverlight®.

A typical exploit kit usually provides a management console, a bunch of vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.

$exploit kit$

Stages of an exploit kit infection

Step 1: Contact

The attacker often use spammed email and social engineering lures to make people click the link of an exploit kit server. In another form, a user clicks on a malicious advertisement (malvertisement) found in a legitimate website.

Step 2: Redirect

The exploit kit generator screens for its target and then filters out victims who don’t meet certain requirements. For example, an exploit kit operator can target a specific country by filtering client IP address by geolocation.

Step 3: Exploit

The victims are then directed into the exploit kit’s landing page. The landing page determines which vulnerabilities should be used in the ensuing attack.

Step 4: Infect

After successfully exploiting a vulnerability, the attacker can now download and execute malware in the victim’s environment.

Recent attacks related to exploit kits

EXPLOIT KIT	2014	2015	2016
Angler	Delivered threats to visitors of “The Independent” after it was hacked. Delivered CryptoWall, TeslaCrypt, CryptoLocker ransomware Integrated the Pawn Storm Flash exploit Launched a massive malvertising campaign on high-profile Japanese sites Integrated Hacking Team’s Flash zero-day flaw Infected PoS systems Delivered macro through thebanking malware VAWTRAK Included in a massive malvertising campaign, like the BEDEP malware campaign, on top sites Dropped the DRIDEX malware Delivered the CryptXXX ransomware Hid traffic by using the Diffie-Hellman key exchange protocol
BlackHole	Spread Zeus P2P variant “Gameover”
Fiesta	Delivered TeslaCrypt ransomware
FlashPack	Used free ads to Spread ZeuS/ ZBOT, DOFOIL ransomware through free ads Used compromised website add-ons
HanJuan	Was the first to integrate the Adobe Flash flaw CVE-2015-0313 Delivered BEDEP malware
Hunter	Delivered Locky ransomware
Magnitude	Linked to malicious ads on Yahoo sites	Exploited a patched Adobe Flash player flaw Delivered CryptoWall ransomware	Delivered Cerber ransomware
Neutrino	Delivered CryptoWall, TeslaCrypt ransomware Delivered card-scraping Kasidet worm	Delivered Cerber, CryptXXX ransomware
Nuclear	Delivered CryptoWall, TeslaCrypt, CTB-Locker, Troldesh Exploited patched Adobe Flash player flaw Integrated Pawn Storm Flash exploit Integrated HackingTeam Flash zero-day flaw Delivered Adobe Flash exploits through a compromised ad network in the US Delivered Locky ransomware Hid traffic by using the Diffie-Hellman key exchange protocol
Rig	Delivered CryptoWall, TeslaCrypt ransomware	Delivered DRIDEX malware Spotted in malvertising campaign in Japan Used Hacking team leak 0-day flaw Delivered Ransom_GOOPIC ransomware
Sundown	Delivered card-scraping Kasidet worm	Employs use-after-free vulnerabilities in Adobe Flash Player Delivered CryptoShocker ransomware
Sweet Orange	Included in a malicious YouTube ad campaign

Vulnerabilities mostly exploited by exploit kits

Exploit kits typically integrate vulnerabilities of popular applications, which many users leave poorly patched. We tallied all the vulnerabilities that were commonly exploited from 2010 to the first half of 2016 and found that cybercriminals often exploit the following :

CVE-2013-2551

Affected software: Microsoft Internet Explorer® 6 through 10

Description: This use-after-free vulnerability allows remote attackers to execute arbitrary code via a crafted website that triggers access to a deleted object.

Related attacks: Banking Trojan attack on South Korean banks, Malicious YouTube ads,

CVE-2015-0311

Affected software: Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows® and through 11.2.202.438 on Linux

Description: This is an Adobe Flash Player buffer overflow vulnerability that allows remote attackers to execute arbitrary code via unknown vectors.

Related attacks: Malvertising attacks, BEDEP malware attacks

CVE-2015-0359

Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux

Description: This is an Adobe Flash Player memory corruption vulnerability that allows an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Related attacks: Attack on compromised US-based ad network

CVE-2014-0515

Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux

Description: This is an Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object. It allows attackers to run some processes and run an arbitrary shellcode.

Related attacks: Malicious YouTube ads

CVE-2014-0569

Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux

Description: This is an Adobe Flash Player remote integer overflow vulnerability that allows attackers to execute arbitrary code via unspecified vectors.

History of Exploit Kits

YEAR	INCIDENT
2006	WebAttacker kit (sold for US$20) and the Mpack (sold for US$1000) were discovered in the Russian cybercriminal underground
2007	NeoSploit, Phoenix, Tornado, and Armitage exploit kits emerged
2008	Fiesta, AdPack, and FirePack exploit kits emerged
Mar 2010	Malicious ads lead to the Liberty exploit kit
Aug 2010	The first version of the Blackhole exploit kit (BHEK) was released
Sep 2012	Blackhole 2.0 was released in the wild
Jan 2013	Cool and BHEK distribute REVETON and other ransomware variants
Feb 2013	Whitehole exploit kit emerged (sold at US$200 to US$1800)
Mar 2013	Neutrino exploit kit emerged underground (rented at US$40/day or US$450/month)
Apr 2013	BHEK linked to large-scale brute force attack on Wordpress blogs
Oct 2013	Paunch, the creator of the BHEK, was arrested by Russian law enforcement
Oct 2013	Bleeding life exploit kit used in Apollo banking Trojan campaign
Jan 2014	Malicious Yahoo website ads led to Magnitude exploit kit
Jun 2014	Zeus P2P variant, Gameover, led to BHEK sites
June 2014	Compromised Japanese sites led to Angler exploit kit and VAWTRAK
Sep 2014	Nuclear exploit kit expands attack surface with Silverlight®
Oct 2014	YouTube Ads lead to Sundown exploit kit
April 2015	Fiesta exploit kit spread crypto-ransomware
Jul 2015	HackingTeam Flash zero-day flaws were integrated Into Angler and Nuclear exploit Kits
Jul 2015	The Angler exploit kit was used to find and infect PoS systems
Sep 2015	Massive malvertising campaign using Angler exploit hit 3,000 high-profile Japanese sites
Sep 2015	Angler and Nuclear exploit kit abuse Diffie-Hellman key exchange to hide traffic
Mar 2016	Massive malvertising campaign in US led to Angler exploit kit
Apr 2016	BHEK creator Paunch was sentenced to seven years in a Russian prison
Jun 2016	Angler exploit kit ceased operations after malware-related arrest

How to protect your organization from exploit kits

Promptly patch all endpoints in the system to block known threats that are integrated into exploit kits.
Deploy a solution with vulnerability protection technology to proactively shield your systems from unknown vulnerabilities based on network protocol deviations and other suspicious attack routines.

Update browsers and plugins to the latest version and use browser exploit prevention technology that can protect zero-day vulnerabilities and block malware that may try to come in via your browser.

Related terms: Exploit, zero-day exploit, cookies, hacking, vulnerability, virtual patching, SQL injection, cross-side scripting, Internet of Things

Related papers/primers :

Monitoring Vulnerabilities: Are your Servers Exploit-Proof?

Virtual Patching in Mixed Environments: How It Works To Protect You

Related infographics:

Shellshock Vulnerability: The Basics of the “Bash Bug”

Stop threats dead in their tracks/Blackhole Exploit Kit

Dodging a Compromise: A Peek at Exposure Gaps

The Internet of Everything: Layers, Protocols and Possible Attacks

Graphics: https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-evolution-of-exploit-kits.pdf