Computer Exploit Kits: The Channel for Malware 

Written By

Capsicum Group

What is a computer exploit? An exploit is a program that takes advantage of vulnerabilities in networks, software, or hardware. An exploit is not malware. It is the conduit to deliver malware. Exploits penetrate and assault systems with ransomware, denial of service, and other types of malware.

Exploit kits are programs used to exploit systems and applications. What makes an exploit kit so dangerous is its ability to identify victims while they browse the web: the kit probes the visitor's browser and plug-ins for vulnerabilities, and once a vulnerable victim is found the attacker downloads and executes malware on the machine. Exploit kits don’t require victims to download a file. If you browse a compromised website, that site pulls in hidden code that attacks the user’s browser.
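The "hidden code pulled in by a compromised site" is very often an injected iframe that is invisible to the visitor but loads an off-site landing page. The following scanner, an added example that is not code from the article or from Capsicum Group, walks a page's HTML and reports iframes that are both concealed (1x1 size or a hiding CSS rule) and loaded from a host other than the page's own. The sample HTML and every hostname in it are constructed placeholders, not real indicators.

```python
"""Heuristic scanner for injected hidden iframes in a web page.

Added example (not code from the original article or from Capsicum Group).
The sample HTML below is constructed for illustration; the hostnames in it
are placeholders, not real indicators of compromise.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page whose footer has been injected with a
# 1x1 iframe pointing off-site, which is how a compromised site silently pulls
# in an exploit-kit landing page while the visitor browses.
SAMPLE_HTML = """
<html><body>
<h1>Company News</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<p>Quarterly results are in.</p>
<iframe src="http://landing.invalid/gate.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
<iframe src="/local/widget" style="display:none"></iframe>
</body></html>
"""

# CSS rules commonly used to keep an element off the visible page
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)


def _tiny(value):
    """True if a width/height attribute is present and at most 1 px."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_hidden_iframes(html, page_host):
    """Return iframes that are both concealed and loaded from a foreign host.

    Concealed means tiny dimensions or a hiding CSS rule. Foreign means the
    src host differs from the page host (relative URLs are same-origin and
    are therefore not reported, even when hidden).
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        src_host = urlparse(src).hostname
        foreign = src_host is not None and src_host.lower() != page_host.lower()
        hidden = (_tiny(attrs.get("width")) and _tiny(attrs.get("height"))) \
            or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if hidden and foreign:
            findings.append({"src": src, "host": src_host})
    return findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, "news.example.org"):
        print("suspicious hidden iframe ->", f["src"])
```

Only the 1x1 off-site frame is reported; the visible video embed and the hidden but same-origin widget are left alone, which keeps the check usable on real sites where hidden same-origin frames are common. A real deployment would run this over the HTML as served to a browser, since injected code is frequently added by server-side templates rather than in the files visible on disk.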

Events that occur for an exploit kit attack to be successful are:

1. Targeting a compromised website, which unknowingly diverts its web traffic to another landing page

2. Running malware on the host, with a vulnerable application as its gateway

3. Sending a payload to infect the host when the exploit is successful
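The three stages above leave a recognisable footprint in web proxy logs: a client is referred from a site it visited on purpose to a host it has never contacted, that host serves browser plug-in content, and shortly afterwards the same client fetches an executable from it. The detector below is an added example, not code from the article or from Capsicum Group; its log format, hostnames and URLs are constructed for illustration, and the content-type lists and 60-second window are assumptions to tune for your own environment.

```python
"""Spot the three-stage exploit-kit chain in web proxy logs.

Added example (not from the original article or from Capsicum Group).
Log format and all hosts/URLs below are constructed for illustration.
Stage 1: the client is referred from a site it chose to visit to a new host
Stage 2: that host serves plug-in content (Flash, Java, Silverlight)
Stage 3: the same client then fetches an executable from that host
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed log: timestamp client url status content-type referer ("-" = none)
SAMPLE_LOG = """\
2019-03-04T10:00:01 10.1.1.5 http://news.example.org/index.html 200 text/html -
2019-03-04T10:00:02 10.1.1.5 http://news.example.org/ads/show 302 text/html http://news.example.org/index.html
2019-03-04T10:00:02 10.1.1.5 http://gate.invalid/land.php 200 text/html http://news.example.org/ads/show
2019-03-04T10:00:04 10.1.1.5 http://gate.invalid/x.swf 200 application/x-shockwave-flash http://gate.invalid/land.php
2019-03-04T10:00:09 10.1.1.5 http://gate.invalid/dl.php?id=7 200 application/x-msdownload -
2019-03-04T10:05:00 10.1.1.9 http://cdn.example.com/app.swf 200 application/x-shockwave-flash http://www.example.com/
2019-03-04T10:05:03 10.1.1.9 http://downloads.example.com/setup.exe 200 application/x-msdownload http://www.example.com/get
"""

# Assumed content types; extend to match what your proxy actually records.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                "application/x-java-applet", "application/x-silverlight-app"}
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec",
             "application/octet-stream"}
WINDOW_SECONDS = 60  # max gap between plug-in content and payload download


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, ctype, referer = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "host": urlparse(url).hostname,
            "status": int(status),
            "ctype": ctype.lower(),
            "ref_host": urlparse(referer).hostname if referer != "-" else None,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_exploit_chains(events):
    """Return one alert per executable download that completes the chain."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = []
    for client, evs in by_client.items():
        # First request each client ever made to each host (stage 1 evidence)
        first_contact = {}
        for e in evs:
            first_contact.setdefault(e["host"], e)

        for i, e in enumerate(evs):
            if e["ctype"] not in EXE_TYPES:
                continue
            host = e["host"]
            arrived = first_contact[host]
            # Stage 1: the client reached this host from a different site
            referred = arrived["ref_host"] is not None and arrived["ref_host"] != host
            # Stage 2: plug-in content from the same host shortly before the download
            plugin_hits = [p for p in evs[:i]
                           if p["host"] == host and p["ctype"] in PLUGIN_TYPES
                           and (e["ts"] - p["ts"]).total_seconds() <= WINDOW_SECONDS]
            if referred and plugin_hits:
                alerts.append({"client": client, "host": host,
                               "referred_from": arrived["ref_host"],
                               "exploit_url": plugin_hits[-1]["url"],
                               "payload_url": e["url"]})
    return alerts


if __name__ == "__main__":
    for a in find_exploit_chains(parse_log(SAMPLE_LOG)):
        print("exploit-kit chain:", a)
```

Client 10.1.1.5 trips all three stages and is reported; client 10.1.1.9 downloads an installer after loading Flash content, but from a different host than the one that served the plug-in, so the chain is incomplete and no alert fires. Requiring all three stages on one host is what keeps the false-positive rate manageable on ordinary software-download traffic.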

Exploit Samples

  • Angler is a powerful exploit kit that has enabled zero-day attacks on software such as Flash, Java, and Silverlight. Angler may be responsible for compromising nearly 100,000 websites and tens of millions of users.
  • Blackhole conducts drive-by downloads. It finds a website that can be exploited and exposes its visitors to attacks. Then it downloads malware (often ransomware) through browser, Java, or Adobe Flash plug-in vulnerabilities.
  • The Flashpack exploit kit was used to distribute various pieces of malware, including the information-stealing malware Zeus, the Dofoil Trojan, and the Cryptowall ransomware. When users accessed a website that served malicious ads, they were transferred by way of redirects to a Flashpack exploit kit page that served up ransomware.
  • The GrandSoft exploit kit was a malvertising (advertising that infects a user’s computer when they click on an advertisement) threat that redirected unsuspecting users and installed password-stealing trojans, ransomware, and clipboard hijackers. GrandSoft exploit kits pushed the Ramnit banking trojan, which stole victims’ login credentials, banking credentials, FTP accounts, browser history, site injections, and more.
  • The Hunter exploit kit helped launch the Brazilian banking trojan “Bancos”. Bancos used man-in-the-browser (MITB) techniques to steal banking and other financial credentials.
  • The Neutrino exploit kit was one of the most popular. Neutrino enabled anyone, with no coding experience required, to infect PCs with malware, turning them into ‘zombie’ nodes in a botnet.
  • The Nuclear exploit kit was used by paying customers to access and customize their paid attack. Nuclear managed a rotating stock of landing pages served through malicious links, exploited web pages, and malicious advertisements.
  • RIG is viewed by many as the most prolific exploit kit. RIG utilizes a three-pronged attack strategy that leverages JavaScript, Flash, or VBScript.
  • The Sundown exploit kit used a technique called steganography to hide its exploits in harmless-looking image files. Sundown used PNG images to disguise various exploits, including ones targeting Internet Explorer and Flash Player.
  • Sweet Orange targets the Windows 8.1 and Windows 7 operating systems along with the Internet Explorer, Firefox, and Google Chrome web browsers.
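Because Sundown-style kits hide exploit code inside image files, a defender's first question about an image pulled in from an untrusted page is whether it is structurally an ordinary picture at all. The inspector below is an added example, not code from the article, from Capsicum Group, or from any exploit kit: it walks a PNG chunk by chunk and reports bytes appended after IEND, chunk types outside the PNG standard, CRC mismatches, and compressed image data larger than the picture could possibly need. These are cheap structural heuristics; data hidden pixel by pixel inside a well-formed image (true steganography) will pass them, so treat a clean result as "no crude tampering", not "safe". The private chunk name `daTa` and the test images are constructed here.

```python
"""Structural triage of PNG files for appended or out-of-place data.

Added example (not from the original article or from Capsicum Group).
build_png() constructs minimal valid PNGs so the example runs offline;
the chunk name b"daTa" is a made-up private chunk used only for the test.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Critical and ancillary chunk types defined by the PNG specification
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
                b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
                b"hIST", b"pHYs", b"sPLT", b"tIME"}


def _crc(ctype, data):
    return struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def _chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + _crc(ctype, data)


def build_png(width, height, extra_chunks=(), trailing=b""):
    """Constructed 8-bit RGB all-black PNG, optionally tampered with."""
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    png = PNG_SIG
    png += _chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))
    png += _chunk(b"IDAT", zlib.compress(raw))
    for ctype, data in extra_chunks:
        png += _chunk(ctype, data)
    png += _chunk(b"IEND", b"")
    return png + trailing


def inspect_png(blob):
    """Return a list of human-readable findings; an empty list means no anomaly."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["missing PNG signature"]
    pos = len(PNG_SIG)
    width = height = None
    idat_total = 0
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name = ctype.decode("latin-1")
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            findings.append("truncated chunk %s" % name)
            break
        if _crc(ctype, data) != crc:
            findings.append("bad CRC on chunk %s" % name)
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif ctype == b"IDAT":
            idat_total += length
        elif ctype not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(blob):
        findings.append("%d trailing bytes after IEND" % (len(blob) - pos))
    # Compressed pixel data cannot legitimately exceed the raw RGBA size
    # (4 bytes per pixel plus one filter byte per row) by any real margin.
    if width and height and idat_total > 4 * width * height + height + 64:
        findings.append("IDAT larger than the image could require (%d bytes)" % idat_total)
    return findings


if __name__ == "__main__":
    clean = build_png(4, 4)
    tampered = build_png(4, 4,
                         extra_chunks=[(b"daTa", bytes(range(256)) + b"\x00" * 44)],
                         trailing=b"appended-bytes")
    print("clean:", inspect_png(clean))
    print("tampered:", inspect_png(tampered))
```

Used on a proxy or mail gateway, this sort of check is a triage filter: images that fail it deserve a closer look, while those that pass still need content inspection if the source is untrusted.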

What Does This Mean and What’s Next

While new exploits continue to be created, older exploits are leaked and become publicly available. Attackers are able to modify these older exploit kits to be more resilient to newer security detection. Kits are advertised for sale and for rent online and on the Dark Web. These malicious sites also offer support and contract updates to exploit kit purchasers.

What should you and your firm do beyond anti-malware, software updates, and intrusion protection solutions? Regulatory compliance, third-party audits, and proactive diligence are some great starting points. Capsicum provides a comprehensive suite of cybersecurity services to proactively mitigate threats before, during, and after an attack occurs.

Our team can conduct services such as Code Review, Tabletop Exercises, Phishing Attack Simulation, Penetration Testing, and Compliance Audits. We also look at a firm’s technology infrastructure and provide training and incident response plans. Proactive assessments like these create a strong security posture and protect your digital infrastructure. At Capsicum we maintain a high level of threat intelligence to help our clients maneuver through the ever-evolving cyber landscape. Send us a note to learn more about our cyber services.