Exploit kit

An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP. [1]

Exploit kits are often sold on the black market, both as standalone kits, and as a service.

History

Some of the first exploit kits were WebAttacker and MPack, both created in 2006. They were sold on black markets, enabling attackers to use exploits without advanced knowledge of computer security. [2] [3]

The Blackhole exploit kit was released in 2010, and could either be purchased outright, or rented for a fee. [4] Malwarebytes stated that Blackhole was the primary method of delivering malware in 2012 and much of 2013. [5] After the arrest of the authors in late 2013, use of the kit sharply declined. [5] [6] [7]

Neutrino was first detected in 2012, [8] and was used in a number of ransomware campaigns. It exploited vulnerabilities in Adobe Reader, the Java Runtime Environment, and Adobe Flash. [9] Following a joint operation between Cisco Talos and GoDaddy to disrupt a Neutrino malvertising campaign, [10] the authors stopped selling the kit, deciding to only provide support and updates to previous clients. Despite this, development of the kit continued, and new exploits were added. [11] As of April 2017, Neutrino activity ceased. [12] On June 15, 2017, F-Secure tweeted "R.I.P. Neutrino exploit kit. We'll miss you (not)." with a graph showing the complete decline of Neutrino detections. [13]

From 2017 onwards, the usage of exploit kits has dwindled. There are a number of factors which may have caused this, including arrests of cybercriminals, improvements in security making exploitation harder, and cybercriminals turning to other methods of malware delivery, such as Microsoft Office macros and social engineering. [14]

There are many systems that work to protect against attacks from exploit kits. These include gateway anti-virus, intrusion prevention, and anti-spyware. These protections can also be delivered to subscribers as a continuously updated service, which helps them defend against attacks as new kits and exploits appear. [15]

Overview

Exploitation process

The general process of exploitation by an exploit kit is as follows:

  1. The victim navigates to a website infected by an exploit kit. Links to infected pages can be spread via spam, malvertising, or by compromising legitimate sites.
  2. The victim is redirected to the landing page of the exploit kit.
  3. The exploit kit determines which vulnerabilities are present, and which exploit to deploy against the target.
  4. The exploit is deployed. If successful, a payload of the attacker's choosing (i.e. malware) can then be deployed on the target. [1] [16]
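As an added defender's example (not from the article or any of its cited sources), the following Python script reconstructs per-client request chains from constructed web-proxy log lines and flags hosts that match the four steps above: the client is redirected to the host from another site, fetches Flash, Java or PDF content (the software named above) from it, and then fetches an opaque binary from it. The log format, hostnames and content-type sets are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: "client referrer url content-type" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - http://news.example/story.html text/html
10.0.0.5 http://news.example/story.html http://ads.example/redir?id=7 text/html
10.0.0.5 http://ads.example/redir?id=7 http://cdn-lp.example/index.php text/html
10.0.0.5 http://cdn-lp.example/index.php http://cdn-lp.example/ex.swf application/x-shockwave-flash
10.0.0.5 http://cdn-lp.example/index.php http://cdn-lp.example/get.php?id=3 application/octet-stream
10.0.0.9 - http://news.example/story.html text/html
10.0.0.9 http://news.example/story.html http://static.example/app.js application/javascript
"""

# Assumed content types: plugins the article names as targets (Flash, Java, Adobe Reader)
# and the opaque binary types a dropped payload usually arrives as. Not exhaustive.
EXPLOIT_CARRIERS = {"application/x-shockwave-flash", "application/java-archive", "application/pdf"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log):
    """Yield (client, referrer, url, content_type); skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def host(url):
    return urlparse(url).hostname or ""


def find_landing_pages(log):
    """Map client -> hosts reached by redirect from elsewhere (step 2) that then served
    an exploit carrier (step 3/4) followed by an opaque binary payload (step 4)."""
    per_client = defaultdict(list)
    for client, ref, url, ctype in parse(log):
        per_client[client].append((host(ref), host(url), ctype))
    hits = {}
    for client, reqs in per_client.items():
        redirected_to, carrier_from = set(), set()
        for ref_host, url_host, ctype in reqs:
            if ref_host and ref_host != url_host:          # arrived on this host from another site
                redirected_to.add(url_host)
            if url_host in redirected_to and ref_host == url_host and ctype in EXPLOIT_CARRIERS:
                carrier_from.add(url_host)                 # plugin content served by the landing host
            if url_host in carrier_from and ctype in PAYLOAD_TYPES:
                hits.setdefault(client, []).append(url_host)  # payload fetched: flag the host
    return hits
```

Clients that merely follow a cross-site redirect (10.0.0.9 above) are not flagged; only the full carrier-then-binary sequence on a redirected-to host is.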

Features

Exploit kits employ a variety of evasion techniques to avoid detection. These include obfuscating the kit's code [17] and fingerprinting visitors so that malicious content is only delivered to likely targets. [18] [1]

Modern exploit kits include features such as web interfaces and statistics, tracking the number of visitors and victims. [1]

References

  1. Cannell, Joshua (11 February 2013). "Tools of the Trade: Exploit Kits". Malwarebytes Labs. Retrieved 8 April 2022.
  2. Chen, Joseph; Li, Brooks. "Evolution of Exploit Kits" (PDF). Trend Micro. Retrieved 8 April 2022.
  3. "Markets for Cybercrime Tools and Stolen Data" (PDF). RAND Corporation. 2014.
  4. "Blackhole malware exploit kit suspect arrested". BBC News. 9 October 2013. Retrieved 8 April 2022.
  5. Kujawa, Adam (4 December 2013). "Malwarebytes 2013 Threat Report". Malwarebytes Labs. Retrieved 8 April 2022.
  6. Zorabedian, John (9 October 2013). "Is the Blackhole exploit kit finished?". Sophos News. Retrieved 3 April 2022.
  7. Fisher, Dennis. "Blackhole and Cool Exploit Kits Nearly Extinct". threatpost.com. Retrieved 3 April 2022.
  8. "Neutrino Exploit kit: A walk-through into the exploit kit's campaigns distributing various ransomware". Cyware Labs. Retrieved 8 April 2022.
  9. "Neutrino". Malwarebytes Labs. Retrieved 8 April 2022.
  10. "Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down". threatpost.com. Retrieved 8 April 2022.
  11. "Former Major Player Neutrino Exploit Kit Has Gone Dark". Bleeping Computer. Retrieved 8 April 2022.
  12. Schwartz, Mathew (15 June 2017). "Neutrino Exploit Kit: No Signs of Life". www.bankinfosecurity.com. Retrieved 8 April 2022.
  13. F-Secure [@FSLabs] (15 June 2017). "R.I.P. Neutrino exploit kit. We'll miss you (not)" (Tweet). Via Twitter.
  14. "Where Have All The Exploit Kits Gone?". threatpost.com. Retrieved 8 April 2022.
  15. Malecki, Florian (June 2013). "Defending your business from exploit kits". Computer Fraud & Security. 2013 (6): 19–20. doi:10.1016/S1361-3723(13)70056-3.
  16. "exploit kit - Definition". Trend Micro. Retrieved 8 April 2022.
  17. "Exploit Kits Improve Evasion Techniques". McAfee Blog. 12 November 2014. Retrieved 8 April 2022.
  18. "Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised". Unit42. 11 January 2016. Retrieved 8 April 2022.