By: Derek Gooley

Top Exploit Kit Activity Roundup - Fall 2016

Exploit Kit


This is the third in a series of blogs reviewing the activity of the current top exploit kits. Exploit Kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers as a way to deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for sale, distributing malware for other malicious actors.

Since our last roundup, there have been significant changes in several EKs. Neutrino, a very active EK during the summer, went offline in late September. RIG EK activity has increased, especially with the shutdown of Neutrino. New variants of Neutrino and RIG appeared in October, with modifications to their URL patterns and JavaScript source.

You can read our previous roundup here.

Neutrino Exploit Kit

Following the shutdown of Angler EK in June, Neutrino activity significantly increased to fill the hole it left. Neutrino became a primary EK for malvertising campaigns as well as the main distributor of CryptXXX ransomware payloads.

From late July through late September, Neutrino was frequently observed delivering CrypMIC, a recent CryptXXX variant, via the pseudoDarkleech and EITest campaigns. Other smaller campaigns were seen dropping Locky ransomware and a variety of malware payloads.

In late September, all Neutrino traffic abruptly stopped. Security researchers reported that the seller of Neutrino announced (on a closed forum) that all activity would be halted. This came shortly after a large malvertising campaign using Neutrino to deliver CrypMIC was taken down.

Figure 1: Neutrino hits, September - November 2016

Although Neutrino was reported to be shut down around September 21st, some gates and compromised sites remained active for a short time thereafter, redirecting to inactive landing pages.


Since the shutdown of the standard Neutrino, a new variant first noted by Kafeine has emerged. Neutrino-v has been a relatively low-volume EK mainly active in South Korea and Taiwan. This variant features a modified landing page and a retooled CVE-2016-4117 flash exploit.

Neutrino-v has been seen dropping Cerber payloads.

RIG Exploit Kit

Figure 2: RIG hits, September - November 2016

Figure 3: RIG heat map

RIG has managed to achieve the position of the current top active exploit kit. As Angler and Neutrino each shut down, RIG has surged in activity to help fill the void in ransomware distribution. In particular, RIG took over distribution of CrypMIC after Neutrino ceased activity in late September.


Figure 4: RIG-v hits, October - November 2016

In mid-September, a new variant of the RIG EK (coined “RIG-v” by Kafeine) began to surface. RIG-v features a different URI scheme, modified landing page obfuscation, and RC4 encryption.

Figure 5: RIG-v landing page request

Figure 6: RIG-v landing page

RIG-v has primarily been observed dropping Cerber and CryptFile2 ransomware payloads.


Another RIG variant, RIG-E, was also observed, as it was launched quietly in August. This variant uses the standard RIG URL scheme, and in mid November, switched to the RC4-encrypted landing page introduced by RIG-v. RIG-E is mainly delivered by the EITest campaign.

Malware Traffic Analysis provided a recent data dump of standard RIG, RIG-v, and RIG-E chains

KaiXin Exploit Kit

KaiXin is a smaller exploit kit, first identified in 2012. KaiXin typically targets Asian sites, and has been delivered via banner ads and JavaScript injection on compromised sites. SANS published an overview of a KaiXin EK malvertising session earlier this year.

KaiXin has had relatively low activity for the last couple years, though we have observed a recent increase in activity and changes in its chain.

Figure 7: Injected KaiXin script

In our recently observed samples, KaiXin masquerades as a CNZZ statistics tracking script and uses URL encoding to trivially obfuscate the injected script.

Figure 8: Deobfuscated KaiXin script

The KaiXin injected script prevents the malicious iFrame from being delivered if the request user-agent is from an iOS or Android device. It also saves a dictionary in local browser storage with the current date and number of times the script has been executed to prevent the exploit chain from executing more than once per day and more than five times total.

Figure 9: Recent KaiXin SWF delivery page

The initial KaiXin landing page, which has no obfuscation, contains logic for handling different browsers (including QQ Browser). Internet Explorer (IE) browsers (version 10 or 11) are redirected to a SWF delivery page. For IE browsers older than version 10, the victim is redirected to an obfuscated exploit for CVE-2016-0189. CVE-2016-0189 had also been deployed in the Sundown EK and Neutrino EK in July, immediately after proof-of-concept code became available.

KaiXin is currently delivering adware packages, such as software from Baidu.

Other Exploit Kits

Sundown Exploit Kit

Sundown, still a relatively new EK, is gradually becoming more active, particularly with malvertising campaigns. In September, we observed a malvertising campaign in which Sundown was served alongside RIG.

Figure 10:

More information on this campaign can be found in our September blog post on malvertising chains.

In mid-October, we also began to observe some variations on typical Sundown exploit chains.

Angler Exploit Kit

Still inactive.

Nuclear Exploit Kit

Still inactive.


Exploit kits pose a significant threat to users during simple web browsing. In the case of ransomware, infection could result in the inability of a user to access his or her files. The techniques exploit kit authors use to hide their activities are frequently changing, and security researchers work hard to analyze and block these new threats.

To help avoid infections such as those described in this report, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Zscaler’s ThreatLabZ has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using Zscaler’s Internet security platform.

Learn more about Zscaler.