This is the third in a series of blogs reviewing the activity of the current top exploit kits. Exploit Kits (EKs) are rapidly deployable software packages that exploit vulnerabilities in web browsers and their plugins (such as Flash) to deliver a malicious payload to a victim’s computer. EK authors offer their kits as a service for sale, distributing malware on behalf of other malicious actors.
You can read our previous roundup here.
Following the shutdown of Angler EK in June 2016, Neutrino activity increased significantly to fill the gap it left. Neutrino became the primary EK for malvertising campaigns as well as the main distributor of CryptXXX ransomware payloads.
From late July through late September, Neutrino was frequently observed delivering CrypMIC, a recent CryptXXX variant, via the pseudoDarkleech and EITest campaigns. Other smaller campaigns were seen dropping Locky ransomware and a variety of malware payloads.
In late September, all Neutrino traffic abruptly stopped. Security researchers reported that the seller of Neutrino announced (on a closed forum) that all activity would be halted. This came shortly after a large malvertising campaign using Neutrino to deliver CrypMIC was taken down.
Figure 1: Neutrino hits, September - November 2016
Although Neutrino was reported to be shut down around September 21st, some gates and compromised sites remained active for a short time thereafter, redirecting to inactive landing pages.
Since the shutdown of standard Neutrino, a new variant, first noted by Kafeine, has emerged. Neutrino-v has been a relatively low-volume EK, mainly active in South Korea and Taiwan. This variant features a modified landing page and a retooled exploit for the Flash vulnerability CVE-2016-4117.
Neutrino-v has been seen dropping Cerber payloads.
Figure 2: RIG hits, September - November 2016
Figure 3: RIG heat map
RIG is currently the top active exploit kit. As Angler and then Neutrino shut down, RIG surged in activity to fill the void in ransomware distribution. In particular, RIG took over distribution of CrypMIC after Neutrino ceased activity in late September.
Figure 4: RIG-v hits, October - November 2016
In mid-September, a new variant of the RIG EK (coined “RIG-v” by Kafeine) began to surface. RIG-v features a different URI scheme, modified landing page obfuscation, and RC4 encryption of the landing page.
Figure 5: RIG-v landing page request
Figure 6: RIG-v landing page
RIG-v has primarily been observed dropping Cerber and CryptFile2 ransomware payloads.
Another RIG variant, RIG-E, launched quietly in August and was also observed. This variant uses the standard RIG URL scheme and, in mid-November, switched to the RC4-encrypted landing page introduced by RIG-v. RIG-E is mainly delivered by the EITest campaign.
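To make the RC4 layer mentioned for RIG-v and RIG-E concrete, here is an added example (not RIG-v’s or RIG-E’s own code): a plain RC4 routine of the kind an analyst uses to recover an RC4-encrypted landing page once the key and ciphertext have been pulled out of the loader script. Where the kit stores the key and how it encodes the ciphertext are not described in this post and are not assumed here; the helper names, the hex transport and the latin1 string handling are choices made for this example.

```javascript
// Added example: generic RC4, not code from RIG-v or RIG-E. The kit's key
// location and ciphertext encoding are unknown here; the helpers below take
// raw bytes or hex so they can be fed whatever the loader actually carries.

function rc4(keyBytes, dataBytes) {
  // Key-scheduling algorithm: permute the 256-byte state under the key.
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
  }
  // Pseudo-random generation: XOR each data byte with one keystream byte.
  // RC4 is a stream cipher, so the same call both encrypts and decrypts.
  const out = new Uint8Array(dataBytes.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < dataBytes.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
    out[k] = dataBytes[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Byte/string helpers (latin1, so every byte value round-trips).
function bytesFromLatin1(s) { return Uint8Array.from(s, (c) => c.charCodeAt(0) & 0xff); }
function latin1FromBytes(b) { return Array.from(b, (x) => String.fromCharCode(x)).join(""); }
function hexFromBytes(b) { return Array.from(b, (x) => x.toString(16).padStart(2, "0")).join(""); }
function bytesFromHex(h) {
  const out = new Uint8Array(h.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(h.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// What a loader might do before embedding the page, and the inverse an
// analyst runs after extracting the key and the hex blob.
function rc4EncryptHex(key, plaintext) {
  return hexFromBytes(rc4(bytesFromLatin1(key), bytesFromLatin1(plaintext)));
}
function rc4DecryptHex(key, hexCipher) {
  return latin1FromBytes(rc4(bytesFromLatin1(key), bytesFromHex(hexCipher)));
}
```

Because the browser has to decrypt the landing page itself, the key is always present somewhere in the delivered script; the RC4 layer is obfuscation against scanners and analysts, not confidentiality, and once the key expression is located the decrypt above yields the real landing page.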
Malware Traffic Analysis provided a recent data dump of standard RIG, RIG-v, and RIG-E chains.
KaiXin has had relatively low activity for the last couple years, though we have observed a recent increase in activity and changes in its chain.
Figure 7: Injected KaiXin script
In our recently observed samples, KaiXin masquerades as a CNZZ statistics tracking script and uses URL encoding to trivially obfuscate the injected script.
Figure 8: Deobfuscated KaiXin script
The KaiXin injected script does not deliver the malicious iframe if the browser’s user-agent indicates an iOS or Android device. It also saves a dictionary in the browser’s local storage holding the current date and the number of times the script has run, and uses it to prevent the exploit chain from executing more than once per day or more than five times in total on the same browser.
Figure 9: Recent KaiXin SWF delivery page
The initial KaiXin landing page, which is not obfuscated, contains logic for handling different browsers (including QQ Browser). Internet Explorer (IE) 10 and 11 are redirected to a SWF delivery page. IE versions older than 10 are redirected to an obfuscated exploit for CVE-2016-0189, a scripting engine memory corruption vulnerability in IE. CVE-2016-0189 was also deployed by the Sundown and Neutrino EKs in July, immediately after proof-of-concept code became available.
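The following is an added illustration of the client-side gating described above for the KaiXin injected script and landing page. It is not the KaiXin script itself: the storage key, the layout of the saved state, the helper names and the sample injection are assumptions made for this example, while the behaviour (skip iOS and Android, at most once per day, at most five runs in total, IE 10/11 to the SWF page, older IE to the CVE-2016-0189 branch) is what the write-up reports.

```javascript
// Added illustration of the gating logic described in the post; not KaiXin's
// code. STORAGE_KEY, the JSON state layout and SAMPLE_ENCODED are assumptions.

const STORAGE_KEY = "cnzz_stat";   // assumed name, in keeping with the CNZZ disguise
const MAX_RUNS_TOTAL = 5;
const MAX_RUNS_PER_DAY = 1;

// Constructed sample of a URL-encoded injection (the real script is not
// reproduced here): it decodes to a single script tag.
const SAMPLE_ENCODED =
  "%3Cscript%20src%3D%22http%3A%2F%2Fexample.invalid%2Fz_stat.js%22%3E%3C%2Fscript%3E";

// First deobfuscation layer: the injected script is only URL-encoded.
function decodeInjected(encoded) {
  return decodeURIComponent(encoded);
}

// Minimal stand-in for window.localStorage so the gate runs outside a browser.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

function isMobile(ua) {
  return /iPhone|iPad|iPod|Android/i.test(ua);
}

// IE major version from the user-agent, or null for non-IE browsers.
// IE <= 10 advertises "MSIE N"; IE 11 only carries "Trident/7.0 ... rv:11.0".
function ieVersion(ua) {
  let m = /MSIE\s+(\d+)/.exec(ua);
  if (m) return parseInt(m[1], 10);
  m = /Trident\/[\d.]+.*?rv:(\d+)/.exec(ua);
  if (m) return parseInt(m[1], 10);
  return null;
}

// Decide whether this visit proceeds to the exploit chain, update the
// per-browser counters, and pick the landing-page branch for the browser.
// `today` (YYYY-MM-DD) is passed in so the day boundary can be exercised.
function gate(ua, storage, today) {
  if (isMobile(ua)) return { run: false, reason: "mobile" };

  const raw = storage.getItem(STORAGE_KEY);
  const state = raw ? JSON.parse(raw) : { date: "", daily: 0, total: 0 };
  if (state.total >= MAX_RUNS_TOTAL) return { run: false, reason: "total-limit" };
  const sameDay = state.date === today;
  if (sameDay && state.daily >= MAX_RUNS_PER_DAY) return { run: false, reason: "daily-limit" };

  const next = { date: today, daily: sameDay ? state.daily + 1 : 1, total: state.total + 1 };
  storage.setItem(STORAGE_KEY, JSON.stringify(next));

  // Landing-page branch: IE 10/11 get the SWF delivery page, older IE the
  // CVE-2016-0189 exploit. The post does not describe the non-IE handling.
  const ie = ieVersion(ua);
  let branch = "other";
  if (ie !== null) branch = ie >= 10 ? "swf" : "cve-2016-0189";
  return { run: true, branch, state: next };
}
```

Two practical consequences follow from this logic. First, a sandbox or crawler that presents a mobile user-agent, or that replays the same compromised page repeatedly with persistent browser storage, will see the injection but never the exploit chain; clearing storage (or using a fresh profile) and a desktop IE user-agent is needed to reproduce the full chain. Second, the per-browser counters are a hint for detection: a benign statistics script has no reason to cap itself at five executions.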
KaiXin is currently delivering adware packages, such as software from Baidu.
Sundown, still a relatively new EK, is gradually becoming more active, particularly with malvertising campaigns. In September, we observed a malvertising campaign in which Sundown was served alongside RIG.
More information on this campaign can be found in our September blog post on malvertising chains.
In mid-October, we also began to observe some variations on typical Sundown exploit chains.
Exploit kits pose a significant threat to users during ordinary web browsing. In the case of ransomware, an infection can leave the user unable to access their files. The techniques exploit kit authors use to hide their activity change frequently, and security researchers work continuously to analyze and block these new threats.
To help avoid infections such as those described in this report, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Zscaler’s ThreatLabZ has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using Zscaler’s Internet security platform.