This is the eighth in a series of blogs by the Zscaler ThreatLabZ research team collecting and analyzing the recent activity of the top exploit kits. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers and deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. What follows are highlights from the EK activity we observed during the last quarter.
RIG EK has been the most active exploit kit, but its activity has decreased in comparison with previous quarters. We can see minimal RIG EK activity in the month of January, but it picked up again in the second half of April. We are seeing different payloads delivered by RIG this quarter, and they varied from ransomware and banking Trojans to crypto mining software—as opposed to its more typical payload of Cerber ransomware. Below we can see the hits for RIG EK activity.
Fig 1: RIG EK Hits from 1st Jan 2018 to 30th April 2018.
The geographical distribution of the hits is shown below.
Fig 2: RIG EK Heat Map showing infected regions.
Most infection attempts are seen in the United States, Spain, and Switzerland this quarter, while last quarter, activity was only observed in the United States and Russia.
The most common RIG EK redirects were observed from illegal streaming websites, which provide users with free, live sports feeds. The malvertising on these websites fingerprints a user's machine, as per the attacker's configuration on the Traffic Distribution Systems; the most recently active one is Black TDS. An example of such a streaming domain is nba-stream[.]online, which sends users to malvertising domains like www.ligtv-izle[.]net/ads/ad2.html. The RIG EK cycle that follows is shown below.
Fig 3: RIG EK Infection cycle.
There were common patterns observed in the RIG EK landing page URLs, which would change on weekly basis, but the landing page content has remained mostly unchanged.
Fig 4: RIG EK landing page URLs with common parameters.
The obfuscated RIG EK landing page is shown below.
Fig 5: RIG EK Obfuscated landing page.
One significant change is the inclusion of the CVE-2018-4878 Adobe Flash vulnerability, which affects Adobe Flash Version 220.127.116.11 and earlier versions.
When we open the downloaded Flash file using a decompiler, we found the section of the pointer to the listener object, which is responsible for this vulnerability. This is highlighted in the image below.
Fig 6: RIG EK Flash with CVE-2018-4878
Fig 7: RIG EK Flash with CVE-2018-4878
We saw the RIG EK downloading GandCrab ransomware instead of the usual Cerber ransomware. Other payloads we saw included cryptocurrency miners, along with Trojans like Bunitu and Ramnit.
The GrandSoft EK activity hits are shown below.
Fig 8: Grandsoft EK Hits from 1st Jan 2018 to 30th April 2018
The geographical distribution of the hits can be seen below.
Fig 9: Grandsoft EK Heat map showing infected regions.
GrandSoft EK redirects were seen from malvertising chains and the hits are distributed globally. The EK does not seem to be targeting any specific geographic region.
The GrandSoft EK cycle can be seen below.
Fig 10: Grandsoft EK cycle
Fig 12: Grandsoft EK Landing page redirect
The landing page snippet with the CVE-2016-0189 code is shown below.
Fig 13: Grandsoft EK Landing page with CVE-2016-0189
The payload seen in this cycle was GandCrab ransomware; this can be seen in the temp directory of the infected machine.
Fig 14: Grandsoft EK downloads GandCrab ransomware to the victim machine.
Magnitude EK activity was observed this quarter, but it was targeted in South Korea. The EKs that were showing reduced activity in the last quarter, such as Terror EK, Disdain EK, and Kaixin EK, are no longer showing any activity.
Exploit kits are effective, as they can infect a victim's machine during web browsing without the user's knowledge. The attackers monetize the successful infections by collecting a ransom for retrieving data encrypted by ransomware, mining cryptocurrencies using the victim's system resources, or installing banking Trojans to steal a victim's identity. Attackers frequently change their techniques by obfuscating the source code or integrating new exploit code into their EK, and security researchers analyze and block the new threats by tracking changes in the EK behavior.
To help avoid infections from exploit kits, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Keeping the browser plugins and web browsers up to date with latest patches helps to protect against common vulnerabilities targeted by exploit kits. The Zscaler ThreatLabZ research team has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using the Zscaler cloud security platform.