This is the seventh in a series of blogs collecting the recent activity of the current top exploit kits. Exploit kits are rapidly deployable software packages designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. Authors of exploit kits offer their services for sale, distributing malware for other malicious actors.
Find our previous roundup here.
RIG EK has maintained its position as the most active exploit kit, but overall volume of RIG traffic was down over the fall quarter. In November, RIG activity declined significantly, and this trend continues throughout December. RIG continues to install ransomware, banking trojans, and cryptocurrency mining software on vulnerable systems.
Figure 1: RIG hits, September 2017 – December 2017
Figure 2: RIG Heat Map
Though still consistently active, the volume of RIG activity dropped significantly in November 2017. Global distribution of RIG activity has also changed since our last roundup. For the last quarter, virtually all observed RIG traffic has been within the United States, Russia, and Japan. This was unexpected, as previous analyses had shown an appreciable amount of activity in Europe, the rest of the Americas, and Southeast Asia.
Of the several concurrent RIG campaigns this year, the “Seamless” campaign has garnered the most interest. In our Summer 2017 EK Roundup, we covered some of the details of the Seamless campaign, which began early in 2017. This campaign is primarily responsible for infecting victims with the Ramnit banking infostealer.
While most of the changes to RIG EK this year have been relatively insignificant, such as the constant variation of URI variable names in transactions with the exploit kit landing page, a recent use of “Punycode” URLs caught the interest of many researchers. Punycode is the encoding used for internationalized domain names (IDNs): a Unicode domain label is converted into an ASCII string carrying the xn-- prefix so that it can be used in DNS, and browsers decode it back for display. Punycode received a significant amount of attention this year for its use in numerous phishing attacks, where attackers register domains whose decoded form is visually similar to a trusted website, a technique called an “IDN homograph attack”. Punycode was previously used by the Blackhole exploit kit in 2013 as part of an email spam campaign.
Figure 3: Observed RIG infection attempts using Punycode URLs
This campaign uses the Punycode hostname xn--80af6acah5f[.]xn--p1acf, which decodes to the Unicode domain рогаоыо[.]рус, displayed in Cyrillic characters. Other variations of this hostname have been observed, including one detailed by Jérôme Segura.
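As an added illustration (example code written for this roundup, not tooling from the RIG operators or from Zscaler), the following Python decodes defanged Punycode hostnames from a threat report and flags the classic homograph pattern, a label that mixes Unicode scripts. It runs on the RIG host above plus two constructed controls: xn--pple-43d[.]com, a look-alike built from a Cyrillic “а” followed by Latin “pple”, and a plain ASCII name. The all-Cyrillic RIG label is not impersonating an ASCII brand, but it still evades URL matching that only looks at the decoded form or only at the A-label, which is why both forms are returned.

```python
"""Decode Punycode (A-label) hostnames and flag IDN homograph candidates.

Added example; the sample hostnames other than the RIG one are constructed.
"""
import unicodedata

# Indicators as written in threat reports, with "[.]" defanging.
SAMPLE_HOSTS = [
    "xn--80af6acah5f[.]xn--p1acf",  # observed RIG Punycode host
    "xn--pple-43d[.]com",           # constructed: Cyrillic 'а' + Latin "pple"
    "example[.]com",                # constructed: plain ASCII control
]


def refang(host: str) -> str:
    """Turn report-style 'a[.]b' notation back into a real hostname."""
    return host.replace("[.]", ".").lower()


def decode_label(label: str) -> str:
    """Decode one DNS label: xn-- labels are Punycode, anything else passes through."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Coarse script bucket taken from the Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_hostname(host: str) -> dict:
    """Decode a (possibly defanged) hostname and report per-label script mixing."""
    labels = refang(host).split(".")
    decoded = [decode_label(label) for label in labels]
    per_label = []
    for a_label, u_label in zip(labels, decoded):
        # Only letters decide the script; digits and hyphens are script-neutral.
        scripts = {script_of(c) for c in u_label if c.isalpha()}
        per_label.append({
            "ascii": a_label,
            "unicode": u_label,
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
        })
    return {
        "decoded": ".".join(decoded),
        "is_idn": any(label.startswith("xn--") for label in labels),
        "mixed_script": any(p["mixed_script"] for p in per_label),
        "labels": per_label,
    }


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = analyze_hostname(h)
        verdict = "MIXED-SCRIPT HOMOGRAPH" if r["mixed_script"] else (
            "IDN (single script)" if r["is_idn"] else "ASCII")
        print(f"{h:32} -> {r['decoded']:16} {verdict}")
```

Blocklists and detection signatures should carry both the A-label (what appears on the wire and in proxy logs) and the decoded U-label (what the user sees), since a match on only one of them misses the other representation.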
Cryptocurrency mining payloads delivered by exploit kits are becoming increasingly common. These coin-mining packages typically mine alternative cryptocurrencies such as Monero, which have a greater emphasis on privacy and anonymity than Bitcoin. This aids the malicious actors profiting from the cryptocurrency mining in evading tracking by law enforcement agencies.
Earlier this fall we observed a one-off RIG campaign that used a different malicious redirect structure than the common RIG campaigns to deliver the exploit kit. This campaign infected victims with the Dofoil Trojan, which then installed the malicious BitCoinMiner cryptocurrency mining tool.
Figure 4: RIG redirect
Figure 5: RIG cycle
After the coin mining software is installed, it attempts to connect to 21072206[.]ru to begin mining.
Terror EK is a more recent exploit kit discovered in late 2016. This kit was formed as an amalgamation of several active exploit kits, particularly using code and exploits taken directly from Sundown EK. Initially, Terror was relatively unsophisticated and was primarily used to infect victims with cryptocurrency mining packages, but has since undergone a number of upgrades.
Terror has been relatively active over the last quarter. Since our last roundup, we have observed several changes in the EK infrastructure and fingerprinting mechanisms.
The majority of detected Terror EK cycles were delivered via malvertising campaigns using the Propeller Ads network. Below are a few of the domains that were seen redirecting users to the Terror EK landing pages:
Users were being redirected from a few known pirate video streaming and online gaming sites, seen below:
One of the changes we saw compared to the start of the year is the use of encoding in the Flash exploits served by the kit. We covered these changes in detail in our previous blog on Terror EK.
The previous EK cycle can be seen below:
Figure 6: Terror EK cycle
Terror EK has begun using HTTPS instead of HTTP on its landing pages.
Figure 7: HTTPS connection to a Terror EK Landing Page
Terror applies heavy fingerprinting in its ad redirects to evade detection, sending users to the landing page only when they meet specific targeting conditions. Users who do not meet the requirements are commonly redirected instead to fake Flash Player downloads, free online gaming sites, or shopping portals.
The most recent Terror campaigns were seen using the ever-popular CVE-2016-0189 Internet Explorer exploit.
Magnitude EK is one of the longest-running exploit kits, first launched in 2013. This exploit kit has seen much lower volume activity in recent years, compared to RIG, Angler, and Neutrino (when the latter two were active). Significant changes in Magnitude campaigns are infrequent.
In our last roundup, we noted that Magnitude EK was primarily targeting Southeast Asian countries with malvertising campaigns. This trend continued through the fall quarter, with an increased presence of Magnitude activity specifically targeting South Korea.
Disdain EK is a brand new exploit kit that first appeared in early August. It shares code with Terror EK and uses the same URL pattern, but has many other distinct features. Disdain is currently operating at very low activity, but has been observed distributing the Kasidet infostealer. Malwarebytes has detailed Disdain’s use alongside a “Fake Flash Player” social engineering attack.
Exploit kits pose a significant threat to users during simple web browsing. In the case of ransomware infections, the result could be the inability of a user to access his or her files. The techniques exploit kit authors use to hide their activities are frequently changing, and security researchers work hard to analyze and block these new threats.
To help avoid infections such as these, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Zscaler’s ThreatLabZ has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using Zscaler’s Internet security platform.