In past years, we’ve seen a massive increase in the use of exploit kits. No website is too large to withstand the many powerful kits, with the Mail Online famously falling victim to a malvertising campaign that left millions of readers exposed to Cryptowall ransomware.
But perhaps the most concerning aspect of exploit kits is their ease of use. The main purpose of these ‘toolkits for hire’ is to lower the technical bar for delivering malware campaigns, by removing the need for an attacker to know how to create or deliver the exploit itself in order to infect organisations’ systems. Indeed, many kits now even come with a user-friendly interface, enabling criminals to manage and monitor their malware throughout the campaign.
Payloads from exploit kits have previously included all sorts of malware, from advertising click-fraud malware and banking malware to ransomware, as the payload varies according to the kit user’s specification. Given how easily an attack can be tailored and how user-friendly the kits are, it is unsurprising that exploit kits have become a weapon of choice for many less technically skilled cybercriminals.
Core components of user-friendly malware
Generally, an exploit kit’s infrastructure comprises three components: the back end, which contains the control panel and payloads; the middle layer, which hosts the exploit and drills a tunnel into the back end server; and finally the proxy layer, which delivers the exploit directly to its victim.
The infection / exploitation chain is also broadly similar across different exploit kits:
1. Victim visits the website, which is either fully or partially under control of the attacker.
2. Victim is then redirected through numerous intermediary servers.
3. Unknowingly, the victim lands on the server hosting the exploit kit.
4. The exploit kit then tries to install itself by exploiting vulnerable software found on the victim’s server.
5. If it achieves installation, the malicious payload is delivered.
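The redirect chain in steps 1 to 3 leaves a trace in ordinary web-proxy logs: each hop carries the previous hop as its Referer. The following script is an added example (not Infoblox code or part of the original article) that reconstructs per-client redirect chains from a constructed proxy log and flags chains that bounce through several distinct hosts via HTTP redirects before landing somewhere. All log lines, client addresses and hostnames are made up for illustration; the `.test` names are placeholders, not real indicators.

```python
"""Reconstruct client redirect chains from web-proxy log lines and flag long hop sequences."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: "<ts> <client> <status> <url> <referer>" ("-" = no Referer).
# Every value here is invented for the example; none are real indicators.
SAMPLE_LOG = """\
1 10.0.0.5 200 http://news.example/article1 -
2 10.0.0.5 302 http://ads.example-net.test/serve?id=9 http://news.example/article1
3 10.0.0.5 302 http://tds-one.test/go http://ads.example-net.test/serve?id=9
4 10.0.0.5 302 http://tds-two.test/r http://tds-one.test/go
5 10.0.0.5 200 http://landing.shadow-host.test/index.php http://tds-two.test/r
6 10.0.0.5 200 http://landing.shadow-host.test/payload.swf http://landing.shadow-host.test/index.php
1 10.0.0.7 200 http://news.example/article2 -
2 10.0.0.7 302 http://cdn.example/img http://news.example/article2
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer = line.split()
        records.append({
            "ts": int(ts), "client": client, "status": int(status),
            "url": url, "referer": None if referer == "-" else referer,
        })
    return records


def build_chains(records):
    """Return {client: [chain, ...]}; each chain is a list of records, first hop first.

    A chain is built by walking Referer pointers backwards from every 'leaf' request
    (a URL that no later request cites as its Referer) until a request with no Referer.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    chains = {}
    for client, recs in by_client.items():
        by_url = {r["url"]: r for r in recs}            # last request seen for each URL
        referred = {r["referer"] for r in recs if r["referer"]}
        leaves = [r for r in recs if r["url"] not in referred]
        client_chains = []
        for leaf in leaves:
            chain, seen, cur = [], set(), leaf
            while cur is not None and cur["url"] not in seen:  # 'seen' guards against loops
                seen.add(cur["url"])
                chain.append(cur)
                cur = by_url.get(cur["referer"]) if cur["referer"] else None
            chain.reverse()
            client_chains.append(chain)
        chains[client] = client_chains
    return chains


def host_of(url):
    return urlparse(url).hostname or ""


def suspicious_chains(records, min_hosts=4, min_redirects=2):
    """Flag chains that cross at least min_hosts distinct hosts with at least min_redirects 3xx hops.

    Thresholds are assumptions for the example; tune them against your own traffic.
    """
    findings = []
    for client, chains in build_chains(records).items():
        for chain in chains:
            hosts = []
            for r in chain:                              # collapse consecutive same-host hops
                if not hosts or hosts[-1] != host_of(r["url"]):
                    hosts.append(host_of(r["url"]))
            redirects = sum(1 for r in chain if 300 <= r["status"] < 400)
            if len(set(hosts)) >= min_hosts and redirects >= min_redirects:
                findings.append({"client": client, "hosts": hosts, "redirects": redirects})
    return findings


if __name__ == "__main__":
    for f in suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f["client"], "->", " > ".join(f["hosts"]), f"({f['redirects']} redirects)")
```

On the sample data the first client is flagged (news site, ad network, two traffic-distribution hops, landing page) while the second client’s single hop to a CDN is not. Referer headers can be stripped or spoofed, so treat this as a triage signal to correlate with DNS and endpoint telemetry rather than a verdict on its own.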
Where the kits largely differ is in the types of vulnerabilities exploited to infect visitors and the different tricks used to circumvent antivirus defences.
The rise in mobile as a target
While traditionally exploit kits have predominantly been used to target computers, mobile devices are becoming an increasingly popular target because so many people now use them for browsing the web, email, social media and even banking. And with most users unaware of the best practice for adequately securing their mobile device, they are essentially a much easier target.
It is expected that attackers will gradually shift to delivering mobile malware using web pages on a mobile browser. This is essentially the same approach as most infections on computers.
Whether successfully delivered to a computer or mobile device, the payload can now operate behind the company’s or individual’s firewalls. From this point, the malware can spread across other devices and connect with its command-and-control (C&C) server over the Internet, which then enables it to exfiltrate data or download more malicious software. This communication between the C&C server and the infected device often relies on the target’s DNS.
Know your enemy
While not all exploits are the same, there are a couple that you are more likely to come across. Indeed, the Infoblox DNS Threat Index found that Angler accounted for 56 percent of newly observed exploit kit activity in Q4 2015, while RIG accounted for 20 percent. So what are they and what do they do?
The Angler exploit kit is one of the most sophisticated currently used by cybercriminals. Notorious for having pioneered the “domain shadowing” technique, Angler is able to circumvent reputation-based blocking strategies and insert malicious URLs into legitimate ad networks. These then redirect website visitors who click on the infected ad’s links to other sites that deliver malware.
These kits tend to be updated with the latest zero-day vulnerabilities uncovered in popular software, such as Adobe Flash or WordPress. Coupled with its use of sophisticated obfuscation techniques, this makes Angler particularly difficult for traditional antivirus solutions to detect.
With its constant evolution, organisations must invest in protection technologies that not only block one component of the Angler exploit, but are also able to identify and disrupt malicious activity over the entire kill chain.
While an older design, the RIG exploit kit has made a recent comeback. This highlights how past threats can reappear under a new guise as the kits are updated. Infoblox’s analysis of RIG activity during 2015 found that it began to use domain shadowing techniques, like those spearheaded by Angler, in order to circumvent reputation-based blocking strategies.
While often deployed in malvertising campaigns, Heimdal Security also recently discovered that RIG is being used for Google SEO poisoning, where search engine optimisation tactics are abused to promote malicious websites.
With their different guises and techniques, exploit kits are giving criminals who lack technical skills the opportunity to profit from online crime. To protect themselves from this ever-increasing threat, organisations must plug into a reliable threat intelligence source, then apply that intelligence to break malware communications at the protocols within their own infrastructure, such as DNS.