June 3, 2016
Why Exploit Kits are a Fast-Growing Threat
Exploit Kits (EKs) are a serious cyber threat today, estimated to be responsible for the vast majority of malware infections worldwide. They are currently distributed through both public and underground sources and appeal to a wide range of audiences, from inexperienced hackers to black-hat cybercriminals. The result is a fast-growing online threat that targets holes in the everyday software used by billions of people. Criminals embed their packages of malicious code in everything they can, from shopping sites to news sites. Two of the most common Exploit Kits today are Angler and Nuclear:
- Angler Exploit Kit (EK) – This kit was first identified in 2013 and gained traction because of its use in spreading ransomware, malvertising and even hacktivism campaigns. In an article published by Cisco in 2015, the Angler kit was reported as generating $60M annually from ransomware alone. (Cisco Talos Threat Intelligence)
- Nuclear Exploit Kit – This kit has evolved constantly since it first appeared in 2009. More recently, Locky ransomware has been identified as being delivered via the Nuclear Exploit Kit. Nuclear EK has also been offered under a malware-as-a-service business model.

A typical Exploit Kit infection unfolds in four stages:
- Contact the victim: A victim visits a website whose server has been compromised. Contact can also be made via phishing, where the user receives a link by email and is redirected to the attacker's landing page.
- Redirect to landing page: The victim is redirected through various intermediary servers. This can happen via a phishing email or via malvertising. For web-server compromises, the attack typically uses an iframe that has been inserted into the HTML code of the website. Because such an iframe can be detected by a traditional AV, the bad guys use obfuscation techniques to avoid detection.
- Profile the victim: The victim lands at a rogue server hosting the EK. In this stage, the victim's system is scanned to detect whether the web browser, plugins or OS are vulnerable to exploitation. The attacker can even profile victims selectively, for example targeting users in specific countries who might be more vulnerable.
- Deliver the payload: The Exploit Kit gathers information on the victim and determines which exploit to deliver. If the exploit succeeds, a malicious payload (a custom malware program) is downloaded to the victim's computer and executed. Game Over!
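The redirect stage above relies on an injected iframe that the visitor never sees. The following added example (written for this article, not code from the original post or from any vendor) is a small defensive audit that scans a page's HTML for iframes hidden by tiny dimensions or CSS, and notes when such a frame points at a host other than the page's own. The sample HTML and all host names in it are constructed placeholders, not real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a news page with one legitimate video embed and one
# injected 1x1 hidden iframe. All hosts are placeholders (.test TLD).
SAMPLE_HTML = """<html><body>
<h1>Daily News</h1>
<iframe src="https://video.example-news.test/player" width="640" height="360"></iframe>
<iframe src="http://cdn-stats.example-bad.test/in.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

HIDDEN_STYLES = ("display:none", "visibility:hidden")


class IframeAuditor(HTMLParser):
    """Collect every <iframe> that is hidden from the user and record why."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        hiding = []
        # A 0x0 or 1x1 frame is invisible but still loads the landing page.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                hiding.append(f"{dim}={val}")
        style = a.get("style", "").replace(" ", "").lower()
        if any(s in style for s in HIDDEN_STYLES):
            hiding.append("hidden via CSS")
        if not hiding:
            return  # visible embeds (video players etc.) are not flagged
        # A hidden frame loading a third-party host is the strongest signal.
        src = a.get("src", "")
        src_host = urlparse(src).hostname or ""
        if src_host and src_host != self.page_host:
            hiding.append(f"third-party src {src_host}")
        self.findings.append({"src": src, "reasons": hiding})


def audit_iframes(html, page_host):
    """Return suspicious iframes found in html that was served from page_host."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "www.example-news.test"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Because the visible 640x360 embed is not flagged, the check can run over crawled copies of your own pages without drowning in false positives from ordinary cross-origin embeds.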