Exploit kits were developed as a way to automatically and silently exploit vulnerabilities on victims’ machines while browsing the web. Due to their highly automated nature, exploit kits have become one of the most popular methods of mass malware or remote access tool (RAT) distribution by criminal groups, lowering the barrier to entry for attackers. Exploit kits are also effective at generating profit for malicious actors. Creators of exploit kits offer these campaigns for rent on underground criminal markets in the form of exploit kits as a service, where the price for leading kits can reach thousands of dollars per month.
Attackers utilize exploit kits with the end goal of establishing control of a device in an automated and simplified manner. Within an exploit kit, a series of events must occur for the infection to be successful. Starting with a landing page, to the execution of an exploit, and to the delivery of a payload, each stage must be successfully completed in order for the attacker to gain control of the host.
Related Video
Why Do Phishing and Other Web-Based Attacks Still Succeed?
Exploit kits start with a website that has been compromised. The compromised page will discreetly divert web traffic to another landing page. Within the landing page is code that will profile the victim’s device for any vulnerable browser-based applications. If the device is fully patched and up-to-date, the exploit kit traffic will cease. If there are any vulnerabilities, the compromised website discreetly diverts network traffic to the exploit.
The exploit uses a vulnerable application to secretly run malware on a host. Targeted applications include Adobe® Flash® Player; Java® Runtime Environment; Microsoft® Silverlight®, whose exploit is a file; and the web browser, whose exploit is sent as code within web traffic.
If and when an exploit is successful, the exploit kit sends a payload to infect the host. The payload can be a file downloader that retrieves other malware or the intended malware itself. With more sophisticated exploit kits, the payload is sent as an encrypted binary over the network, which, once on the victim’s host, is decrypted and executed. While the most common payload is ransomware, there are many others, including botnet malware, information stealers and banking Trojans.
A recent example of this is the utilization of the Neutrino exploit kit to deliver Locky ransomware in the Afraidgate campaign. Pages from the compromised site contain an injected script that redirects visitors to the Afraidgate domain. Once connected to the compromised URL, the server returns more JavaScript with an iframe, leading to a Neutrino exploit kit landing page. If the exploit of the vulnerability with JavaScript is successful, the Locky ransomware payload will be delivered, and the host system will lock out the user and give control to the attacker.
With exploit kits becoming the go-to tool for attackers of varying skill sets and objectives, it is imperative that your systems are able to protect against these attacks. This can be achieved through reducing the attack surface, blocking known malware and exploits, and quickly identifying and stopping new threats. The Palo Alto Networks Next Generation Platform proactively blocks known threats while using static and dynamic analysis techniques to identify unknown threats. Any unknown files, emails and links are analyzed in a scalable sandbox environment to determine if they are malicious or benign. If a file is determined to be malicious, protections are created automatically and delivered across all technologies within the platform for full protection, preventing exploit kits from progressing further throughout their lifecycle.
To learn more about exploit kits and protecting your organization from successful exploit kit campaigns, read the white paper Exploit Kits: Getting In by Any Means Necessary.