Exploit Kit Explosion Will Keep Victims Off Kilter

Exploit kit C&C infrastructure expanded by 75% year-over-year in Q3.

Exploit kit activity is on a massive upswing: figures from a new report out today from Infoblox and IID show that the command-and-control infrastructure behind these kits mushroomed last quarter.

The study shows that the creation of DNS infrastructure for exploit kits jumped by 75% year-over-year in Q3. As a result, the report's authors say that enterprises and users at large should steel themselves for a surge of activity as attackers begin to take advantage of this built-up infrastructure.

The black-market engines of the cybercrime economy, exploit kits offer criminals a turnkey method of propagating malware, exploiting victim machines, and controlling those machines to carry out further attacks such as data theft, distributed denial-of-service attacks, and lateral movement into the networks to which the compromised machines are connected. When exploit kits first came to prominence in 2012 with the explosion of the Blackhole kit, licensing ran for as much as $10,000 per month. But as competition from numerous exploit kit developers has crowded the market, pricing has come down considerably, to anywhere from $30 to $500 per month, according to experts at Trustwave. That small investment, they say, can yield income of over $80,000 per month if criminals use their kits effectively.

The report today showed that four exploit kits in particular drove this increase: Angler, Magnitude, Neutrino, and Nuclear. This year, Angler in particular has stepped into the void left behind by Blackhole after its creators were arrested in October 2013. According to a report from Sophos this summer, Angler at that time accounted for 82% of the exploit kit market.

“The Angler exploit kit is one of the most sophisticated currently used by cybercriminals and leads exploit kit DNS activity for Q3,” Infoblox researchers wrote. “Angler exploit kits are often quickly updated with the latest zero-day vulnerabilities in popular software and use sophisticated obfuscation techniques, making it difficult for traditional antivirus technologies to detect.”

For example, the report says that Cryptowall 3.0 owes much of its success to Angler, which has been widely used to deliver that ransomware.

According to Infoblox, exploit activity tends to track along a predictable cycle.

“Cybercriminals usually go through a cycle of ‘planting’ and ‘harvesting’ when it comes to malicious infrastructure. During the planting phase, there is a significant rise in the number of malicious domains created for malware and exploit kits,” the report explains. “Once this phase ends, the attackers begin to harvest the extensive infrastructure they have built to launch attacks, steal data, and generally cause harm to their victims.”

If these patterns hold, expect to see a ramp-up in attacks launched through exploit kits in the coming months, as attackers harvest the infrastructure they built up in Q3.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.