There have been interesting developments with exploit kits in the past few months to say the least, with the disappearance of some and the birth of others. However, one thing we noticed is that the new kits aren’t new per se, but rather variants or VIP versions of their predecessors.
Kahu Security recently published a beautiful visual (Wild Wild West – 11/2016) showing past and present crime kits. In this post we take a look at traffic captures collected from our own honeypots and via our telemetry, knowing that this is truly a snapshot at a particular time, as EKs keep on evolving.
RIG-v is the VIP version of the regular RIG EK which started to appear in early September and showed Neutrino-like patterns. RIG-v is distributed via the Afraidgate and pseudoDarkleech campaigns as regularly exposed by Brad on Malware-Traffic-Analysis.net.
RIG-v introduced new, more random URL patterns which could be used to differentiate it from regular RIG, although those were eventually added to some instances of the classic RIG as well (can be seen here). At present, the content of RIG-v's landing page is very distinct from that of its older brother, with its use of Unicode characters.
RIG is the underdog that took over from Neutrino when the latter briefly succeeded Angler from June to September. For the most part in the past couple of months, RIG has dominated the exploit kit landscape thanks to major distribution campaigns from compromised websites and malvertising. Lately, it has taken a step back but is still being pushed in the EITest campaign (as seen here).
Sundown EK is usually quite discreet and mainly focuses on some particular geolocations, hence the surprise one may feel when catching it in the wild. This EK has a habit of stealing code from others and regularly makes tweaks to its URL structure and flow. It also seems that the developers (unsurprisingly) take note of researchers and tweets pointing out some of its failures.
Bizarro Sundown EK
Bizarro Sundown is actually a new exploit kit distributed via the WordsJS campaign, but it would be easy to mistake it for Sundown since they share many of the same features. We only caught a few instances of Bizarro Sundown, perhaps because it is also very geo-targeted and has more limited distribution.
Magnitude was once more prominent and used in various malvertising attacks. Lately it seems to be keeping a lower profile with strong geotargeting while still dropping its usual Cerber ransomware payload. Its gates are interesting to study, in particular for their use of fingerprinting techniques.
Neutrino-v is a variant of the regular Neutrino (the latter disappearing in late September) that we caught in limited malvertising attacks from adult websites. Its gate (not shown here) is very interesting due to its improved obfuscation (anti-debugging) and fingerprinting code.
All of these exploit kits are detected and blocked by Malwarebytes Anti-Exploit.
Many thanks to @hasherezade for payload identification! I would also like to point out the positive work of researchers in the community who regularly share traffic captures (@malware_traffic, @BroadAnalysis, @Oddly_Normal) that have been helpful for so many to practice with and get a better understanding of exploit kits. Also, thanks to @criznash for the informal chats on EKs.