This is the sixth installment in a series of blogs highlighting the recent activity of the top exploit kits. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. EK authors offer their services for sale, distributing malware for other malicious actors.
In this blog, we will be looking at the most active EKs, including RIG, Magnitude, Terror, and the newest arrival – Disdain.
You can read our roundup from spring 2017 here.
RIG Exploit Kit
RIG remains the most consistently active exploit kit, distributed over several simultaneous campaigns to install ransomware, banking Trojans, and cryptocurrency mining software on vulnerable systems. In the latter part of spring, we saw a small decline in RIG activity; however, since then, we observed generally steady RIG traffic, with the exception of small spikes in June and August.
Figure 1: RIG hits, June 2017 – August 2017
Figure 2: RIG heat map, June 2017 – August 2017
The distribution of RIG hosts remains somewhat similar to previous reports, although the activity we observed in Southeast Asia and South America earlier this year was absent this quarter.
In addition, the last three months show an increase in the RIG presence in India, as well as a lack of activity in eastern Europe and Russia, a region that usually serves a significant portion of RIG hosts.
For a long time, the structure of most RIG campaigns was mostly static and unchanging, making it trivial for researchers to track and guard against the exploit kit. However, over the last year, many modifications were introduced to the EK, along with frequent changes to its URI scheme.
Figure 3: RIG EK cycle
This instance of a currently active RIG campaign (part of a newer iteration of the “Seamless” campaign that began earlier this year) shows an example of a recent URI structure for the EK. The campaign uses the URI parameters “warm”, “sea”, and “gifts” in transactions with the landing page host, as well the pattern “/signu[1-4].php” for its redirection page.
Figure 4: RIG EK redirect page
Recent RIG campaigns have been observed dropping Cerber, GlobeImposter, and Princess ransomware families. These campaigns have been using the CVE-2015-8651 and CVE-2015-5122 Adobe Flash exploits, as well as the scripting engine memory corruption vulnerability exploit CVE-2016-0189.
Magnitude Exploit Kit
The Magnitude EK is one of the longest-running exploit kits, first launched in 2013. This exploit kit has seen much lower volume activity in recent years, compared to RIG, Angler, and Neutrino (when the latter two were active).
Magnitude has primarily targeted Southeast Asian countries through malvertising campaigns, such as in the following recently observed cycle.
Figure 5: Magnitude EK cycle
This campaign has several marked differences from campaigns we described in our previous roundup. This activity shows the campaign managers utilizing the RemarketingPixel advertising network to derive statistics of the infection attempts. The tracking network provides the attackers insight into demographics and the effectiveness of their campaign.
The landing pages in this campaign use various fake file extensions for the scripts and malware payloads, such as .bmp, .sct, etc. This Magnitude campaign was also missing the Adobe Flash fingerprinting scripts we saw in the spring campaigns.
The common CVE-2016-0189 exploit was used to infect vulnerable systems with Cerber ransomware.
Below is an example of a recent Magnitude campaign landing page:
Figure 6: Magnitude EK redirect script
This redirects to a fingerprinting script:
Figure 7: Magnitude EK Kaspersky fingerprinting script
This script attempts to check for the creation of an ActiveX object for the Kaspersky Virtual Keyboard plugin. If the check fails, the exploit chain continues and the victim is redirected to a page that serves the CVE-2016-0189 exploit and infected with Cerber ransomware.
Figure 8: System infected with Cerber
Terror Exploit Kit
The Terror EK is a newer exploit kit we began tracking in late 2016. This kit was formed as an amalgamation of several active exploit kits, particularly using code and exploits taken directly from the Sundown EK. Initially, Terror was relatively unsophisticated and was primarily used to drop ccminer, a cryptocurrency mining package, on exploited systems.
Over the last two quarters, Terror has undergone changes. This spring, Terror introduced a number of host and version fingerprinting scripts and began dropping various malware payloads (Tofsee, Andromeda/Gamarue, Smoke Loader) in addition to ccminer. More recently, Terror introduced the use of CVE-2017-0059, an Internet Explorer exploit affecting versions 9 through 11, and CVE-2017-0037, an exploit affecting Internet Explorer 10 and 11, and Microsoft Edge,
Terror activity dropped off significantly during the spring of 2017, but the exploit kit has remained active.
The code for exploits CVE-2017-0059 and CVE-2017-0037 can be easily identified in Terror EK by their similarity to the proof-of-concept code posted to Google Project Zero’s bug tracker:
Figure 9: CVE-2017-0059 POC
Figure 10: CVE-2017-0059 in Terror EK
Figure 11: CVE-2017-0037 POC
Figure 12: CVE 2017-0037 in Terror EK
Disdain Exploit Kit
The Disdain EK is a brand-new exploit kit that first appeared in early August. It shares code with Terror EK and uses the same URL pattern, but has many distinct features.
The Disdain campaign we’ve observed is delivered via a gate that is also distributing the RIG EK. Many of the gate domains in this campaign use the format “campngay##” with a two-character top-level domain. The referrers to the malicious gates were from malvertising networks and unauthorized movie streaming sites.
Figure 13: Hits for “campngay” campaign, August 2017
Disdain has been observed using the exploits CVE-2013-2551, CVE-2015-2419, CVE2016-0189, and CVE-2017-0059.
Trend Micro has published an analysis of Disdain EK here.
Exploit kits pose a significant threat to users during simple web browsing. In the case of ransomware infections, the result could be the inability of a user to access their files. The techniques exploit kit authors use to hide their activities are frequently changing, and security researchers work hard to analyze and block these new threats.
To help avoid infections such as these, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Zscaler’s ThreatLabZ has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using the Zscaler’s Internet security platform.