New super-stealthy exploit kits are becoming a rising threat, especially in browser-based drive-by attacks, according to new research.
Exploit kits, or EKs, are ready-built applications created by cyber-criminals and rented or sold to the highest bidder. Traffic from botnets or malicious ad campaigns is routed through the applications, selecting victims with specific configurations such as outdated browsers with known vulnerabilities to a landing page with the relevant exploit embedded within it. This then executes and installs the operator’s choice of malware on the victim’s machine.
Although Internet Explorer’s market share is dropping rapidly (now around 4.9 percent of the market), the browser is still under active attack, with new EKs being developed, according to data from Malwarebytes.
"Even though the weaponised vulnerabilities remain fairly old, we’ve observed a growing number of exploit kits go for fileless attacks instead of the more traditional method of dropping a payload on disk. This is an interesting trend that makes sample sharing more difficult and possibly increases infection rates by evading some security products", said Jérôme Segura, Malwarebytes malware analyst in a blogpost.
The exploit kits relying on this fileless approach include Magnitude, Underminer, and Purple Fox. Key vulnerabilities for the EKs include Internet Explorer’s CVE-2018-8174 and Flash Player’s CVE-2018-15982, while the older CVE-2018-4878 (Flash) is also used by some EKs, according to the researchers. Adobe has stated that it plans to stop supporting the perennially-attacked Adobe Flash Media Player by the end of 2020.
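The victim filtering described above (routing only clients with an outdated browser or plugin to the exploit page) is also a signal a defender can read the other way: the same User-Agent and plugin traffic that an EK uses to pick targets shows up in the organisation's own web-proxy logs. The script below is an added example, not code from the article or from Malwarebytes; it parses constructed proxy-log lines in an assumed format, flags clients still presenting as Internet Explorer or still fetching Flash content, and groups the results per host so the team can inventory machines that would pass an EK's filter. The log format, the IE version parsing and the `.swf` heuristic are illustrative assumptions.

```python
"""Defender-side exposure check over web-proxy logs (added example).

Exploit kits select victims by client configuration, so any host that still
presents an Internet Explorer User-Agent or still requests Flash content is
exposed to the kits discussed in the article. The log format and detection
rules here are assumptions for illustration, not from the original text.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified proxy-log format (assumed):
# <timestamp> <client_ip> <url> "<user-agent>"
SAMPLE_LOG = """\
2020-03-02T10:15:01Z 10.0.0.12 http://example-ads.test/banner "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2020-03-02T10:15:04Z 10.0.0.15 http://intranet.test/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
2020-03-02T10:16:22Z 10.0.0.12 http://cdn.example.test/loader.swf "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2020-03-02T10:17:00Z 10.0.0.20 http://example-ads.test/banner "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# IE 11 identifies itself via "Trident/7.0; rv:11.0"; older IE uses "MSIE x.y".
MSIE_RE = re.compile(r"MSIE (\d+)\.")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+; rv:(\d+)\.")


@dataclass(frozen=True)
class Finding:
    client_ip: str
    browser: str
    reason: str
    url: str


def ie_version(user_agent):
    """Return the IE major version from a User-Agent string, or None if not IE."""
    m = MSIE_RE.search(user_agent)
    if m:
        return int(m.group(1))
    m = TRIDENT_RE.search(user_agent)
    if m:
        return int(m.group(2))
    return None


def find_legacy_clients(log_text):
    """Scan proxy-log text and return one Finding per exposure indicator seen."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, ip, url, ua = m.groups()
        ver = ie_version(ua)
        if ver is not None:
            findings.append(Finding(ip, f"IE{ver}", "Internet Explorer still in use", url))
        # Heuristic: a request for a .swf object means Flash is still enabled on the client.
        if url.lower().endswith(".swf"):
            browser = f"IE{ver}" if ver is not None else "other"
            findings.append(Finding(ip, browser, "Flash content requested", url))
    return findings


def summarize(findings):
    """Group findings per client so each exposed host appears once with its reasons."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.client_ip, set()).add(f.reason)
    return {ip: sorted(reasons) for ip, reasons in per_host.items()}


if __name__ == "__main__":
    for ip, reasons in summarize(find_legacy_clients(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Run against real proxy exports, the per-host summary is the patch or decommission list: the hosts it names are exactly the ones an EK landing page would serve an exploit to, whatever the malicious ad campaign that brought them there.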
One theory behind the continued activity in a declining market (IE browser share) is that many installs of IE are within tightly-controlled enterprise environments rather than among home users free to choose their favourite browser, making an IE compromise a potentially higher-value target. Whatever the explanation, the threat of EKs remains significant and an ongoing trend.
"In the past quarter, we’ve observed sustained malvertising activity and a diversity of malware payloads served. We can probably expect this trend to continue and perhaps even see new frameworks pop up. Even if it remains remote, we can’t discard the possibility of an exploit kit targeting one of the newer browsers", summarised Segura.