Exploit kits are on the way out, at least that's the message in a recent blog form Digital Shadows which reports that at least four major players in the market have ceased operation since June 2016.
The kits use compromised websites, malicious adverts and social engineering to drive traffic to their landing pages where they seek to exploit vulnerable software.
The blog records those kits that have disappeared, and also explores what it describes as plausible scenarios for exploit kits.
Among those no longer around are:
"The Angler exploit kit which disappeared in June of 2016, believed due to the arrest of the Lurk group in Russia.
In the same month, the Nuclear exploit kit disappeared; the reasons for this were unconfirmed.
The Sundown exploit kit disappeared in April of 2017, following the leak of its source code online.
One method of assessing exploit kit activity is researcher mentions of exploit kit detections on social media and blog sites. Among those kits mentioned and thus that survive, the RIG exploit kit was mentioned most frequently from June suggesting it is the most prominent. Blaze, Magnitude, Rig, Sundown and Terror were also still being deployed in the wild but less prevalent.
The reduced reporting leads Digital Shadows to assess that the threat posed by exploit kits is less overall to what it was in June of 2016, and even the start of 2017,but the threat still remains. “Exploit kits typically rely on out-of-date browsers, or browser plugins, therefore the primary mitigation for this threat is to ensure patches are implemented as soon as possible. In particular, exploit kit authors favour remote code execution exploits,” explains the blog.
The reasons for these disappearances were unconfirmed in most cases, but at least one EK developer was reported to have claimed it was no longer profitable according to the blog. Other reasons cited include law enforcement action or the relatively resource intensive nature of exploit kit operations. The blog notes that running these operations can be laborious, requiring software development of the exploit kit; acquisition of remote code execution exploits for browser-related software; registration of large numbers of domains to host the exploit kits; generation of traffic to the exploit kit landing pages for exploitation. Generating this traffic requires the compromise of websites, use of malicious advertising or use of spam emails.”
In addition, exploit kit operators have had to contend with advert blockers, software updates and blacklists which all degrade the rates of successful exploitation, strengthening the view that exploit kit developers or operators no longer consider them to be profitable – certainly in comparison with the easier phishing or ransomware scams.
Recently developments include seeing actors experimenting with malware propagation within internal networks, shown by the TrickBot and Emotet banking trojans, which represents another method of spreading malware to multiple devices.
While the trend is for decline in exploit kits, the blog considers other scenarios:
“Given a lack of competition one exploit kit might become the most dominant. Large amounts of business going to one kit could allow it to be developed more frequently and for its developers to acquire new exploits.
“Following the disappearance of large exploit kits, new kits could emerge that attempt to fill the market gap.
“Exploit kits could decline overall but still be used in more targeted attacks. The compromise of the Polish Financial Supervision Authority website in February of 2017 involved the use of similar tactics, techniques and procedures to exploit kits.
“Technology to detect and block malicious emails could improve to the point that this distribution method becomes less viable, resulting in a return to exploit kit activity which depends on end point management of software updates or other patch management solutions.”
Consequently, Digital Shadows' blog concludes that exploit kits will almost certainly continue to remain a threat in the immediate future.