Cybercriminals using the Terror exploit kit have recently started using SSL certificates to help sneak the EK and its malware past cybersecurity staffers.
Malwarebytes Lead Malware Intelligence Analyst Jerome Segura said in a blog that the switch to SSL is part of the Terror EK's constantly changing profile as it attempts to evade detection; however, he noted that Smoke Loader is still the dropper being used.
“Despite no significant advancement with more powerful vulnerabilities being integrated, exploit kit authors are nonetheless still leveraging malvertising as their primary distribution method and attempting to evade detection from the security community, which they monitor closely,” he said.
The switch to SSL started in late August, when the Terror EK users made an attempt at using HTTPS with free SSL certificates, although this could have been a test of some kind, as they sometimes still used HTTP. Segura also pointed out that there were some problems with the validity of these certificates.
Terror is a rare case of an EK using SSL encryption this year, with Astrum EK being the only other case spotted. Another tweak implemented recently in Terror is its use of new and/or abused top-level domains, which differs from the popular RIG EK, which appears to have permanently switched to IP-literal URIs, Segura said.