A new exploit kit is evolving at pace, adding more exploits, and becoming more discerning, according to security researchers.
According to a blog post, researchers at Talos recently identified a new exploit kit they named Terror. The malware has come to the fore just as other kits, such as Angler, have largely disappeared.
Researchers Holger Unterbrink and Emmanuel Tacheau said that the malware appeared last year carpet-bombing victims with many exploits at the same time, regardless of whether an exploit matched the victim's browser environment. They added that the malware has greatly improved since then.
The researchers found a potentially compromised legitimate web site acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later.
“This may indicate how these campaigns collaborate and share resources, or possibly one campaign pirating another. Terror seems to constantly [be] evolving,” said the researchers.
They added that during the present campaign, further exploits have been added and the malware no longer carpet-bombs victims. Instead it evaluates data regarding the victim's environment and then picks potentially successful exploits depending on the victim's operating system, patch level, browser version and installed plugins. “This makes it harder for an investigator to fully uncover which exploits they have,” they said.
The researchers noted that the attackers name the vulnerability they are about to exploit in a clear-text URL parameter, e.g. CVE-2013-2551 appears as cve20132551 in the URL.
The malware also uses cookie-based authentication in its attack chain. “This prevents anyone from downloading the exploits directly. Someone who did not follow the full attack chain may be a competitive cyber-criminal who is trying to steal the exploits or a forensic investigator who is trying to see from where and how the victim was infected,” researchers said.
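Because the kit names its CVE in the query string, that string is a cheap thing to hunt for in outbound proxy logs. The following is an added example written for this article, not code from Talos or from the kit; it assumes a constructed log format of `timestamp client method url status` and uses only sample lines made up here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Clear-text parameter shape reported by the researchers: the key is "cve"
# followed by the CVE year and number with the hyphens stripped, so
# CVE-2013-2551 shows up as cve20132551 in the query string.
CVE_PARAM = re.compile(r"^cve(\d{4})(\d{4,})$", re.IGNORECASE)

def extract_cve_params(url):
    """Return the CVE ids that a URL's query string names in clear text,
    normalised back to the CVE-YYYY-NNNN form."""
    found = []
    for key, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = CVE_PARAM.match(key)
        if m:
            found.append(f"CVE-{m.group(1)}-{m.group(2)}")
    return found

def scan_proxy_log(lines):
    """Return one hit per log line whose requested URL carries a CVE-named
    parameter; the log format (timestamp client method url status) is an
    assumption made for this example."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than crash the scan
        timestamp, client, _method, url = fields[:4]
        cves = extract_cve_params(url)
        if cves:
            hits.append({"time": timestamp, "client": client, "url": url, "cves": cves})
    return hits

# Constructed sample lines; hosts and addresses are placeholders, not real IoCs.
SAMPLE_LOG = [
    "2017-05-10T09:12:01Z 10.0.0.14 GET http://gate.example.test/landing?cve20132551=cve20132551&id=7 200",
    "2017-05-10T09:12:03Z 10.0.0.14 GET http://gate.example.test/assets/jquery.js 200",
    "2017-05-10T09:13:44Z 10.0.0.22 GET http://shop.example.test/search?q=cve20132551 200",
    "2017-05-10T09:14:10Z 10.0.0.31 GET http://gate.example.test/landing?CVE20132551=cve20132551 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["cves"], hit["url"])
```

Only a parameter *name* of that shape is flagged; the third sample line, where the string is merely a search term value, is deliberately left alone to keep the check from firing on ordinary traffic.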
Andy Norton, risk officer EMEA at SentinelOne, told SC Media UK that when endpoint targeting is a function of the exploit kit, beyond patching, “the only real protection is exploit mitigation features that are deployed directly on the endpoint; sandboxes used to be a valid method, but now, they are often dissimilar from the real endpoint environment and therefore create lots of false alarms or miss detection completely.”
“With advanced exploit kits, it is important to move more defences to the actual endpoint, which is the focus of the attack. New levels in attack sophistication require new levels of protection. Victim profiling combined with file-less payloads necessitates a whole new thinking process about what is required to protect the endpoint,” he said.
Liviu Arsene, senior E-Threat analyst at Bitdefender, told SC Media UK that organisations can start by deploying sandboxes at the mail server level to mitigate any potential fallout from malicious attachments.
“Performing constant security updates and installing patches for both operating systems and running applications is vital, as it prevents attackers from exploiting known vulnerabilities. It's also recommended that organisations deploy a security solution that has the ability to scan URLs so that users don't accidentally land on malicious websites serving exploit kits,” he said.