The use of exploit kits by hackers seems to be waning. This decline has been attributed to arrests, prison sentences, and service disruptions caused by law enforcement working in partnership with security firms. This is most certainly good news, but it does not mean their use is completely extinct. Security researchers at FireEye have discovered a new exploit kit being used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.
An exploit kit is essentially a type of “toolkit” used by hackers to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Exploit kits are often packaged with exploits that target commonly installed software such as Adobe Flash, Java, and many others. A typical exploit kit can include a management console, a set of exploits for vulnerabilities in different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.
Dubbed Fallout by researchers, the new exploit kit has been targeting users in Japan with the SmokeLoader trojan. It has also been observed delivering the GandCrab ransomware in the Middle East. Before dropping the payload, however, the exploit kit fingerprints the browser profile to identify targets of interest. As with many trojans, SmokeLoader is primarily used as a downloader to drop and execute additional malware such as ransomware or cryptocurrency miners. GandCrab operates like most other ransomware variants, encrypting user files and then demanding a ransom for decrypting those files. GandCrab does have an interesting feature that sets it apart from many other ransomware variants: it is able to encrypt files on machines that are not connected to the Internet, because it does not need to contact a server before encryption.
In Fallout’s basic operation, targeted users are redirected from a legitimate advertiser page to the exploit kit landing page URL via multiple 302 redirects, according to the article published by FireEye. The exploit kit then detects the target’s browser and operating system in order to determine the next course of action. Depending on those variables, the attack either delivers the exploit kit directly or attempts to reroute the victim to other social engineering campaigns. macOS users in the United States, for example, are redirected to social engineering attempts posing as either anti-virus software or Flash updates.
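The redirect behaviour described above is something a defender can look for in proxy logs. The following is an added example, not code from FireEye or from the article: it reconstructs per-client redirect chains by linking each 302 response to the same client’s next request for the Location URL, then flags long chains in which every hop crosses a domain boundary. The log line layout and the sample lines are constructed for the example, not a real proxy format.

```python
"""Added example (not from the FireEye write-up): reconstruct 302 redirect chains
per client from proxy log lines and flag long, multi-domain chains of the kind
described above (ad page -> several redirectors -> landing page)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log. The field layout is an assumption, not a real proxy format:
# <epoch> <client_ip> <status> <method> <url> <Location header or "-">
SAMPLE_LOG = """\
1536000000.101 10.0.0.5 200 GET http://news.example/article -
1536000000.250 10.0.0.5 302 GET http://ads.example/click?id=1 http://track1.example/r
1536000000.310 10.0.0.5 302 GET http://track1.example/r http://track2.example/go
1536000000.380 10.0.0.5 302 GET http://track2.example/go http://land.example/index.html
1536000000.450 10.0.0.5 200 GET http://land.example/index.html -
1536000001.000 10.0.0.7 302 GET http://ads.example/click?id=2 http://shop.example/deal
1536000001.100 10.0.0.7 200 GET http://shop.example/deal -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, status, method, url, location = m.groups()
    return {"ts": float(ts), "client": client, "status": int(status),
            "method": method, "url": url,
            "location": None if location == "-" else location}


def build_chains(log_text):
    """Link each 302 response to the same client's next request for its Location URL.
    A chain ends at the first non-302 response. Returns {client: [chain, ...]} where a
    chain is the ordered list of URLs visited; single-request 'chains' are dropped."""
    chains = defaultdict(list)
    pending = {}  # client -> (chain so far, URL we expect the client to fetch next)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client = rec["client"]
        if client in pending and pending[client][1] == rec["url"]:
            chain = pending[client][0] + [rec["url"]]
        else:
            chain = [rec["url"]]
        if rec["status"] == 302 and rec["location"]:
            pending[client] = (chain, rec["location"])
        else:
            pending.pop(client, None)
            if len(chain) > 1:
                chains[client].append(chain)
    return dict(chains)


def hostnames(chain):
    """Hostname of each URL in a chain, in order."""
    return [urlparse(u).hostname for u in chain]


def suspicious_chains(chains, min_hops=3):
    """Flag chains with at least min_hops redirects where every hop crosses a domain
    boundary; benign ad clicks usually resolve in one or two hops."""
    flagged = []
    for client, client_chains in chains.items():
        for chain in client_chains:
            hosts = hostnames(chain)
            hops = len(hosts) - 1
            cross_domain = all(a != b for a, b in zip(hosts, hosts[1:]))
            if hops >= min_hops and cross_domain:
                flagged.append((client, hosts))
    return flagged


if __name__ == "__main__":
    for client, hosts in suspicious_chains(build_chains(SAMPLE_LOG)):
        print(client, " -> ".join(hosts))
```

On the constructed sample, client 10.0.0.5 takes three cross-domain hops from the ad click to the landing page and is flagged, while 10.0.0.7’s single hop to a shop page is not. If your logs carry the User-Agent, keying the chain on (client, User-Agent) also lets you spot the profile-dependent routing the article describes, where the same ad click ends at different destinations for different browser and OS combinations.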
The security firm noted that:
“The strategy is consistent with the rise of social engineering attempts FireEye has been observing for some time, where bad actors use them to target users that are on fully patched systems or any OS/software profile that is not ideal for any exploit attempts due to software vulnerability.”
The campaign, FireEye says, has been targeting entities in the government, telecom and healthcare sectors.
Initially, Fallout’s landing page only contained code for a VBScript vulnerability. This was later expanded to include embedded Flash code. The VBScript loads a JScript function that decodes a malicious next-stage VBScript to exploit CVE-2018-8174 and executes shellcode that downloads, decrypts, and executes the desired payload. Depending on the Windows version and architecture, the malware attempts to take ownership of ctfmon.exe or rundll32.exe, or to replace them with a copy of itself. It also adds itself to startup and reboots the system. If it fails to replace the targeted system files, the malware copies itself to a different location and executes from there. The final payload in this attack is the GandCrab ransomware, which the malware fetches and manually loads into memory.
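The takeover of ctfmon.exe and rundll32.exe and the startup entry are the parts of this chain that leave durable traces on disk. The following is an added triage example, not code from FireEye or from the malware analysis: it compares the hashes of the named system binaries against a known-good baseline and flags startup entries whose executable is launched from outside trusted directories (with a stronger reason when a system binary name such as ctfmon.exe shows up in a user-writable path). All hashes, paths and startup entries below are constructed stand-ins; on a real host the baseline would be taken from a clean reference image and the observed hashes from `sha256_file`.

```python
"""Added example (not FireEye's code): host triage for the persistence behaviour
described above. Compares system binaries against known-good hashes and flags
startup entries whose executable lives outside trusted directories. All hashes
and host data below are constructed; baseline values on a real host would come
from a clean reference image."""
import hashlib
import ntpath

SYSTEM32 = r"C:\Windows\System32"
# Binaries the write-up names as takeover/replacement targets.
WATCHED = [ntpath.join(SYSTEM32, "ctfmon.exe"), ntpath.join(SYSTEM32, "rundll32.exe")]
# Directories from which a startup entry is considered expected (lower-case; an assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# File names that should never be launched from outside a system directory.
SYSTEM_NAMES = {ntpath.basename(p).lower() for p in WATCHED}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a real file on disk; used when running this against a live host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed stand-ins: the baseline is what a clean image would have; the observed
# host has ctfmon.exe replaced by different content.
BASELINE = {
    WATCHED[0]: sha256_bytes(b"constructed stand-in for clean ctfmon.exe"),
    WATCHED[1]: sha256_bytes(b"constructed stand-in for clean rundll32.exe"),
}
OBSERVED = {
    WATCHED[0]: sha256_bytes(b"constructed stand-in for a replaced binary"),
    WATCHED[1]: BASELINE[WATCHED[1]],
}
# Constructed Run-key style entries: (value name, command line).
STARTUP = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("ctfmon", r"C:\Users\alice\AppData\Roaming\ctfmon.exe"),
    ("ime", r"C:\Windows\System32\ctfmon.exe"),
]


def check_binaries(observed, baseline):
    """Return (path, reason) for every baseline binary that is missing or altered."""
    findings = []
    for path, expected in baseline.items():
        actual = observed.get(path)
        if actual is None:
            findings.append((path, "missing"))
        elif actual.lower() != expected.lower():
            findings.append((path, "hash mismatch"))
    return findings


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def check_startup(entries, trusted_dirs=TRUSTED_DIRS):
    """Return (name, exe, reason) for entries launched from outside trusted directories."""
    findings = []
    for name, command in entries:
        exe = executable_of(command)
        directory = ntpath.dirname(exe).lower()
        if any(directory.startswith(t) for t in trusted_dirs):
            continue
        if ntpath.basename(exe).lower() in SYSTEM_NAMES:
            reason = "system binary name launched from a non-system directory"
        else:
            reason = "executable outside trusted directories"
        findings.append((name, exe, reason))
    return findings


if __name__ == "__main__":
    for finding in check_binaries(OBSERVED, BASELINE) + check_startup(STARTUP):
        print(*finding)
```

A hash mismatch on a file that Windows itself never updated is the signal to preserve the binary and its timestamps before cleanup. Note the limitation the article implies: because GandCrab is fetched and loaded directly into memory, this on-disk check catches the loader’s persistence, not the ransomware payload itself.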
Based on their analysis, the researchers concluded:
“In recent years, arrests and disruptions of underground operations have led to exploit kit activity declining heavily. Still, exploit kits pose a significant threat to users who are not running fully patched systems. Nowadays we see more exploit kit activity in the Asia Pacific region, where users tend to have the more vulnerable software. Meanwhile, in North America, the focus tends to be on more straightforward social engineering campaigns.”
Exploit Kits down but not out
While exploit kit activity has seen a sharp decline, these kits still pose great risks to users. In July 2018, Trend Micro published an article detailing a change in tactics and approach by hackers using such kits, with many kits expanding to install cryptocurrency miners alongside other types of malware. Thus, despite the arrests of certain exploit kit vendors, they remain a threat, although an opportunistic one. Often these kits rely on exploiting old vulnerabilities. This does not mean they rely solely on old vulnerabilities, as malware authors can easily integrate new vulnerabilities or rehash proof-of-concept code as soon as it becomes available.
That being said, three years ago there was a drastic increase in the use of such kits. The arrests and disruption of service caused by sting operations certainly made their impact. Another factor not often considered is the role software companies have played in better securing their products. This has often come with the abandonment of legacy software such as Internet Explorer, which leaves fewer vulnerabilities to exploit. With the above factors considered, the costs associated with maintaining such kits will inevitably rise. Hackers are often a profit-driven bunch, and that profit must be achieved for the least possible effort. With that in mind, the rise of cryptocurrency miners has presented hackers with a far easier way to turn a profit.