Exploit kits like RIG and Fallout made news headlines for being associated with the distribution of Sodinokibi and GandCrab respectively. By been used to distribute some of ransomware's biggest players researchers have noted a rise in popularity of other hackers and malware authors using exploit kits to drop other forms of malware onto unsuspecting victims. This popularity seems to have driven another evolution in the history of exploit kits in that three out of nine exploit kits analyzed by researchers have migrated to being fileless.
Exploit kits, often simply referred to as EKs, are web-based applications hosted by hackers who then pay malvertisers to redirect traffic their way. Redirected traffic is then put through a system check to make sure the visitor’s machine is vulnerable to several exploits. If the machine is vulnerable then an exploit is run and access to the machine is granted. From there the hacker can drop malware of their choosing. Exploit Kits were incredibly popular at the height of Internet Explorer’s popularity which heavily relied on Flash. Both the browser and Flash were proven to have several vulnerabilities that if not patched could be exploited.
Move to the present where another browser, like Chrome, have a greater market share and conventional logic would say that exploit kits would cease to a problem once Internet Explorer and Flash stopped dominating the market. However, a rise in their use has been seen, it is believed that the rise id due to cybercriminals thinking that systems still running Internet Explorer are predominantly connected to an enterprise network. This thought process allows for targeting enterprises directly.
Research conducted by Malwarebytes reveals that operators of a number of exploit kits are moving to adopt fileless attack vectors. Three of the nine exploit kits analyzed by the security firm displayed this ability. Fileless attacks do not store files on the hard drive. It is these executable files that allow for antivirus programs to scan and detect that malware is on the machine. Rather fileless attacks load malicious code on the computers RAM rather than the hard disk. This is the first time exploit kits have been seen employing fileless attack methods. Jérôme Segura, a Malwarebytes malware analyst, noted,
“This is an interesting trend that makes sample sharing more difficult and possibly increases infection rates by evading some security products,”
Further, it was concluded that,
“It’s interesting to see exploit kits alive and kicking, despite relying on aging vulnerabilities and a decrease in the user base of both Internet Explorer and the Flash Player. In the past quarter, we’ve observed sustained malvertising activity and diversity of malware payloads served. We can probably expect this trend to continue and perhaps even see new frameworks pop up. Even if it remains remote, we can’t discard the possibility of an exploit kit targeting one of the newer browsers.”
The Three in Question
The three exploit kits discovered to employ fileless attacks are PurpleFox, Magnitude, and Underminer. These are relatively small operations when compared to RIG and Fallout, however, they may inspire other larger operations to explore the fileless route to increase infections and decrease the likelihood of discovery. PurpleFox was seen been used as a vehicle to distribute cryptominers in September 2019. The previous year the exploit kit infected some 30,000 users and was also seen been distributed by RIG as well in that year. It was the latest campaign PurpleFox changed tactics from abusing PowerShell as it had done in the past to go fileless.
The Magnitude exploit kit has been seen actively targeting those residing in South Korea and researchers detected sample that was using a specific technique with VBScript to load the .NET assembly from memory. It was argued by researchers that this lesser-known .NET assembly technique is far stealthier than abusing PowerShell. The last exploit kit discovered to employ a fileless attack method is Underminer, which has been actively seen distributing the coin miner “Hidden Bee”. In this instance the campaign initially leverages malvertising via adult websites to redirect users to the exploit kits landing page.
This campaign has been seen to primarily target Asian countries based on the ads used. Further, a server pretending to be an online dating service contains a malicious iframe responsible for the exploitation and infection process. Attacks like this are rare as they are fairly sophisticated given that the miner is widely regarded as unsophisticated. For most looking to deploy coin miners going through the trouble of implementing a fileless attack to gain access is not worth it. The miner does display one interesting feature in that it attempts to remain persistent on the system through the use of a bootkit which alters the Master Boot Record to run the miner every time the operating system reboots.
It is clear that malware authors have not entirely given up on exploit kits despite the ever-decreasing pool of available victims as more and more users are used to use other browsers. That researchers are seeing a clear evolutionary trend in the development of fileless attack methods is a testament to this. Given that it is believed exploit kits are still viable because they better target enterprises it is advised that companies move away from legacy software or in the very least ensure that they are patched. It is further advised that companies invest in an anti-virus suite that can defend against fileless attacks.