Exploit Kits

An exploit kit is a pre-configured toolkit that attackers use to exploit vulnerabilities in client software such as web browsers and their plugins (Flash, Java, Silverlight, Adobe Reader) and to drop a payload of their choosing on the victim's machine; any persistence is then established by that payload rather than by the kit itself. Most of the exploits target known, already-patched vulnerabilities, with a true zero-day added only occasionally by the better-maintained kits. Kits are developed by cyber-criminals and sold and/or rented in underground communities, and consist of a management platform, a list of exploits keyed to CVEs, and optional add-ons. Like commercial software, exploit kits are updated with new features; however, some are maintained better than others, which is one of the reasons the Angler exploit kit has become so widespread. The first traces of exploit kits were detected in 2006, and roughly 70 more have since been discovered in the wild by security researchers.

Users come into contact with exploit kits in several ways. One is being misled into clicking a malicious link, usually delivered in spam email sent by the attackers. Another is visiting a legitimate but compromised website into which attackers have injected code (typically a hidden iframe or script) that silently redirects the browser to the exploit kit server. A third common vector is online advertising: attackers buy ad space or compromise an ad network so that the ad content itself redirects visitors to the malicious server, a technique known as malvertising.

When a visitor is redirected in one of these ways, the browser ends up on the exploit kit's landing page. Sophisticated kits are good at evading detection, so users usually do not notice that their machine is being profiled. The landing page runs script that fingerprints the browser, operating system, and installed plugin versions, and the server matches that profile against its list of exploits before serving one and dropping the payload. If the machine is not vulnerable to anything in the kit, it is usually left unharmed. Serving exploits only to vulnerable targets also limits what anti-virus vendors and researchers can collect, which aids evasion.
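The redirect, landing page, exploit, payload sequence described above leaves a recognizable trace in web proxy logs. The following Python script is an added example, not code from the original article or from any exploit kit. It reconstructs each client's request sequence from a constructed, simplified proxy log (the log layout, the hostnames, and the MIME-type lists are assumptions) and flags a client only when all three stages occur from the same landing host within a short window, so a legitimate site that happens to serve its own Flash content is not flagged.

```python
"""Heuristic detection of an exploit-kit infection chain in web proxy logs.

Added example, not code from the original article. It looks for the sequence
described above: a cross-site redirect into a landing page, a plugin exploit
served from the same host, then an executable payload, all within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log (assumption: a simplified proxy-log layout with the
# fields  timestamp client_ip method url status content_type referer).
# Hosts are placeholders. Client 10.0.0.5 shows the full chain; 10.0.0.9 is a
# benign site that serves its own Flash player and must not be flagged.
SAMPLE_LOG = """\
2015-06-01T10:00:01 10.0.0.5 GET http://news.example.org/ 200 text/html -
2015-06-01T10:00:02 10.0.0.5 GET http://news.example.org/ad.js 200 application/javascript http://news.example.org/
2015-06-01T10:00:03 10.0.0.5 GET http://qz7.landing.example.net/view.php?id=8a2 200 text/html http://news.example.org/
2015-06-01T10:00:05 10.0.0.5 GET http://qz7.landing.example.net/media.swf 200 application/x-shockwave-flash http://qz7.landing.example.net/view.php?id=8a2
2015-06-01T10:00:07 10.0.0.5 GET http://qz7.landing.example.net/get.php?k=1 200 application/octet-stream http://qz7.landing.example.net/view.php?id=8a2
2015-06-01T10:05:00 10.0.0.9 GET http://video.example.com/ 200 text/html -
2015-06-01T10:05:01 10.0.0.9 GET http://video.example.com/player.swf 200 application/x-shockwave-flash http://video.example.com/
"""

# MIME types the exploit stage is delivered as, one per plugin named in the
# article (assumption: an illustrative list, not a complete one).
EXPLOIT_TYPES = {
    "application/x-shockwave-flash",  # Flash
    "application/java-archive",       # Java
    "application/x-silverlight-app",  # Silverlight
    "application/pdf",                # Adobe Reader
}
# MIME types the dropped payload is commonly served as (assumption).
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
# Landing page, exploit and payload normally arrive within seconds of each other.
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line into a dict; '-' means no Referer header was sent."""
    ts, client, method, url, status, ctype, referer = line.split(" ", 6)
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "url": url,
        "host": (urlparse(url).hostname or "").lower(),
        "status": int(status),
        "ctype": ctype.split(";")[0].strip().lower(),
        "ref_host": "" if referer == "-" else (urlparse(referer).hostname or "").lower(),
    }


def detect_chains(lines):
    """Return one finding per client/landing host where all three stages occur."""
    by_client = defaultdict(list)
    for raw in lines:
        if raw.strip():
            rec = parse_line(raw.strip())
            by_client[rec["client"]].append(rec)

    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, land in enumerate(reqs):
            # Stage 1: an HTML page on a host the browser was sent to from a
            # different site (the injected redirect or the malvertisement).
            if land["ctype"] != "text/html" or land["status"] != 200:
                continue
            if not land["ref_host"] or land["ref_host"] == land["host"]:
                continue
            exploit = payload = None
            for nxt in reqs[i + 1:]:
                if nxt["ts"] - land["ts"] > WINDOW:
                    break
                if nxt["host"] != land["host"]:
                    continue
                # Stage 2: a plugin file from the landing host; stage 3: a
                # binary from the same host, after the exploit was served.
                if exploit is None and nxt["ctype"] in EXPLOIT_TYPES:
                    exploit = nxt
                elif exploit is not None and nxt["ctype"] in PAYLOAD_TYPES:
                    payload = nxt
                    break
            if exploit and payload:
                findings.append({
                    "client": client,
                    "referer_host": land["ref_host"],
                    "landing_host": land["host"],
                    "landing": land["url"],
                    "exploit": exploit["url"],
                    "payload": payload["url"],
                })
    return findings


if __name__ == "__main__":
    for f in detect_chains(SAMPLE_LOG.splitlines()):
        print(f"{f['client']}: {f['referer_host']} -> {f['landing_host']} "
              f"(exploit {f['exploit']}, payload {f['payload']})")
```

Run directly, it prints the single flagged chain for 10.0.0.5 and nothing for the benign client. In a production version the stage-1 comparison would use registered domains rather than full hostnames (so a site's own CDN is not treated as a redirect), and the window and MIME lists would be tuned to the environment.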

Not all vulnerable machines are infected in the same way. An attacker who purchases an exploit kit can pair it with whatever payload suits his or her needs. Common examples include enrolling the machine in a botnet to carry out further attacks, dropping ransomware to extort payment, or harvesting sensitive information about the victim (credit card numbers, usernames, passwords, etc.). Exploit kits are feature rich and have proven effective at exploitation with no user interaction beyond visiting a page, making them particularly attractive to cyber-criminals.

A few of the popular exploit kits seen in the wild are RIG, Nuclear, Neutrino, and Angler. RIG has been active since 2013 and is widespread because of its use to install spam botnets. Neutrino has been associated with many Java exploits and with sophisticated malware, and is known for delivering payloads that disable vital recovery features, such as Safe Mode and System Restore, on victims' machines; its monthly or daily rental options also make it affordable for cyber-criminals. Angler is the most noteworthy and most commonly used kit because of its sophistication, maintenance schedule, and success rate. Nuclear, present since 2009, is not as sophisticated as Angler but is remembered for its attack campaign against visitors of AskMen.com.

Exploit kits are provided as a service: cyber-criminals choose a kit based on characteristics such as price, effectiveness, features, exploit list, and ease of use. Although these toolkits are offered on underground web forums, sellers usually vet buyers before delivering, since the product is high risk for the seller. Kits can be purchased like licensed software or rented for a specified period.

Angler is by far the most notorious exploit kit on the underground market, primarily because of its high-profile involvement in ransomware, malvertising, and hacktivism campaigns. According to the 2015 Trustwave Global Security Report it was the second most used exploit kit in 2014, and more recent research shows that Angler now dominates the market.

There are many reasons Angler dominates other exploit kits, but it is popular with cyber-criminals above all for its ease of use. Criminals with minimal knowledge of vulnerability exploitation can carry out large-scale attacks, which makes it particularly attractive to novice attackers. The kit comes with a user-friendly interface stocked with features for tracking malware campaigns and tuning settings for effectiveness. It is sold in numerous criminal circles and distributed as a 'payment structured service'.

Angler supports a wide variety of post-exploitation uses, such as malware installation, information gathering, and botnet enrollment, but its niche is exploiting vulnerabilities in outdated client software. The common infection vectors analyzed in 2015 targeted long-established browser plugins: Java, Adobe Reader (PDF), Silverlight, and Flash.

Angler's developers are also known to add exploits for new vulnerabilities quickly. It was one of the first kits to integrate zero-day vulnerabilities into its arsenal, notably in Flash, and its developers keep the exploit list current by removing dated CVEs. Sophistication and innovation set the toolkit apart from its competitors: it evades anti-virus solutions, can infect a machine without writing the payload to disk (keeping it memory-resident or in the registry), and encrypts and obfuscates the traffic between victim and server so that exploit and payload delivery are hard to inspect.

To defend against exploit kit attacks, users should keep their operating system, browser, and browser plugins patched, and remove plugins they do not need. Browser add-ons that block Flash and/or disable scripts are effective, although they make browsing less convenient. A layered approach that combines anti-virus solutions with threat intelligence, such as feeding security platforms with Indicators of Compromise (IOCs) for known exploit kit servers and payloads, is significantly beneficial. Regular backups, kept where malware on the infected machine cannot reach them, are also a noteworthy defense against the ransomware infections that exploit kits commonly deliver.
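Feeding IOCs into a security platform sounds simple, but published indicator lists are normally defanged (hxxp://, [.]) and use inconsistent casing, so they have to be normalized before they can be matched against logs. The following Python script is an added example, not code from the original article; the IOC feed format, the proxy log layout, and every host, URL and address in it are constructed placeholders. It refangs the feed, normalizes URLs and domains, and matches log lines so that a domain indicator also covers its subdomains but not its parent domain.

```python
"""Match web proxy log lines against a threat-intelligence IOC feed.

Added example, not code from the original article. Shared IOC lists are usually
'defanged' (hxxp://, [.]) so they cannot be clicked by accident, so the feed has
to be refanged and normalized before it is loaded into a matching engine.
"""
import re
from urllib.parse import urlparse

# Constructed feed (assumption: simple CSV of  type,value,note). Hosts and
# addresses are placeholders, not real indicators.
CONSTRUCTED_IOC_FEED = """\
# type,value,note
domain,qz7.landing[.]example[.]net,exploit kit landing page
url,hxxp://cdn-static[.]example[.]org/get.php?k=1,payload download
ip,203.0.113.45,exploit kit server
"""

# Constructed proxy log (assumption: fields  timestamp client_ip dest_ip url).
SAMPLE_LOG = """\
2015-06-01T10:00:03 10.0.0.5 203.0.113.45 http://qz7.landing.example.net/view.php?id=8a2
2015-06-01T10:00:05 10.0.0.5 203.0.113.46 http://a1.qz7.landing.example.net/media.swf
2015-06-01T10:00:07 10.0.0.5 198.51.100.7 http://CDN-Static.example.org/get.php?k=1
2015-06-01T10:00:09 10.0.0.5 198.51.100.7 http://cdn-static.example.org/jquery.js
2015-06-01T10:05:00 10.0.0.9 192.0.2.10 http://news.example.org/
2015-06-01T10:06:00 10.0.0.9 192.0.2.11 http://landing.example.net/
"""


def refang(indicator):
    """Undo the common defanging conventions so the indicator can be compared."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize_url(url):
    """Scheme and host are case-insensitive; path and query are not."""
    p = urlparse(url)
    out = f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"
    return out + (f"?{p.query}" if p.query else "")


def load_iocs(feed_text):
    """Parse the feed into per-type lookup tables of normalized indicators."""
    iocs = {"domain": {}, "url": {}, "ip": {}}
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) < 2:
            continue  # malformed row: skip it rather than abort the whole load
        kind = parts[0].strip().lower()
        value = refang(parts[1])
        note = parts[2].strip() if len(parts) > 2 else ""
        if kind == "domain":
            iocs["domain"][value.lower().rstrip(".")] = note
        elif kind == "url":
            iocs["url"][normalize_url(value)] = note
        elif kind == "ip":
            iocs["ip"][value] = note
    return iocs


def match_line(line, iocs):
    """Return (type, indicator, note) tuples for every IOC the line touches."""
    ts, client, dest_ip, url = line.split(" ", 3)
    host = (urlparse(url).hostname or "").lower()
    hits = []
    if dest_ip in iocs["ip"]:
        hits.append(("ip", dest_ip, iocs["ip"][dest_ip]))
    # A domain indicator covers the host itself and any subdomain of it, but
    # not its parent (landing.example.net does not match qz7.landing.example.net).
    for dom, note in iocs["domain"].items():
        if host == dom or host.endswith("." + dom):
            hits.append(("domain", dom, note))
    norm = normalize_url(url)
    if norm in iocs["url"]:
        hits.append(("url", norm, iocs["url"][norm]))
    return hits


def scan(feed_text, log_lines):
    """Return (client_ip, url, hits) for each log line that matched an IOC."""
    iocs = load_iocs(feed_text)
    results = []
    for raw in log_lines:
        if not raw.strip():
            continue
        hits = match_line(raw.strip(), iocs)
        if hits:
            _, client, _, url = raw.strip().split(" ", 3)
            results.append((client, url, hits))
    return results


if __name__ == "__main__":
    for client, url, hits in scan(CONSTRUCTED_IOC_FEED, SAMPLE_LOG.splitlines()):
        print(client, url, ", ".join(f"{k}={v} ({n})" for k, v, n in hits))
```

Of the six constructed log lines, three match: the landing page request (by both destination IP and domain), the request to a subdomain of the listed domain, and the payload URL despite its mixed-case hostname. The request for jquery.js from the payload host does not match because only a URL, not the whole domain, was listed for it, which is the usual trade-off when an indicator points at a shared or legitimate host.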