Exploit Kit

Exploit kits or exploit packs refer to a type of hacking toolkit that cybercriminals use to take advantage of vulnerabilities in systems/devices so they can distribute malware or do other malicious activities. They normally target popular software such as AdobeFlash ®, Java, Microsoft Silverlight® .

A typical exploit kit usually provides a management console, a bunch of vulnerabilities for different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.


Figure 1: Exploit kit infection chain
  • Step 1: Contact
    A n attacker convinces people to click the link to a site that serves an exploit kit often through spam and effective social engineering lures.
  • Step 2: Redirect
    The exploit kit finds vulnerabilities in software installed on the systems/devices used to access the link.
  • Step 3: Exploit
    An exploit that takes advantage of the vulnerability found is executed on the system/device.
  • Step 4: Infect
    A payload (a piece of malware) is dropped and executed on the system/device.


The Exploit Kit-Ransomware Tandem

Exploit kits have proven efficient means to deliver all sorts of threats to vulnerable systems/devices. In 2015, then most active and popular exploit kit, Angler, started the wave of delivering ransomware to victims’ systems/devices.


Figure 2: Exploits included in specific kits in the first half of 2016




  • Angler Exploit Kit
  • Neutrino Exploit Kit
  • Magnitude Exploit Kit
  • Rig Exploit Kit
  • Nuclear Exploit Kit
  • Sundown Exploit Kit
  • Hunter Exploit Kit
  • Fiesta Exploit Kit

  • CRYPWALL
    2015
    2016
  • CRYPTESLA
    2015
    2016
  • CRILOCK
    2015
    2016
  • CRYPCTB
  • CRYPSHED
  • WALTRIX
    2016
  • Cerber
  • Locky
  • GOOPIC
  • Crypto
    Shocker

Below each ransomware variant are the years they were actively delivered by exploit kits
Figure 3: Ransomware families delivered by exploit kits

Angler: 1H 2016’s Most Notorious Exploit Kit

The Angler Exploit Kit accounted for 60% of the overall activity in 2015. It was used in a massive malvertising campaign that preyed on top-tier news, entertainment, and political commentary sites in March 2016, too.

Angler was constantly updated to include new exploits, including those that were part of the Hacking Team leak and used in Pawn Storm, until the arrest of 50 people accused of using it for malware distribution, allowing them to amass US$25 million.


Figure 4: Number of times exploit-kit-hosting URLs were accessed in the first half of 2016



Vulnerabilities Most Exploited by Exploits Integrated into Kits

Exploit kits typically integrate exploits for vulnerabilities in the most commonly used applications that many users leave unpatched. We identified five of the vulnerabilities most exploited by exploit kits from 2010 to the first half of 2016 below.

  • CVE-2013-2551

    Affected software: Microsoft Internet Explorer® 6–10

    Description: A use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a deleted object

    Latest story: Windows 10 Sharpens Browser Security with Microsoft Edge

  • CVE-2015-0311

    Affected software: Adobe Flash Player 13.0.0.262, 14.x, 15.x, and 16.x–16.0.0.287 on Microsoft Windows® and 11.2.202.438 on Linux

    Description: An Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors

    Latest story: Exploit Kits in 2015: Flash Bugs, Compromised Sites, Malvertising Dominate

  • CVE-2015-0359

    Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux

    Description: An Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used; failed exploitation attempts likely result in denial of service (DoS)

    Latest story: Exploit Kits in 2015: Flash Bugs, Compromised Sites, Malvertising Dominate

  • CVE-2014-0515

    Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x–13.0.x before 13.0.0.206 on Microsoft Windows and Mac® OS X® and before 11.2.202.356 on Linux

    Description: An Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows attackers to run some processes and run arbitrary shellcode

    Latest story: Flash Greets 2015 with New Zero Day

  • CVE-2014-0569

    Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux

    Description: An Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors

    Latest story: Latest Microsoft Patch Prevents Browser History Snooping

Adobe Flash remains the most exploited software since 2010. Cybercriminals are clearly aware of the millions of developers that use it to create content for mobile and desktop consumption. Adobe Flash runs on more than 1 billion connected devices/systems to date.

 

Notable exploit-kit-related incidents

 

YEAR INCIDENT
2006 WebAttacker (US$20) and Mpack (US$1,000) were sold in the Russian underground
2007 NeoSploit, Phoenix, Tornado, and Armitage Exploit Kits surfaced
2008 Fiesta, AdPack, and FirePack Exploit Kits surfaced
Mar 2010 Malicious ads lead to the Liberty Exploit Kit
Aug 2010 Original Blackhole Exploit Kit surfaced
Sep 2012 Blackhole Exploit Kit 2.0 was found in the wild
Jan 2013 Cool and Blackhole Exploit Kits distributed REVETON and other ransomware variants
Feb 2013 Whitehole Exploit Kit was sold for US$200–1,800)
Mar 2013 Neutrino Exploit Kit figured in the underground (for rent at US$40/day or US$450/month)
Apr 2013 Blackhole Exploit Kit linked to large-scale brute-forcing attack on WordPress blogs
Oct 2013 Blackhole Exploit Kit creator, Paunch, was arrested in Russia
Oct 2013 Bleeding Life Exploit Kit was used in the Apollo banking Trojan campaign
Jan 2014 Malicious Yahoo! site ads led to Magnitude Exploit Kit
Jun 2014 ZeuS P2P variant, Gameover, led to Blackhole Exploit Kit sites
Jun 2014 Compromised Japanese sites led to Angler Exploit Kit and VAWTRAK
Sep 2014 Nuclear Exploit Kit targeted Microsoft Silverlight
Oct 2014 YouTube ads led to the Sundown Exploit Kit
Apr 2015 Fiesta Exploit Kit spread crypto-ransomware
Jul 2015 Hacking Team Flash zero-day exploits were integrated into the Angler and Nuclear Exploit Kits
Jul 2015 Angler Exploit Kit was used to find and infect PoS systems
Sep 2015 Massive malvertising campaign using Angler Exploit Kit affected 3,000 high-profile Japanese sites
Sep 2015 Angler and Nuclear Exploit Kits abused the Diffie-Hellman key exchange protocol to hide traffic
Mar 2016 Malvertisements led to the Angler Exploit Kit in the US
Apr 2016 Blackhole Exploit Kit creator, Paunch, was sentenced to seven years of imprisonment in Russia
Jun 2016 Angler Exploit Kit ceased operations after a malware-related arrest
Table 1: Notable exploit-kit-related incidents from 2006 to the first half of 2016

Exploit Kits Over Time

Exploit kits, the closest thing to a Swiss Army knife, remain a steadfast threat because of their track record. From fake antivirus to malvertisements and now ransomware, exploit kits have proven effective, enough to be constantly updated for more inventive and malicious uses.


Figure 5: Comparison of active and new exploit kits from 2006 to the first half of 2016


 

Active and new exploit kits

 

YEAR EXISTING NEWLY RELEASED
2006   Mpack
  WebAttacker Kit
2007 MPack Armitage Exploit Pack
  IcePack Exploit Kit
  NeoSploit Exploit Kit 1.0
  Phoenix Exploit Kit
  Tornado Exploit Kit
2008 IcePack Exploit Kit AdPack
NeoSploit Exploit Kit 2.0/3.0 Fiesta Exploit Kit
Phoenix Exploit Kit FirePack Exploit Kit
Tornado Exploit Kit  
2009 Phoenix Exploit Kit 2.0 CrimePack 1.0
Tornado Exploit Kit Eleonore Exploit Kit
  Fragus Exploit Kit
  Just Exploit Kit
  Liberty Exploit Kit
  Lucky Sploit
  MyPoly Sploit
  Neon Exploit System
  Spack
  Siberia Exploit Pack
  Unique Sploits Exploit Pack
  Yes Exploit Kit 1.0/2.0
2010 CrimePack 2.0/3.0 Blackhole Exploit Kit 1.0
Eleonore Exploit Kit Bleeding Life Exploit Kit 1.0/2.0
Phoenix Exploit Kit 2.0 Dragon Pack
Siberia Pack Nuclear Exploit Kit 1.0
Yes Exploit Kit 3.0 Papka Exploit Pack
  SEO Sploit Pack
2011 Blackhole Exploit Kit 1.1/1.2 Best Pack
Bleeding Life Exploit Kit 3.0 G01Pack Exploit Kit
Eleonore Exploit Kit Katrin Exploit Pack
NeoSploit Exploit Kit 4.0 OpenSource Exploit Kit
Nuclear Exploit Kit 1.0 Sava Exploit Kit
Phoenix Exploit Kit 2.0  
SEO Sploit Pack  
Siberia Pack  
2012 Blackhole Exploit Kit 2.0 Alpha Pack
G01Pack Exploit Kit CK Exploit Kit
Hierarachy/Eleonore Exploit Kit Cool Exploit Kit
NeoSploit Exploit Kit 4.0 CrimeBoss Exploit Kit
Nuclear Exploit Kit 2.0 CritXPack
Phoenix Exploit Kit 3.0 GrandSoft Exploit Kit
  Impact Exploit Kit
  KaiXin Exploit Pack
  Kein Exploit Pack
  NucSoft Exploit Pack
  ProPack
  RedKit Exploit Kit
  Sakura Exploit Kit
  Serenity Exploit Pack
  Sibhost/Glazunov Exploit Kit
  Styx Exploit Kit 2.0
  SweetOrange Exploit Kit
  Techno Xpack
  Yang Pack
  ZhiZhu Exploit Kit
2013 Blackhole Exploit Kit 2.0 Angler Exploit Kit
CK Exploit Kit Anonymous Exploit Kit
CrimeBoss Exploit Kit DotkaChef Exploit Kit
Fiesta/NeoSploit Exploit Kit GongDa Exploit Kit
FlackPack Exploit Kit Hello/LightsOut Exploit Kit
G01Pack Exploit Kit HiMan Exploit Kit
GrandSoft Magnitude/PopAds Exploit Kit
Nuclear Exploit Kit 3.0 Neutrino Exploit Kit
Phoenix Exploit Kit 3.0 Private Exploit Pack
RedKit/Goon Exploit Kit Red Dot Exploit Kit
Sakura Exploit Kit Safe Pack
Sibhost/Glazunov Exploit Kit WhiteHole Exploit Kit
Styx Exploit Kit White Lotus Exploit Kit
SweetOrange Exploit Kit Zuponcic Exploit Kit
2014 Angler Exploit Kit CottonCastle/Niteris Exploit Kit
DotkaChef Exploit Kit HanJuan Exploit Kit
Fiesta/NeoSploit Exploit Kit Rig Exploit Kit
FlackPack Exploit Kit  
GongDa Exploit Kit  
Hello/LightsOut Exploit Kit  
RedKit/Infinity Exploit Kit  
Magnitude Exploit Kit  
Neutrino Exploit Kit  
Nuclear Exploit Kit 3.0  
Styx Exploit Kit  
SweetOrange Exploit Kit  
Zuponcic Exploit Kit  
2015 Angler Exploit Kit Hunter Exploit Kit
Fiesta/NeoSploit Exploit Kit Sundown Exploit Kit
HanJuan Exploit Kit  
Magnitude Exploit Kit  
Neutrino Exploit Kit  
Nuclear Exploit Kit 3.0  
Rig Exploit Kit  
SweetOrange Exploit Kit  
2016 Angler Exploit Kit  
Rig Exploit Kit  
Magnitude Exploit Kit  
Nuclear Exploit Kit  
Neutrino Exploit Kit  
Sundown Exploit Kit  
Hunter Exploit Kit  

Table 2: Detailed list of active and new exploit kits from 2006 to the first half of 2016

Protect Your Organization from Exploit Kits

Shield your endpoints temporarily, until you can deploy patches, or indefinitely for out-of-support or unpatchable systems. We’ll help you prevent vulnerability exploitation (e.g., ransomware exploiting vulnerabilities) with easy- and fast-to-deploy intrusion prevention system (IPS) filters. So you get full protection until you can deploy vendor patches when it makes the most sense for your business. Vulnerability protection is part of the Trend Micro Smart Protection Suites.

Trend Micro™ Deep Security™, meanwhile, powers Trend Micro’s Hybrid Cloud Security solution, providing market-leading security capabilities for physical, virtual, and cloud servers from a single integrated platform.

Add to those TippingPoint Network Security Solutions that provide real-time network protection, visibility, and centralized management and analytics that are easy to use, configure, and install.

All of these solutions contribute to the interconnected, multilayered security defense strategy that Trend Micro provides to protect your users and their data from vulnerability exploitation, regardless of device or location.

To mitigate vulnerability exploitation, follow these best practices:

  • Promptly patch all endpoints to block known exploits.
  • Deploy a vulnerability shielding solution that proactively shields systems/devices from even unknown vulnerabilities via behavior monitoring.
  • Update browsers and plug-ins to the latest versions and use a browser exploit prevention solution that secures against zero-day browser exploits.



Related papers

Related Infographics