An exploit kit (or exploit pack) is a type of toolkit that cybercriminals use to exploit vulnerabilities in systems so they can distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that target commonly installed software such as Adobe Flash®, Java®, and Microsoft Silverlight®.
A typical exploit kit provides a management console, a set of exploits for vulnerabilities in different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.
Stages of an exploit kit infection
Step 1: Contact
Attackers often use spam email and social-engineering lures to get people to click a link to the exploit kit server. Alternatively, the user clicks a malicious advertisement (malvertisement) placed on a legitimate website.
Step 2: Redirect
The exploit kit's redirector (its gate) profiles each visitor and filters out those who do not meet the operator's criteria; only the rest are passed on to the kit. For example, an operator can target a specific country by filtering client IP addresses by geolocation.
Step 3: Exploit
The remaining victims are directed to the exploit kit's landing page. The landing page profiles the browser and its installed plugins to determine which vulnerabilities should be used in the ensuing attack.
Step 4: Infect
After successfully exploiting a vulnerability, the attacker can download and execute malware (the payload) in the victim's environment.
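The four stages above leave a recognisable footprint in web proxy logs: a cross-domain redirect into a host the user never typed, an exploit-type object (Flash, Java, Silverlight) served from that host, and a binary download from the same host moments later. The following Python example, added here and not part of the original article, reconstructs that chain from a constructed log excerpt. The log format, hostnames and content-type sets are assumptions for the example; the Flash file fetched by the second client from a CDN shows why a plugin object on its own is not evidence and the payload fetch is the discriminating step.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy-log excerpt (not real traffic). Assumed space-separated format:
# time client host path status content-type referer ("-" when absent).
# Client 10.1.1.5 goes through all four stages; client 10.1.1.9 loads a legitimate
# Flash player from a CDN and must not be flagged.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 news.example.org /article.html 200 text/html -
10:00:02 10.1.1.5 ads.example-network.net /serve?id=77 302 text/html http://news.example.org/article.html
10:00:03 10.1.1.5 gate.example-redirect.biz /in.php 200 text/html http://ads.example-network.net/serve?id=77
10:00:04 10.1.1.5 land.example-ek.top /index.php?k=9a1 200 text/html http://gate.example-redirect.biz/in.php
10:00:05 10.1.1.5 land.example-ek.top /x.swf 200 application/x-shockwave-flash http://land.example-ek.top/index.php?k=9a1
10:00:07 10.1.1.5 land.example-ek.top /dl.php?i=2 200 application/octet-stream -
10:05:00 10.1.1.9 news.example.org /article.html 200 text/html -
10:05:01 10.1.1.9 cdn.example.org /player.swf 200 application/x-shockwave-flash http://news.example.org/article.html
"""

# Content types the exploit stage (step 3) typically serves, and the types a
# dropped payload (step 4) typically arrives as. Assumed values; tune to your proxy.
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-silverlight-app"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, client, host, path, status, ctype, referer = line.split()
        records.append({"ts": _seconds(ts), "client": client, "host": host,
                        "path": path, "status": int(status), "ctype": ctype,
                        "referer": None if referer == "-" else referer})
    return records


def redirect_chain(reqs, landing_host):
    """Walk Referer headers backwards from the client's first request to
    landing_host and return the hosts visited, first hop first (steps 1-2)."""
    by_url = {"http://" + r["host"] + r["path"]: r for r in reqs}
    cur = next(r for r in reqs if r["host"] == landing_host)
    chain, seen = [landing_host], set()
    while cur["referer"] and cur["referer"] not in seen:
        seen.add(cur["referer"])
        ref_host = urlparse(cur["referer"]).hostname
        if ref_host != chain[-1]:          # only record cross-domain hops
            chain.append(ref_host)
        cur = by_url.get(cur["referer"])
        if cur is None:                    # referer never appeared in this log
            break
    chain.reverse()
    return chain


def find_infection_chains(records, payload_window=60):
    """Return one hit per client that was redirected into a host, received an
    exploit-type object from it, and then fetched a payload from the same host."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(reqs):
            if r["status"] != 200 or r["ctype"] not in EXPLOIT_TYPES:
                continue
            landing = r["host"]
            chain = redirect_chain(reqs, landing)
            if len(chain) < 2:             # no cross-domain redirect into the host
                continue
            # Step 4: a binary-looking download from the same host shortly after.
            # A Flash object alone is not evidence; legitimate sites serve .swf too.
            payload = next((p for p in reqs[i + 1:]
                            if p["host"] == landing and p["ctype"] in PAYLOAD_TYPES
                            and p["ts"] - r["ts"] <= payload_window), None)
            if payload is None:
                continue
            hits.append({"client": client, "landing_host": landing, "chain": chain,
                         "exploit": r["path"], "payload": payload["path"]})
    return hits


if __name__ == "__main__":
    for hit in find_infection_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], " -> ".join(hit["chain"]), hit["exploit"], hit["payload"])
```

Run as-is it reports only client 10.1.1.5 with the chain news.example.org -> ads.example-network.net -> gate.example-redirect.biz -> land.example-ek.top. The Referer walk depends on the browser sending Referer across the redirect; kits that strip it still show up through the exploit-then-payload pairing on one host, which is why that check is kept separate from the chain length.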
Recent attacks related to exploit kits
Delivered threats to visitors of “The Independent” after it was hacked.
Delivered Adobe Flash exploits through a compromised ad network in the US
Delivered Locky ransomware
Hid traffic by using the Diffie-Hellman key exchange protocol
Delivered CryptoWall, TeslaCrypt ransomware
Delivered DRIDEX malware
Spotted in malvertising campaign in Japan
Used a zero-day flaw exposed in the Hacking Team leak
Delivered Ransom_GOOPIC ransomware
Delivered card-scraping Kasidet worm
Employs use-after-free vulnerabilities in Adobe Flash Player
Delivered CryptoShocker ransomware
Included in a malicious YouTube ad campaign
Vulnerabilities mostly exploited by exploit kits
Exploit kits typically integrate exploits for vulnerabilities in popular applications that many users leave unpatched. We tallied the vulnerabilities commonly exploited from 2010 to the first half of 2016 and found that cybercriminals most often exploit the following:
Affected software: Adobe Flash Player before 220.127.116.111 and 14.x through 17.x before 18.104.22.168 on Windows and OS X and before 22.214.171.1247 on Linux
Description: This is an Adobe Flash Player memory corruption vulnerability that allows an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 126.96.36.199 on Windows and OS X, and before 188.8.131.526 on Linux
Description: This is an Adobe Flash Player buffer overflow vulnerability that is triggered when parsing a compiled shader in a Flash object. It allows an attacker to execute arbitrary shellcode in the context of the affected application.
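Affected-version statements of the form "before A and M.x through N.x before B" describe two things at once: an older branch that is fixed at A, and a span of newer branches that is fixed at B. Deciding whether an installed build is exposed is therefore a branch-aware comparison, not a single "less than" test. The Python example below is added here and is not part of the original article; it turns that wording into a predicate and runs it over a constructed host inventory. The advisory strings and the fixed-version figures in them are assumed for illustration (they are not the real boundaries of either vulnerability above), and the trailing "before X on Linux" clause is deliberately ignored, so the check applies to the Windows and OS X branches only.

```python
import re

# Matches wording such as "before 13.0.0.100 and 14.x through 17.x before 17.0.0.50"
# or "before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.100".
# The first match is taken, so a later "and before X on Linux" clause is ignored.
RANGE_RE = re.compile(
    r"before (?P<a>\d+(?:\.\d+)*) and "
    r"(?P<lo>\d+(?:\.\d+)*)\.x through (?P<hi>\d+(?:\.\d+)*)\.x "
    r"before (?P<b>\d+(?:\.\d+)*)")


def parse_version(s):
    """'18.0.0.209' -> (18, 0, 0, 209); tuples compare component-wise."""
    return tuple(int(p) for p in s.split("."))


def affected_predicate(description):
    """Build is_affected(version) from an affected-software sentence."""
    m = RANGE_RE.search(description)
    if not m:
        raise ValueError("unrecognised affected-version wording: " + description)
    fix_old = parse_version(m["a"])      # fix for the older branch
    fix_new = parse_version(m["b"])      # fix for the lo..hi branches
    lo, hi = parse_version(m["lo"]), parse_version(m["hi"])

    def is_affected(version):
        v = parse_version(version)
        if v[:len(lo)] < lo:                          # older branch
            return v < fix_old
        if lo <= v[:len(lo)] and v[:len(hi)] <= hi:   # named branches
            return v < fix_new
        return False                                  # branches the advisory does not name
    return is_affected


def hosts_needing_patch(description, inventory):
    """Hosts (sorted) whose installed version falls in the affected range."""
    affected = affected_predicate(description)
    return sorted(host for host, ver in inventory.items() if affected(ver))


# Constructed, hypothetical advisory wording and host inventory. The version
# figures are illustrative and do not correspond to a real Adobe release.
EXAMPLE_ADVISORY = ("Adobe Flash Player before 13.0.0.100 and 14.x through 17.x "
                    "before 17.0.0.50 on Windows and OS X and before 11.2.202.1 on Linux")
EXAMPLE_INVENTORY = {
    "ws01": "13.0.0.99",    # old branch, below its fix: affected
    "ws02": "13.0.0.100",   # old branch, at its fix: patched
    "ws03": "16.0.0.305",   # inside 14.x..17.x, below the newer fix: affected
    "ws04": "17.0.0.50",    # at the newer fix: patched
    "ws05": "18.0.0.1",     # branch not named by the advisory: not affected
}

if __name__ == "__main__":
    print(hosts_needing_patch(EXAMPLE_ADVISORY, EXAMPLE_INVENTORY))
```

Note that a build from a branch the advisory does not name (18.x in the constructed data) is reported as not affected only in the sense that this sentence makes no claim about it; a separate advisory may well cover it, so inventory checks should be run against every applicable statement, not just one.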