There was a time when exploit kits were the coolest kids in school, getting all the headlines and making all the money for cybercrime groups. But time and tide wait for no man, and attackers soon moved on to other tactics. But recent developments have revealed that while exploit kit activity has dropped off considerably in the last couple of years, it is by no means gone.
Exploit kits are devilishly clever creations and are essentially the utility infielders of crimeware. They typically combine exploits for a number of different vulnerabilities in several separate applications, often browsers or their components. There are dozens of different exploit kits but most of them focus on apps such as Adobe Flash or other widely installed software with a steady supply of known vulnerabilities. Attackers typically target a given website or set of sites, use a server-side vulnerability to install the kit on the site’s web server and then wait for visitors to hit the site. When they do, the exploit kit will launch various exploits against known vulnerabilities in whatever browser the victim is using.
Cybercrime groups have used these kits for lots of different operations over the years, often to install a piece of malware on the victim’s machine, such as a keylogger or even ransomware. Recently, researchers at Malwarebytes discovered an operation in which attackers were able to compromise an ad server used in online ad campaigns and infect the ads that victims see. The campaign is using the GreenFlash Sundown exploit kit, which is not one of the more well-known kits, but is dangerous nonetheless. In the campaign Malwarebytes analyzed, the kit is installing the Seon ransomware on victims’ machines but it also has the capability to deliver other malware and cryptominers. The kit uses a number of redirections and code obfuscation to hide its intent and origins.
“The redirection mechanism is cleverly hidden within a fake GIF image that actually contains a well obfuscated piece of JavaScript. The next few sessions contain more interesting code including a file loaded from fastimage[.]site/uptime.js which is actually a Flash object. This performs the redirection to adsfast[.]site which we recognize as being part of the GreenFlash Sundown exploit kit. It uses a Flash Exploit to deliver its encoded payload via PowerShell,” Jerome Segura, a researcher at Malwarebytes, wrote in an analysis of the campaign.
“Leveraging PowerShell is interesting because it allows to do some pre-checks before deciding to drop the payload or not. For example, in this case it will check that the environment is not a Virtual Machine. If the environment is acceptable, it will deliver a very visible payload in SEON ransomware.”
Another interesting aspect of this specific campaign using GreenFlash Sundown is that the actors who use the kit typically only target victims in South Korea. That was not the case here, as the campaign targeted people in Europe and North America.
At the same time that GreenFlash was reappearing, a new exploit kit called Spelevo was emerging in campaigns that compromised websites and served Flash exploits, among others, to visitors. Spelevo isn’t particularly innovative or unique, but it has the capability of exploiting vulnerabilities in multiple apps and researchers say that it has been used recently to deliver banking trojans, including the nasty Dridex malware. One campaign analyzed by researchers with Cisco’s Talos Intelligence Group targeted the web server of a B2B site and was serving several separate exploits to visitors.
“Spelevo is a relatively new exploit kit that was first seen a couple of months ago. Since its discovery, it has gone through some minor changes, including modification of URL structure and some obfuscation changes in the landing and exploit pages themselves. It makes use of a lot of common techniques for exploit kits that we've seen over the years,” said Nick Biasini of Talos.
“Unlike the Rig exploit kit, Spelevo is being hosted using domains instead of hard coded IP addresses. Additionally, they appear to be leveraging domain shadowing, a technique Talos discovered several years ago, leveraging compromised registrant accounts to host malicious activity using subdomains. Talos also found several instances of 302 cushioning where the gates and exploit kits will leverage a series of HTTP 302 redirects to eventually point to the landing page. The core functionality remains the same: Compromise anyone who interacts with it.”
Although exploit kits may no longer be the go-to move for cybercrime groups, they still have a notable presence on the threat landscape and likely will for some time to come.
CC By 2.0 license photo from James Case.