In February, we released our SonicWall Security 2016 Threat Report, and one of its highlights was a discussion on latest techniques and trends in exploit kits (EKs).
EKs have become a key tool for cybercriminals to take over the target machines (via an exploit) and subsequently install a malware of their choice.
For those who have some background in researching EKs, their stages would seem familiar. First, there is a redirection stage. This leads the user to the landing page of the EK (either directly or via infected website). This redirection stage can occur as a result of a URL link in the spam email or Twitter/Facebook feed, advertising banner redirection (malvertising) or simply an IFRAME redirection from an infected website.
Next is the landing stage. Here, the target visits the actual web server where the EK software resides (i.e., the landing page) and the exploit is delivered.
During exploitation, carefully crafted scripts determine the software components installed on victims machines (in order to select an appropriate exploit first). Then the successful targeted exploit is delivered and malware is subsequently installed on target machines.
Some of the stages described above can be shown using Spartan EK discovered by the SonicWall Threat Research team last year.
As you may note in Spartan’s exploit kit delivery technique, the initial Flash file was encrypted, and the actual exploit code resided only in memory and was never written to disk (thus avoiding potential detection by AV software).
EK delivery mechanisms are evolving, and require security vendors to use the latest up-to-date evasion techniques in order to successfully detect and/or prevent the attacks. It is not uncommon for EKs to check for presence of certain AV software or virtualized environment during exploit stage, and thus abort its execution to prevent exposing itself to security professionals (see example code below).
For example, last year, we observed the Magnitude EK using steganography techniques during the redirection stage to dynamically generate an IFRAME from an encrypted/encoded image file. Such techniques make it more difficult for affected website owner to identify a potential website infection.
What are some important conclusions security product designers can draw from the latest trends in EKs? For one, due to all the exploit and malware payload obfuscation trends in the latest exploit delivery techniques of exploit kits, it is now more important to quickly and correctly identify EK landing page access, and stop the exploit delivery immediately at the point of landing page access by the user. Thus, tracking EKs and their latest attack techniques is an important part of any threat research team’s activity.
Download the SonicWall Security Annual Threat Report today.