Exploit kit activity may not be at the level seen in 2016, but the malicious website toolkits are enjoying something of a resurgence. New exploit kits such as Lord have recently been discovered and the activity of more established kits such as Rig and GrandSoft has increased significantly in recent months. Exploit kit activity is now at three times the level of this time last year.
Exploit kits are toolkits loaded onto websites that probe visitors’ devices for exploitable vulnerabilities. Each kit bundles several exploits, which fire if a matching flaw is detected on the visitor’s device. Should that happen, a malicious payload is silently downloaded and executed, and the user will most likely be unaware that anything untoward has happened.
Security researcher nao_sec has identified four separate campaigns that are currently directing unsuspecting users to sites hosting these exploit kits via malicious adverts (malvertising) on high traffic websites.
One malvertising campaign is driving traffic to the GrandSoft exploit kit, which delivers the Ramnit banking Trojan. The Rig exploit kit is being used to deliver a clipboard hijacker called Amadey via a malvertising campaign on the PopCash ad network; Rig is loaded with exploits for Flash Player and Internet Explorer (CVE-2018-15982 and CVE-2018-8174). The Fallout exploit kit is also delivering a clipboard hijacker using the same two vulnerabilities as Rig, and the Radio exploit kit is delivering Nemty ransomware via CVE-2016-0189.
Fortunately, protecting against exploit kit activity is straightforward. Exploit kits can only exploit vulnerabilities that have not been patched, and most EKs only host exploits for a very limited number of vulnerabilities. To prevent an attack, users should ensure that their devices are 100% up to date, especially their browser, plugins, PDF reader, and Flash Player. Users who have not yet upgraded their operating system to a supported version are also at risk, since unsupported versions no longer receive patches.
Other solutions such as web filters can also be implemented to reduce the potential for users to arrive on a compromised website. Many can also be configured to block adverts, thus preventing malvertising redirects.
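As an added example that is not code from the article or from nao_sec, the following Python script turns the two mitigations above (web filtering and blocking malvertising redirects) into detection logic a defender can run over proxy logs. It flags requests where an ad-network referrer hands the browser off to a host that is not on the organisation's allow-list, and Flash objects served from unlisted hosts, which is the delivery path described above for the Flash Player exploits. The proxy log layout, the hostnames, the ad-network list and the allow-list are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed allow-list of hosts the organisation already knows (assumption).
KNOWN_HOSTS = {"www.example-news.test", "ads.example-adnet.test"}
# Constructed list of ad-network hosts whose redirects deserve scrutiny (assumption).
AD_NETWORK_HOSTS = {"ads.example-adnet.test"}
# Flash is the relevant MIME type here because the kits discussed carry Flash Player exploits.
RISKY_CONTENT_TYPES = {"application/x-shockwave-flash"}

# Assumed proxy log layout (constructed, not a real product's format):
#   <timestamp> <client> <method> <url> <status> "<referer>" "<content-type>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ctype>[^"]*)"$'
)


@dataclass
class Alert:
    client: str
    url: str
    reason: str


def host_of(url: str) -> str:
    """Return the lower-cased hostname of an http(s) URL, or '' if there is none."""
    m = re.match(r'^[a-z]+://([^/:?#]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict of fields, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Apply two rules to every request that targets a host outside the allow-list:
    1. the referrer is an ad network (the malvertising redirect that lands a
       visitor on an exploit kit page), and
    2. the response is a Flash object (the stage an exploit kit uses to attack
       Flash Player).
    """
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines that do not match the assumed layout
        host = host_of(rec["url"])
        if not host or host in KNOWN_HOSTS:
            continue  # known hosts are not interesting for either rule
        if host_of(rec["referer"]) in AD_NETWORK_HOSTS:
            alerts.append(Alert(rec["client"], rec["url"],
                                "ad-network redirect to unlisted host"))
        mime = rec["ctype"].split(";")[0].strip().lower()
        if mime in RISKY_CONTENT_TYPES:
            alerts.append(Alert(rec["client"], rec["url"],
                                "flash object from unlisted host"))
    return alerts


# Constructed sample log: a news page, an ad-network hop, a redirect to an unknown
# host that then serves a Flash object, and an unrelated benign request.
SAMPLE_LOG = [
    '2019-09-20T10:00:01Z 10.0.0.5 GET http://www.example-news.test/article 200 "" "text/html"',
    '2019-09-20T10:00:02Z 10.0.0.5 GET http://ads.example-adnet.test/serve?id=1 302 '
    '"http://www.example-news.test/article" "text/html"',
    '2019-09-20T10:00:02Z 10.0.0.5 GET http://landing.unknown-host.test/index.php 200 '
    '"http://ads.example-adnet.test/serve?id=1" "text/html"',
    '2019-09-20T10:00:03Z 10.0.0.5 GET http://landing.unknown-host.test/probe.swf 200 '
    '"http://landing.unknown-host.test/index.php" "application/x-shockwave-flash"',
    '2019-09-20T10:00:10Z 10.0.0.7 GET http://www.example-news.test/other 200 "" "text/html"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.client} {alert.reason}: {alert.url}")
```

Running the script prints two alerts for client 10.0.0.5: the hop from the ad network to the unlisted landing host, and the Flash object served from that host. In practice the allow-list would come from the web filter's category data rather than a hard-coded set, and the Flash rule only matters on endpoints that still have Flash Player installed; the point of the two rules is to surface the redirect and probe stages before a payload is downloaded, which is exactly where ad blocking and web filtering cut the chain.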