The exploit kit scene these days strongly resembles a sinking ship—with very few survivors, struggling to keep themselves afloat. The shutdown of high-profile players such as Angler and Nuclear, as well as other popular kits like Magnitude opting for a private distribution model where only select clients are allowed access, has meant that the exploit kit landscape’s struggle for a fresh lease of life and variety continues.
Even as exploit kits continue with their struggle for resurgence, one aspect that has remained constant throughout has been the use of popular and effective redirection mechanisms to redirect unsuspecting users to exploit kit servers, with two of the most popular being the pseudo-Darkleech and EITest campaigns. But how have these campaigns fared with the recent changes in the exploit kit landscape?
The name pseudo-Darkleech comes from the Apache Darkleech module, which is available on the dark web. The pseudo-Darkleech redirection methodology is simple: compromise websites by exploiting content management system vulnerabilities and insert a conditional redirection script on the site’s pages. The conditional redirection depends on a host of factors, including the geolocation of the victim. The redirection script varies from a simple iFrame injection to a highly obfuscated script that ultimately does just one thing: redirect website visitors to an exploit kit.
The first instance of the pseudo-Darkleech campaign came to the fore around 2012 when the pseudo-Darkleech script started redirecting users to the Angler exploit kit. After the demise of Angler, and several other threat groups, in the second half of 2016, the pseudo-Darkleech campaign started redirecting victims to the newly crowned top kit, Neutrino. After Neutrino began using a private distribution model, the campaign shifted to the RIG exploit kit. So even as exploit kits disappeared or became more selective with their customers, the redirection campaigns continued unabated…until now.
Figure 1. The pseudo-Darkleech script redirecting to the RIG exploit kit
From roughly May 9 onwards, we have observed a significant drop-off in pseudo-Darkleech redirections to exploit kits.
Figure 2. A significant drop-off in pseudo-Darkleech redirections to exploit kits
Whether this means the end of the road for this long-running campaign or that the actors behind it are just trying out new features and will return with a more advanced version, only time will tell.
Along with pseudo-Darkleech, the EITest campaign has been a primary source of exploit kit redirections. Like pseudo-Darkleech, the EITest story started with Angler and progressed to RIG. Whether using a Flash file to fingerprint its victims, or just injecting an iFrame into a compromised website, the campaign continued to redirect visitors to exploit kit servers.
Figure 3. EITest using a Flash file to redirect to the Neutrino exploit kit
Figure 4. EITest redirecting to the RIG exploit kit
In the first half of 2017, the actors behind the EITest campaign began employing social engineering to target mainly Google Chrome users. EITest makes a compromised web page unreadable and then presents the visitor with a pop-up dialogue requesting them to download a font file to be able to view the page, however the file is actually malware.
Figure 5. EITest uses social engineering to trick users into downloading malware
The interesting aspect of this story is, while the instances of these EITest social engineering attacks have been on the rise, the redirections to exploit kits have been steadily declining.
Figure 6. EITest social engineering attacks are on the rise while redirections to exploit kits are declining
Does this indicate a permanent shift from exploit kits to social engineering for this campaign? In the face of low infection rates from exploit kits and the lack of new browser or browser plugin exploits, this seems to be the most plausible explanation.
However, does the decline in these redirection campaigns mean that exploit kit activity is also declining? Unfortunately not. Our telemetry suggests an increasing trend in malvertisement redirections to various exploit kits such as RIG, with a decline in older campaigns such as pseudo-Darkleech and EITest.
Figure 7. Redirections to RIG show malvertisement is the preferred choice over pseudo-Darkleech and EITest
Although redirection from campaigns such as pseudo-Darkleech and EITest have declined, exploit kits continued to stay afloat using another effective redirection method, malicious advertisements. Though the successful infection rate with exploit kits is low these days as attackers continue to move to email as an infection vector, even one successful infection with a threat such as WannaCry (Ransom.Wannacry) could wreak havoc due to the malware’s ability to spread rapidly. Exploit kits, for the time being at least, remain a force to be reckoned with in the security threat landscape.
Symantec customers are proactively protected against these campaigns through the following Intrusion Prevention System (IPS) definitions: