
Criminals increasingly using malvertising to direct victims to exploit kits 

06-06-2017 08:56 AM

The exploit kit scene these days strongly resembles a sinking ship, with very few survivors struggling to keep themselves afloat. The shutdown of high-profile players such as Angler and Nuclear, together with other popular kits like Magnitude opting for a private distribution model in which only select clients are granted access, has meant that the exploit kit landscape continues to struggle for a fresh lease of life and for variety.

Even as exploit kits continue their struggle for resurgence, one aspect that has remained constant throughout has been the use of popular and effective mechanisms for redirecting unsuspecting users to exploit kit servers, two of the most popular being the pseudo-Darkleech and EITest campaigns. But how have these campaigns fared with the recent changes in the exploit kit landscape?

Pseudo-Darkleech

The name pseudo-Darkleech comes from the Apache Darkleech module, which is available on the dark web. The pseudo-Darkleech redirection methodology is simple: compromise websites by exploiting content management system vulnerabilities and insert a conditional redirection script on the site’s pages. The conditional redirection depends on a host of factors, including the geolocation of the victim. The redirection script varies from a simple iFrame injection to a highly obfuscated script that ultimately does just one thing: redirect website visitors to an exploit kit.
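As an added, defender-side illustration (not code from the original article): a small Python scanner that flags the two injection styles described above when run over a compromised site's HTML, a concealed off-site iframe and a packed inline script that hides its redirect target. The sample pages, host names and the scoring threshold are constructed assumptions for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers typical of packed redirect scripts; each occurrence raises the obfuscation score.
OBF_MARKERS = ("eval(", "unescape(", "fromCharCode(", "document.write(", "atob(")
ENCODED_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")  # long %XX / \xXX runs

def obfuscation_score(js):
    return sum(js.count(m) for m in OBF_MARKERS) + len(ENCODED_RUN.findall(js))

def _is_tiny(value):  # True for 1x1-pixel style dimensions ("1", "1px", "0")
    digits = re.match(r"\s*(\d+)", value or "")
    return bool(digits) and int(digits.group(1)) <= 2

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings, self._script_buf = site_host, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []  # collect inline JS until </script>
        elif tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            concealed = ((_is_tiny(a.get("width")) and _is_tiny(a.get("height")))
                         or "display:none" in style or "visibility:hidden" in style)
            if host and host != self.site_host and concealed:
                self.findings.append(("hidden-external-iframe", src))
    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            js = "".join(self._script_buf)
            if obfuscation_score(js) >= 3:  # threshold is an assumption for the example
                self.findings.append(("obfuscated-inline-script", js.strip()[:60]))
            self._script_buf = None

def scan_page(html, site_host):
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample pages (not captured from any real site); host names are placeholders.
CLEAN = '<html><body><iframe src="https://www.example.org/embed" width="600" height="400"></iframe></body></html>'
HIDDEN_IFRAME = '<html><body><p>news</p><iframe src="http://gate.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe></body></html>'
PACKED_SCRIPT = '<html><head><script>var p="%3C%69%66%72%61%6D%65%20%73%72%63";eval(unescape(p+String.fromCharCode(62)));document.write(unescape(p));</script></head></html>'
```

Each finding names the indicator type and the offending iframe source or a prefix of the script, which is what an analyst would pivot on when reviewing a site's pages.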

The first instance of the pseudo-Darkleech campaign came to the fore around 2012 when the pseudo-Darkleech script started redirecting users to the Angler exploit kit. After the demise of Angler, and several other threat groups, in the second half of 2016, the pseudo-Darkleech campaign started redirecting victims to the newly crowned top kit, Neutrino. After Neutrino began using a private distribution model, the campaign shifted to the RIG exploit kit. So even as exploit kits disappeared or became more selective with their customers, the redirection campaigns continued unabated…until now.

Figure 1. The pseudo-Darkleech script redirecting to the RIG exploit kit

From roughly May 9 onwards, we have observed a significant drop-off in pseudo-Darkleech redirections to exploit kits.

Figure 2. A significant drop-off in pseudo-Darkleech redirections to exploit kits

Whether this means the end of the road for this long-running campaign or that the actors behind it are just trying out new features and will return with a more advanced version, only time will tell.

EITest

Along with pseudo-Darkleech, the EITest campaign has been a primary source of exploit kit redirections. Like pseudo-Darkleech, the EITest story started with Angler and progressed to RIG. Whether using a Flash file to fingerprint its victims, or just injecting an iFrame into a compromised website, the campaign continued to redirect visitors to exploit kit servers.

Figure 3. EITest using a Flash file to redirect to the Neutrino exploit kit

Figure 4. EITest redirecting to the RIG exploit kit

In the first half of 2017, the actors behind the EITest campaign began employing social engineering to target mainly Google Chrome users. EITest makes a compromised web page unreadable and then presents the visitor with a pop-up dialogue asking them to download a font file in order to view the page; the file is actually malware.

Figure 5. EITest uses social engineering to trick users into downloading malware

The interesting aspect of this story is that, while instances of these EITest social engineering attacks have been on the rise, redirections to exploit kits have been steadily declining.

Figure 6. EITest social engineering attacks are on the rise while redirections to exploit kits are declining

Does this indicate a permanent shift from exploit kits to social engineering for this campaign? In the face of low infection rates from exploit kits and the lack of new browser or browser plugin exploits, this seems to be the most plausible explanation.

However, does the decline in these redirection campaigns mean that exploit kit activity is also declining? Unfortunately not. Our telemetry suggests an increasing trend in malvertisement redirections to various exploit kits such as RIG, with a decline in older campaigns such as pseudo-Darkleech and EITest.

Figure 7. Redirections to RIG show malvertisement is the preferred choice over pseudo-Darkleech and EITest

Although redirections from campaigns such as pseudo-Darkleech and EITest have declined, exploit kits have stayed afloat using another effective redirection method: malicious advertisements. Though the successful infection rate of exploit kits is low these days as attackers continue to move to email as an infection vector, even one successful infection with a threat such as WannaCry (Ransom.Wannacry) could wreak havoc because of the malware’s ability to spread rapidly. Exploit kits, for the time being at least, remain a force to be reckoned with in the security threat landscape.

Protection

Symantec customers are proactively protected against these campaigns through the following Intrusion Prevention System (IPS) definitions:


Comments

06-30-2017 01:02 PM

Great article. Found this on another page.

Chain of events

Successful infections by the pseudo-Darkleech campaign have generally followed a set sequence of events. This happens regardless of the EK used or the payload delivered. The sequence is:

  • Step 1: Victim host views a compromised website with malicious injected script.
  • Step 2: The injected script generates an HTTP request for an EK landing page.
  • Step 3: The EK landing page determines if the computer has any vulnerable browser-based applications.
  • Step 4: The EK sends an exploit for any vulnerable applications (for example, out-of-date versions of Internet Explorer or Flash player).
  • Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process.
  • Step 6: The victim’s host is infected by the malware payload.

06-23-2017 08:58 AM

Good information - thanks.

06-12-2017 09:45 AM

We really need to look at shifting from email to another communication method since attackers are moving more and more to this method.

It appears to me that email is not effective as it used to be.  I get 100s of emails daily that are from newsletters, spam, malicious intent etc. and I don't take the time to parse it all so usually it just gets purged.

Email for the business world is highly utilized and this is why attackers keep targeting it, but what if we take that away?

06-08-2017 09:26 AM

Great article @Symantec!

When having end users that are not highly educated on how to safely search the web, this is something that happens often (especially in my environment). If an end user sees something that looks even somewhat legitimate (because a site's/pop-up's icon looks like Google or something), then they will click it... That's why it's important to try and educate end users and have the right protection (IPS) to protect against it; having a decent proxy works too. :)

06-08-2017 08:58 AM

We just all need to become as witty as them in order to thwart future attempts. You have to think like them and anticipate all these possible attack vectors.

End user education is the next best thing.


Very good detailed article.

Thanks Symantec

06-07-2017 01:18 PM

Makes the use of virtual machines which are reset after each usage a logical tool to adopt on a regular basis.

With the number of IOT devices with minimal security appearing in homes, the problem will only get worse.

06-06-2017 05:26 PM

I used to click on the links in spam emails to see what the latest scams were until we got a cryptolocker virus at work from a legitimate work related website that sailed through three up-to-date top tier virus scanners.

Outlook catches these well and redirects them to junk without formatting so I can see the URL, which is often a compromised legitimate site. Is there any way to report these?

06-06-2017 03:51 PM

This is bad for businesses with so many people behind a content server. Attacker just needs one popped proxy to own many more hosts behind it. The decline could be that they have the infection spread they want for a certain purpose. They probably run them in small batches to avoid detection.

06-06-2017 02:51 PM

Users have to be careful what they click on because they never know where they will be redirected to. These kits are cheap and easy to implement for the most part.
