Article by Rick Holland, VP Strategy at Digital Shadows
Exploit kit activity is waning. Collectively these malware distribution tools used to be a prominent method of infection. They rely on compromised websites, malicious adverts and social engineering to direct web traffic to their landing pages and attempt the exploitation of vulnerable software.
Operated by various actors and groups, exploit kits possess different features, use different exploits and distribute different malware to victims. Since June 2016 at least four of the major players in this area have ceased to be active. In this blog, I wanted to explore which exploit kits are still around and propose some plausible scenarios for the future of the exploit kit landscape.
Before we look at the active kits, let’s take a moment to remember those that have gone on to greener pastures (at least for now, some kits have a habit of rising from the dead). Note I’ve only referenced the major players from the last two years in this section:
Despite these disappearances, the exploit kit landscape still represents a threat. Using mentions of exploit kits made by security researchers across social media and blogs, we can form an indication of how active each exploit kit actually is. In the graph below, we can see that the RIG exploit kit has been mentioned most frequently from June until the time of writing, indicating it is likely to be the most prominent. All of the other kits shown in the graph, with the exception of Neutrino, still had some activity associated with them, which showed they were still being deployed in the wild. Nevertheless, the rate at which they were detected and reported by researchers suggested they were likely less prevalent overall.
Researcher mentions of exploit kit detections on social media and blog sites can provide reasonable insight into levels of exploit kit activity. Considering the findings, we assess it is highly likely that the threat posed by EKs is lower overall than it was in June 2016, and even at the start of 2017. However, some exploit kits remain active and, depending on the number of operators using them or the scale of the campaigns, the threat still remains. Exploit kits typically rely on out-of-date browsers or browser plugins, so the primary mitigation for this threat is to ensure patches are applied as soon as possible. In particular, exploit kit authors favor remote code execution exploits; our previous analysis of exploit kit payloads demonstrates this.
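The mention-counting approach behind the graph is simple to reproduce. The script below is an added illustration, not Digital Shadows' own tooling: it takes a list of constructed (date, source, text) records standing in for researcher posts, collapses verbatim re-shares so a retweeted report is not counted twice, matches kit names with word-boundary patterns (so "RIG-v" folds into RIG and "rig" inside another word does not match), and tallies distinct mentions per kit inside a date window. The kit patterns, sample posts and window dates are all assumptions chosen for the demonstration.

```python
"""Tally researcher mentions of exploit kits per kit within a time window.

Added illustration of the mention-counting approach described in the post;
the records below are constructed, not real social media posts.
"""
from collections import Counter
from datetime import date
import re

# Kit name patterns (assumed for the example). Word boundaries keep "rig" from
# matching inside other words; the optional "-v" suffix folds "RIG-v" reports into RIG.
KIT_PATTERNS = {
    "RIG": re.compile(r"\brig(?:-v)?\b", re.IGNORECASE),
    "Neutrino": re.compile(r"\bneutrino\b", re.IGNORECASE),
    "Magnitude": re.compile(r"\bmagnitude\b", re.IGNORECASE),
}

# Constructed sample records: (date, source, text). Not real posts.
SAMPLE_MENTIONS = [
    (date(2017, 6, 3), "twitter", "RIG EK dropping ransomware via malvertising today"),
    (date(2017, 6, 3), "twitter", "RT: RIG EK dropping ransomware via malvertising today"),  # re-share
    (date(2017, 6, 9), "blog", "Rig exploit kit still pushing payloads; RIG-v variant seen"),
    (date(2017, 6, 12), "twitter", "Magnitude EK observed, geofenced to one region"),
    (date(2017, 6, 20), "blog", "RIG-v campaign update"),
    (date(2017, 5, 28), "twitter", "Neutrino EK traffic spotted"),       # before the June window
    (date(2017, 7, 1), "twitter", "Quiet week: no new landing pages"),  # names no kit
]

WINDOW_START = "2017-06-01"  # assumed window, mirroring "from June until the time of writing"


def normalise(text):
    """Strip a leading RT marker and whitespace so verbatim re-shares collapse into one record."""
    text = re.sub(r"^(?:RT\b[:\s]*)", "", text.strip(), flags=re.IGNORECASE)
    return " ".join(text.lower().split())


def _as_date(value):
    """Accept either a date or an ISO 8601 string for window bounds."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def count_mentions(records, since, until=None):
    """Return a Counter of kit -> number of distinct records naming that kit in [since, until]."""
    since, until = _as_date(since), _as_date(until)
    seen = set()
    counts = Counter()
    for when, _source, text in records:
        if when < since or (until is not None and when > until):
            continue
        key = (when, normalise(text))
        if key in seen:          # duplicate re-share of the same report on the same day
            continue
        seen.add(key)
        for kit, pattern in KIT_PATTERNS.items():
            if pattern.search(text):
                counts[kit] += 1  # a record naming a kit twice still counts once
    return counts


def rank_kits(records, since, until=None):
    """Kits ordered from most to least mentioned; kits with no mentions are listed last."""
    counts = count_mentions(records, since, until)
    order = sorted(KIT_PATTERNS, key=lambda kit: (-counts.get(kit, 0), kit))
    return [(kit, counts.get(kit, 0)) for kit in order]


if __name__ == "__main__":
    for kit, n in rank_kits(SAMPLE_MENTIONS, WINDOW_START):
        print(f"{kit:10s} {n}")
```

On the constructed sample this ranks RIG first with three distinct mentions, Magnitude second with one, and Neutrino last with none inside the window, which is the shape of result the post draws from real researcher reporting. Deduplicating re-shares matters: without it, a single widely retweeted report would inflate a kit's apparent activity.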
The reasons for these disappearances were unconfirmed in most cases, but at least one EK developer was reported to have claimed it was no longer profitable.
There were a number of other possible alternatives for this overall decline, including law enforcement action or the relatively resource intensive nature of exploit kit operations. Running these operations can be laborious:
Furthermore, exploit kit operators contend with advert blockers, software updates and blacklists which all degrade the rates of successful exploitation. All of these factors suggest a realistic possibility that exploit kit developers or operators no longer consider them to be profitable. At a time when spam phishing campaigns were frequently used to distribute ransomware, a demonstrably lucrative type of malware, distributing malware via exploit kits is almost certainly highly resource intensive by comparison. We’ve recently seen actors experimenting with malware propagation within internal networks, shown by the TrickBot and Emotet banking trojans, which represents another method of spreading malware to multiple devices.
Based on the exploit kit trends we have observed over the last year, it is a realistic possibility that these tools will continue to be used less frequently as part of malware distribution in the long term. The use of large quantities of phishing emails containing document attachments with embedded scripts to download malware has proven highly popular and successful in the last year. Therefore, threat actors could move from exploit kits to malware distribution using this type of method. However, there are multiple scenarios to consider:
Scenarios are useful because they provide us with indicators to look for when examining threat landscapes. While it’s not always possible to say with full confidence how the future might look, the thought exercise itself can be useful. Despite these potential scenarios, exploit kits will almost certainly continue to remain a threat in the immediate future.