It has been a busy couple of months for the web’s most notorious exploit kits (EKs). Back in September, researchers detected a ransomware attack that leveraged outdated content management systems (CMS) to redirect user traffic to malicious domains hosting the Neutrino exploit kit and Teslacrypt ransomware.
Another ransomware attack showed up on researchers’ radar a few months later, this time involving the Angler exploit kit and Cryptowall 4.0. With this level of activity in mind, it is no wonder that Neutrino and RIG, another exploit kit, rang in 2016 by incorporating some new tactics, payloads and servers into their attacks.
As the campaigns discussed above suggest, exploit kits are a significant force behind the rise of computer crime. The threat is at least partly due to the fact that exploit kits are no longer confined to individual criminals. Instead, an emerging crimeware-as-a-service model now allows individuals with little technical expertise to buy or rent Angler, Neutrino, RIG and others.
Undoubtedly, such dealings contribute to exploit kits’ activity, which has increased over the past few years and will likely continue to grow for years to come.
If we are to confront the ongoing threat posed by exploit kits, it is important for us to understand the exploit kits-as-a-service model in greater detail. Heimdal Security recently published a blog post exploring why this model has emerged.
The answer ultimately comes down to four contributing factors:
Factor #1: Ease of Use
One of the central selling points of an exploit kit-as-a-service package is its ease of use. Everything comes pre-coded, and customers can use a built-in dashboard with user-friendly web interfaces to tweak an attack campaign to fit their needs.
In some cases, if users are really struggling, they have the option of contacting a technical support representative, who can assist them with configuring the kit and/or unlocking more advanced features.
Factor #2: Cheapness, Cost-Efficiency, and “Cha-Ching”
Another key factor behind the rise of the exploit kits-as-a-service model is the way individual packages are marketed. Most kits are available both for purchase and for rent, thereby fitting into the budget of almost any computer criminal. Additionally, they are designed to provide a steady flow of traffic to an infected site.
This ensures that customers can expect to receive a high return on their investment, especially if they go with one of the more notorious contenders in the field, such as Angler or Neutrino. Finally, many packages offer pay-per-install plans, in which customers need to pay only for each successful malware infection caused by the kit.
Factor #3: Flexibility
Exploit kits-as-a-service packages also offer computer criminals flexibility in fitting the needs of a particular attack campaign. Most kits come with multiple configurations and add-ons, and this customizability is complemented by the fact that attackers can use their own malware as the attack’s main payload.
Customers, therefore, have the option of using an exploit kit to lock victims out of their computers (via ransomware), harvest credentials (via banking trojans), enlist infected machines into a botnet, or conduct targeted attacks.
All of this is made possible by a built-in list of vulnerabilities found in web browsers, Adobe Flash, and other programs that each kit is capable of exploiting.
Factor #4: Stealth
Exploit kits-as-a-service packages mean little if they expose the operator. With that in mind, most kits integrate various methods to evade detection by traditional antivirus software. These include polymorphic droppers (the piece of code that installs the malware on the victim’s computer, which is changed daily so that signature-based scanners do not recognize it) and the use of Bitcoin as the form of payment in ransomware-based attacks.
Given their ease of use, marketing benefits, flexibility and stealth, it’s safe to say exploit kits-as-a-service will continue to appeal to computer criminals well into the future.
With this in mind, it is important that ordinary users protect themselves against these threats by applying software patches as soon as they become available, keeping an up-to-date antivirus solution on their machines, and exercising caution around suspicious links.
Title image courtesy of ShutterStock