Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

mood · Nov 26, 2019

Exploit kits: fall 2019 review
November 19, 2019
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/

Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we’re seeing new exploit kits emerge.
Based on our telemetry, these drive-bys are happening worldwide (with the exception of a few that are geo-targeted) and are fueled by malvertising most often found on adult websites.

Even though the weaponized vulnerabilities remain fairly old, we’ve observed a growing number of exploit kits go for fileless attacks instead of the more traditional method of dropping a payload on disk. This is an interesting trend that makes sample sharing more difficult and possibly increases infection rates by evading some security products.
Click to expand...

Vulnerabilties
Internet Explorer’s CVE-2018-8174 and Flash Player’s CVE-2018-15982 are the most common vulnerabilities, while the older CVE-2018-4878 (Flash) is still used by some EKs. It’s worth noting we’re seeing some exploit kits no longer using Flash, while others are relying on much older vulnerabilities. [...]
Click to expand...

Fall 2019 overview

Spelevo EK

Fallout EK

Magnitude EK

RIG EK

GrandSoft EK

Underminer EK

KaiXin EK

Purplefox EK

Capesand EK

mood · Nov 26, 2019

Exploit kits turn to fileless malware to evade security tools
November 26, 2019
https://www.scmagazineuk.com/exploit-kits-turn-fileless-malware-evade-security-tools/article/1667023

Although Internet Explorer’s market share is dropping rapidly (now around 4.9 percent of the market), the browser is still under active attack, with new EK’s being developed, according to data from Malwarebytes.

"Even though the weaponised vulnerabilities remain fairly old, we’ve observed a growing number of exploit kits go for fileless attacks instead of the more traditional method of dropping a payload on disk. [...]", said Jérôme Segura, Malwarebytes malware analyst in a blogpost.
The exploit kits relying on this fileless include Magnitude, Underminer, and Purple Fox.

One theory behind the continued activity in a declining market (IE browser share) is that many installs of IE are within tightly-controlled enterprise environments [...] Whatever the explanation, the threat of EK’s remains significant and an ongoing trend.

"In the past quarter, we’ve observed sustained malvertising activity and a diversity of malware payloads served. We can probably expect this trend to continue and perhaps even see new frameworks pop up. Even if it remains remote, we can’t discard the possibility of an exploit kit targeting one of the newer browsers", summarised Segura.
Click to expand...

Minimalist · Jun 24, 2020

Magnitude exploit kit – evolution

Exploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash because it’s just a plugin for a web browser, meaning that even if the user has an up-to-date browser, there’s a non-zero chance that Adobe Flash may still be vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browser and has pretty much been replaced with open standards such as HTML5, WebGL, WebAssembly. The decline of exploit kits can be linked to the decline of Adobe Flash, but exploit kits have not disappeared completely. They have adapted and switched to target users of Internet Explorer without the latest security updates installed.
Click to expand...

https://securelist.com/magnitude-exploit-kit-evolution/

Rasheed187 · Jun 27, 2020

Minimalist said: ↑

Magnitude exploit kit – evolution

https://securelist.com/magnitude-exploit-kit-evolution/
Click to expand...

So basically exploit kits are pretty much dead, because who cares about IE. I have to say kuddos to browser developers, because sandboxes combined with ad-blockers have made it very hard to exploit modern browsers.

Log in or Sign up

Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

mood Updates Team

mood Updates Team

Minimalist Registered Member

Rasheed187 Registered Member

AcidBox Malware Uncovered Using Repurposed VirtualBox Exploit

Underground market of phishing kits is booming, prices skyrocketed in 2019 by 149%

Cybercriminals now using malware and adware to exploit virtual meeting apps

February 2020’s Most Wanted Malware: Increase in Exploits Spreading the Mirai Botnet to IoT Devices

Malicious files evading email security products

Log in or Sign up

Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

mood Updates Team

mood Updates Team

Minimalist Registered Member

Rasheed187 Registered Member

AcidBox Malware Uncovered Using Repurposed VirtualBox Exploit

Underground market of phishing kits is booming, prices skyrocketed in 2019 by 149%

Cybercriminals now using malware and adware to exploit virtual meeting apps

February 2020’s Most Wanted Malware: Increase in Exploits Spreading the Mirai Botnet to IoT Devices

Malicious files evading email security products

Useful Searches