Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

mood · Nov 26, 2019

Exploit kits: fall 2019 review
November 19, 2019
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/

Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we’re seeing new exploit kits emerge.
Based on our telemetry, these drive-bys are happening worldwide (with the exception of a few that are geo-targeted) and are fueled by malvertising most often found on adult websites.

Even though the weaponized vulnerabilities remain fairly old, we’ve observed a growing number of exploit kits go for fileless attacks instead of the more traditional method of dropping a payload on disk. This is an interesting trend that makes sample sharing more difficult and possibly increases infection rates by evading some security products.
Click to expand...

Vulnerabilties
Internet Explorer’s CVE-2018-8174 and Flash Player’s CVE-2018-15982 are the most common vulnerabilities, while the older CVE-2018-4878 (Flash) is still used by some EKs. It’s worth noting we’re seeing some exploit kits no longer using Flash, while others are relying on much older vulnerabilities. [...]
Click to expand...

Fall 2019 overview

Spelevo EK

Fallout EK

Magnitude EK

RIG EK

GrandSoft EK

Underminer EK

KaiXin EK

Purplefox EK

Capesand EK

mood · Nov 26, 2019

Exploit kits turn to fileless malware to evade security tools
November 26, 2019
https://www.scmagazineuk.com/exploit-kits-turn-fileless-malware-evade-security-tools/article/1667023

Although Internet Explorer’s market share is dropping rapidly (now around 4.9 percent of the market), the browser is still under active attack, with new EK’s being developed, according to data from Malwarebytes.

"Even though the weaponised vulnerabilities remain fairly old, we’ve observed a growing number of exploit kits go for fileless attacks instead of the more traditional method of dropping a payload on disk. [...]", said Jérôme Segura, Malwarebytes malware analyst in a blogpost.
The exploit kits relying on this fileless include Magnitude, Underminer, and Purple Fox.

One theory behind the continued activity in a declining market (IE browser share) is that many installs of IE are within tightly-controlled enterprise environments [...] Whatever the explanation, the threat of EK’s remains significant and an ongoing trend.

"In the past quarter, we’ve observed sustained malvertising activity and a diversity of malware payloads served. We can probably expect this trend to continue and perhaps even see new frameworks pop up. Even if it remains remote, we can’t discard the possibility of an exploit kit targeting one of the newer browsers", summarised Segura.
Click to expand...

Log in or Sign up

Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

mood Updates Team

mood Updates Team

Exploit Kit Starts Pushing Malware Via Fake Adult Sites

Reminder: Malware Can Exploit Improper Configurations

Glimpse malware uses alternative DNS to evade detection

Legitimate TDS Platform Abused to Push Malware via Exploit Kits

‘Purple Fox’ Fileless Malware Delivered by Rig Exploit Kit Now Abuses PowerShell

Log in or Sign up

Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

mood Updates Team

mood Updates Team

Exploit Kit Starts Pushing Malware Via Fake Adult Sites

Reminder: Malware Can Exploit Improper Configurations

Glimpse malware uses alternative DNS to evade detection

Legitimate TDS Platform Abused to Push Malware via Exploit Kits

‘Purple Fox’ Fileless Malware Delivered by Rig Exploit Kit Now Abuses PowerShell

Useful Searches