Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

guest · Nov 26, 2019

Exploit kits: fall 2019 review
November 19, 2019
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/11/exploit-kits-fall-2019-review/

Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we’re seeing new exploit kits emerge.
Based on our telemetry, these drive-bys are happening worldwide (with the exception of a few that are geo-targeted) and are fueled by malvertising most often found on adult websites.

Even though the weaponized vulnerabilities remain fairly old, we’ve observed a growing number of exploit kits go for fileless attacks instead of the more traditional method of dropping a payload on disk. This is an interesting trend that makes sample sharing more difficult and possibly increases infection rates by evading some security products.
Click to expand...

Vulnerabilties
Internet Explorer’s CVE-2018-8174 and Flash Player’s CVE-2018-15982 are the most common vulnerabilities, while the older CVE-2018-4878 (Flash) is still used by some EKs. It’s worth noting we’re seeing some exploit kits no longer using Flash, while others are relying on much older vulnerabilities. [...]
Click to expand...

Fall 2019 overview

Spelevo EK

Fallout EK

Magnitude EK

RIG EK

GrandSoft EK

Underminer EK

KaiXin EK

Purplefox EK

Capesand EK

guest · Nov 26, 2019

Exploit kits turn to fileless malware to evade security tools
November 26, 2019
https://www.scmagazineuk.com/exploit-kits-turn-fileless-malware-evade-security-tools/article/1667023

Although Internet Explorer’s market share is dropping rapidly (now around 4.9 percent of the market), the browser is still under active attack, with new EK’s being developed, according to data from Malwarebytes.

"Even though the weaponised vulnerabilities remain fairly old, we’ve observed a growing number of exploit kits go for fileless attacks instead of the more traditional method of dropping a payload on disk. [...]", said Jérôme Segura, Malwarebytes malware analyst in a blogpost.
The exploit kits relying on this fileless include Magnitude, Underminer, and Purple Fox.

One theory behind the continued activity in a declining market (IE browser share) is that many installs of IE are within tightly-controlled enterprise environments [...] Whatever the explanation, the threat of EK’s remains significant and an ongoing trend.

"In the past quarter, we’ve observed sustained malvertising activity and a diversity of malware payloads served. We can probably expect this trend to continue and perhaps even see new frameworks pop up. Even if it remains remote, we can’t discard the possibility of an exploit kit targeting one of the newer browsers", summarised Segura.
Click to expand...

Minimalist · Jun 24, 2020

Magnitude exploit kit – evolution

Exploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash because it’s just a plugin for a web browser, meaning that even if the user has an up-to-date browser, there’s a non-zero chance that Adobe Flash may still be vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browser and has pretty much been replaced with open standards such as HTML5, WebGL, WebAssembly. The decline of exploit kits can be linked to the decline of Adobe Flash, but exploit kits have not disappeared completely. They have adapted and switched to target users of Internet Explorer without the latest security updates installed.
Click to expand...

https://securelist.com/magnitude-exploit-kit-evolution/

Rasheed187 · Jun 27, 2020

Minimalist said: ↑

Magnitude exploit kit – evolution

https://securelist.com/magnitude-exploit-kit-evolution/
Click to expand...

So basically exploit kits are pretty much dead, because who cares about IE. I have to say kuddos to browser developers, because sandboxes combined with ad-blockers have made it very hard to exploit modern browsers.

Rasheed187 · Oct 24, 2021

BTW, after quite a while, hackers are trying to exploit Chrome again via exploit-kits. Avast thinks they may eventually try to load ransomware on the system via a couple of holes in Chrome and Windows.

Of course you can use protection tools like MBAE, HMPA, OSArmor and Sandboxie against this stuff, besides your AV of course. And these particular holes are already patched, but hackers can also use zero days.

https://twitter.com/AvastThreatLabs/status/1450476708939767815

guest · Oct 24, 2021

Rasheed187 said: ↑

BTW, after quite a while, hackers are trying to exploit Chrome again via exploit-kits. Avast thinks they may eventually try to load ransomware on the system via a couple of holes in Chrome and Windows.
Click to expand...

Magnitude EK Expands Arsenal With PuzzleMaker Exploit Chain
October 20, 2021
https://www.securityweek.com/magnitude-ek-expands-arsenal-puzzlemaker-exploit-chain

Exploit kits such as Magnitude are known for expanding their arsenal with new browser or plugin exploits in a timely fashion, but for years they have mainly focused on Microsoft’s Internet Explorer and left other browsers aside.

This, however, changed when Magnitude added to its arsenal exploits for CVE-2021-21224 and CVE-2021-31956, two vulnerabilities that affect Google’s Chrome browser and Microsoft’s Windows platform, respectively.
Click to expand...

On Tuesday, Avast’s security researchers took to Twitter to raise the alarm on Magnitude now targeting the Chrome and Windows vulnerabilities in a new wave of attacks.

“The attacks we have seen so far are targeting only Windows builds 18362, 18363, 19041, and 19042 (19H1–20H2). Build 19043 (21H1) is not targeted. The exploit for CVE-2021-31956 contains hardcoded syscall numbers relevant just for these builds,” Avast said.
For the time being, the activity doesn’t appear to involve the use of a malicious payload, although it does lead to the victim’s Windows build number being exfiltrated.
Click to expand...

Rasheed187 · Oct 25, 2021

mood said: ↑

Magnitude EK Expands Arsenal With PuzzleMaker Exploit Chain
October 20, 2021
https://www.securityweek.com/magnitude-ek-expands-arsenal-puzzlemaker-exploit-chain
Click to expand...

Thanks, I read it on some Dutch website. But now that I think of it, would be interesting to know if they try to lure people into visiting websites, or if they try to make use of malvertising. Of course adblockers would most likely help to protect against this.

Log in or Sign up

Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

guest Guest

guest Guest

Minimalist Registered Member

Rasheed187 Registered Member

Rasheed187 Registered Member

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Exploit kits: fall 2019 review – Exploit kits turn to fileless malware to evade security tools

guest Guest

guest Guest

Minimalist Registered Member

Rasheed187 Registered Member

Rasheed187 Registered Member

guest Guest

Rasheed187 Registered Member

Useful Searches