Exploit kits: winter 2019 review

Active malvertising campaigns in December and the new year have kept exploit kit activity from hibernating in winter 2019. We mostly observed Fallout and RIG with the occasional, limited GrandSoft appearance for wider geo-targeting.
In addition, narrowly-focused exploit kits such as Magnitude, Underminer, and GreenFlash Sundown stayed on the same track: delivering ransomware to mostly Asian countries, and South Korea in particular.
Winter 2019 overview
Fallout EK
RIG EK
GrandSoft EK
Magnitude EK
Underminer EK
GreenFlash Sundown EK
Internet Explorer’s CVE-2018-8174 and Flash’s CVE-2018-4878 continue to be the most common vulnerabilities across the board, even though a couple of exploit kits have now integrated the newer Flash CVE-2018-15982.
Fallout EK
Fallout keeps bringing fresh air into an otherwise stale atmosphere by introducing new features and even adopting newer vulnerabilities. It also appears to be a good experimental framework for some actors who have customized the payload delivery. Fallout was the second exploit kit to add CVE-2018-15982, a more recent vulnerability for the Flash Player.

RIG EK
Good old RIG is still kicking around, but has taken a back seat to the newer Fallout in many of the malvertising chains we track, except perhaps for Fobos. There haven’t been any notable changes to report since we last reviewed it.


GrandSoft EK
GrandSoft and its Ramnit payload still go hand-in-hand via limited distribution tied to compromised websites. It is perhaps one of the least sophisticated exploit kits on the market right now.

Magnitude EK
Meanwhile, Magnitude EK is active and served up via malvertising chains, with a focus on some APAC countries like South Korea. Magnitude continues to deliver its fileless Magniber ransomware payload.

Underminer EK
Underminer’s over-the-top encryption schemes to hide its exploits are keeping us researchers honest when trying to identify exactly what is under the hood. It’s worth noting that only a few days after the Flash zero-day and Proof of Concept (PoC) had been published (CVE-2018-15982), Underminer was already implementing it.

GreenFlash Sundown EK
Also a geo-specific exploit kit, GreenFlash Sundown has been delivering various breeds of ransomware to targets in Asia. In our latest capture, we saw it drop the Seon ransomware on South Korean users.

Mitigation
While timely patching and avoidance of Internet Explorer as a web browser would offer protection against the above-mentioned exploit kits, the reality is that many users (especially in corporate environments) are still trailing behind. In addition, while IE is being phased out in North America, it’s still highly adopted in Asian countries—which explains why they are currently being targeted.
Malwarebytes’ anti-exploit technology blocks each of these exploit kits—Fallout, RIG, GrandSoft, Magnitude, Underminer, and GreenFlash Sundown—before they even have a chance to drop their payload.

As we move further into 2019, we can say that exploit kits, while nowhere near their peak activity in 2017, are still hanging on, being used primarily in malvertising distribution campaigns. In terms of global activity, Fallout is leading the charge, providing the most diverse campaigns and payloads. Meanwhile, the Asia-specific EKs are for the most part continuing on with their usual pattern of driving innovation (to a degree) and distributing ransomware.
The post Exploit kits: winter 2019 review appeared first on Malwarebytes Labs.