Analyzing monthly exploit kit encounters in 2016, Microsoft has said that exploit kits pose a major threat to PCs running unpatched software. Over the past year attackers used exploit kits, often reached through malvertising, to deliver some of the most prominent threats to victims' PCs, including ransomware.
Once a victim's browser reaches the kit, the exploit kit collects information on the victim PC (such as the browser and plugin versions), finds a vulnerability it can exploit, selects the matching exploit and delivers it. A successful exploit typically performs a silent drive-by download, fetching and executing malware files without any user action.
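The drive-by chain described above, seen from the defender's side. This is an added example, not code from Microsoft's report or from any exploit kit: it scans constructed web-proxy log lines and flags a client that fetches an HTML landing page, then a Flash object from the same host, then an executable download, all within a short window. The log format, host names, content types and the 30-second threshold are assumptions for illustration.

```python
"""Flag a landing-page -> Flash -> binary drive-by chain in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, host, path, response content-type.
# The first client shows the chain; the second fetches Flash and an installer
# minutes apart from different hosts, which should not be flagged.
SAMPLE_LOG = """\
2016-06-01T10:00:01 10.0.0.7 ads.example.net /serve?id=1 text/html
2016-06-01T10:00:03 10.0.0.7 landing.example.org /index.php?q=abc text/html
2016-06-01T10:00:04 10.0.0.7 landing.example.org /f.swf application/x-shockwave-flash
2016-06-01T10:00:06 10.0.0.7 landing.example.org /payload.bin application/octet-stream
2016-06-01T10:00:09 10.0.0.9 www.example.com / text/html
2016-06-01T10:00:11 10.0.0.9 www.example.com /video.swf application/x-shockwave-flash
2016-06-01T10:05:30 10.0.0.9 cdn.example.com /update.exe application/x-msdownload
"""

WINDOW = timedelta(seconds=30)  # assumed maximum gap between stages
FLASH_TYPES = {"application/x-shockwave-flash"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse(log_text: str):
    """Parse the constructed format into (time, client, host, path, content_type) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, client, host, path, ctype = line.split()
        events.append((datetime.fromisoformat(ts), client, host, path, ctype))
    return events


def find_chains(events):
    """Return (client, landing_host, flash_url, payload_url) for each suspicious chain.

    A chain is: an HTML response, then a Flash object from the same host within
    WINDOW, then an executable download from any host within WINDOW of the Flash.
    """
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[1]].append(ev)

    hits = []
    for client, evs in by_client.items():
        for i, (t_html, _, h_html, _, c_html) in enumerate(evs):
            if c_html != "text/html":
                continue
            for j in range(i + 1, len(evs)):
                t_flash, _, h_flash, p_flash, c_flash = evs[j]
                if t_flash - t_html > WINDOW:
                    break  # events are time-sorted, nothing later can match
                if c_flash not in FLASH_TYPES or h_flash != h_html:
                    continue
                for k in range(j + 1, len(evs)):
                    t_bin, _, h_bin, p_bin, c_bin = evs[k]
                    if t_bin - t_flash > WINDOW:
                        break
                    if c_bin in BINARY_TYPES:
                        hits.append((client, h_html, h_flash + p_flash, h_bin + p_bin))
    return hits


if __name__ == "__main__":
    for hit in find_chains(parse(SAMPLE_LOG)):
        print("possible exploit kit chain:", hit)
```

Only the first client is reported: its Flash object and payload come from the same landing host seconds apart, whereas the second client's installer download arrives more than five minutes after an unrelated Flash video. In production the same logic would key on referrer chains and proxy block lists as well, but the ordering and timing check alone already separates a drive-by from ordinary browsing.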
Exploit Kits continue to evolve
Exploit kits have been in use for more than a decade, and it should come as no surprise that kits still include exploits for vulnerabilities that were patched years ago. The reason is that a significant population of machines remains unpatched.
Another factor behind the ever growing use of exploit kits is that they are easily obtained from underground cybercriminal markets, whose operators continuously integrate new exploits in order to find more weaknesses in PCs.
The first half of 2016 saw a major upsurge in exploit kit infections, with Axpergle (also known as the Angler exploit kit) infecting around 100,000 machines monthly. This kit delivered 32- and 64-bit versions of Bedep, a backdoor that in turn downloads more complex and more dangerous malware, such as the information stealers Ursnif and Fareit.
Eventually, following the arrest of 50 hackers in Russia, Axpergle died out (see the image below), but cybercriminals came back with other alternatives.
The Neutrino exploit kit took over where Axpergle left off and was equally devastating until September 2016, after which it went "private", choosing to cater only to select cybercriminal groups.
Then came Meadgive (also known as the RIG exploit kit), which has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651. The exploit executes a JavaScript file, which then downloads an encrypted PE file. Although in lower volumes than its predecessors, Meadgive dominated the latter half of 2016.
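Meadgive's JavaScript stage is described above as downloading an encrypted PE file, so an analyst who captures that download has to recover the executable before examining it. The following added example (not Microsoft's code and not the kit's) brute-forces a single-byte XOR key by checking whether the decoded bytes start with an MZ header whose e_lfanew field points at the "PE\0\0" signature. The page does not say which encryption the kit used; single-byte XOR and the constructed sample blob are assumptions chosen to illustrate the header check, which carries over unchanged to other simple schemes.

```python
"""Recover a single-byte-XOR-encoded PE payload by validating the MZ/PE headers (added example)."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C  # offset of the 32-bit pointer to the PE header in the DOS stub


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header and e_lfanew points at a PE signature inside the buffer."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + len(PE_SIG) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIG)] == PE_SIG


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_pe(blob: bytes):
    """Try all 256 keys; return (key, decoded) for the first that yields a valid PE, else None.

    Checking the PE signature via e_lfanew, not just the two 'MZ' bytes, avoids
    false positives from keys that happen to produce 'MZ' at offset 0.
    """
    for key in range(256):
        candidate = xor_single(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal header: DOS stub with e_lfanew=0x80 and a PE signature there.

    This is not a runnable executable, only enough structure for the header check.
    """
    hdr = bytearray(0x80 + len(PE_SIG))
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, 0x80)
    hdr[0x80:0x80 + len(PE_SIG)] = PE_SIG
    return bytes(hdr)


# Constructed "captured payload": the fake header encoded with an assumed key.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_single(build_fake_pe(), SAMPLE_KEY)


if __name__ == "__main__":
    result = recover_pe(SAMPLE_BLOB)
    if result is None:
        print("no single-byte XOR key produced a PE header")
    else:
        key, decoded = result
        print(f"key=0x{key:02x}, decoded {len(decoded)} bytes, PE header valid")
```

Once the header validates, the decoded bytes can be handed to the usual PE tooling. If no key succeeds, the payload is using something other than single-byte XOR, and the next step is to read the JavaScript stage itself, which must contain the decryption routine it uses.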
Which countries are most infected by exploit kits?
Such was the domination of exploit kits that they hit machines in more than 200 countries in 2016. Here is a list of the most affected countries, with the US the most targeted:
- United States
- Canada
- Japan
- United Kingdom
- France
- Italy
- Germany
- Taiwan
- Spain
- Republic of Korea
Ransomware distributed via Exploit kits
With exploit kits proving successful, it was only a matter of time before attackers used them to spread ransomware. In December 2016, Microsoft found evidence of new Cerber ransomware versions being delivered through a Meadgive exploit kit campaign.
Microsoft further states on its TechNet blog:
“Neutrino, which temporarily dominated in 2016, is associated with another prominent ransomware family. Like Cerber, Locky also uses both exploit kits and spam email as vectors. With the decreased activity from Neutrino, we’re seeing Locky being distributed more and more through spam campaigns”.
Here is a list of the exploits and targeted products that have been on the exploit kits' radar:
Major exploits used by exploit kits
| Exploit | Targeted product | Exploit kit | Date patched | Date first seen in exploit kit |
| --- | --- | --- | --- | --- |
| CVE-2014-6332 | Microsoft Internet Explorer (OLE) | NeutrinoEK | November 11, 2014 (MS14-064) | November 19, 2014 |
| CVE-2015-8651 | Adobe Flash | Axpergle, NeutrinoEK, Meadgive, SteganoEK | December 28, 2015 (APSB16-01) | December 28, 2015 |
| CVE-2016-0189 | Microsoft Internet Explorer | NeutrinoEK | May 10, 2016 (MS16-051) | July 14, 2016 |
| CVE-2016-1019 | Adobe Flash | Pangimop, NeutrinoEK | April 7, 2016 (APSB16-10) | April 2, 2016 (zero-day) |
| CVE-2016-4117 | Adobe Flash | NeutrinoEK | May 12, 2016 (APSB16-15) | May 21, 2016 |
How to stay safe from Exploit Kits
To prevent or minimize the effect of exploit kits, keep browsers, browser plugins such as Flash, and other software up to date; as the table above shows, kits add exploits within days of a patch, and sometimes before it. Do not install software from unknown sources, and avoid clicking links or attachments in emails that look unfamiliar.