Cybercrime was once the domain of a tiny handful of people with excellent technical skills who used their abilities for malicious acts. Cybercrime has now grown into a multibillion-dollar business, with threat actors profiting from the sale of malware, ransomware, and exploit kits on Dark Web forums, the hidden part of the internet.
According to a survey conducted by the cyber threat intelligence firm Check Point Research, education and research were the sectors most affected by cyberattacks in 2021, with an average of 1,605 attacks per institution per week, a 75% increase from 2020.
Other sectors, such as government/military, experienced 1,136 attacks per week in 2021, an increase of 47% from 2020. The communication industry saw 1,079 cyberattacks per week, a jump of 51% over 2020. Africa experienced the highest number of attacks in 2021, with an average of 1,582 weekly attacks, an increase of 13% from 2020.
Exploit kits are a well-known technique cybercriminals use to attack victims’ devices, since they provide a covert way to breach systems through automated software. They can be sold for thousands of dollars on underground hacker forums.
Cybercriminals first reach users through initial infection vectors such as malvertising and spam emails. When a user clicks on the malicious link, they are routed to a hijacked website or a custom-built page. That page hosts an exploit kit that probes for known flaws in the browser or its plugins and, on successful exploitation, drops harmful software such as trojans, ransomware, and other malware on the victim’s PC.
Exploit kits were developed to let threat actors automate this sequence of steps, from the first redirect to the delivery of a malware payload, against vulnerable devices while their users browse the web.
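The chain described above (redirect, landing page, exploit against a browser plugin, payload download) leaves a recognisable footprint in web-proxy logs. The following is an added example, not code from the original article, of a heuristic detector for that chain; the log field layout, host names and content types are assumptions for illustration.

```python
# Added example (not from the article): heuristic detection of the exploit-kit
# infection chain in constructed web-proxy log lines. Field layout is assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, tab-separated: time, client, host, path, referer, content_type, status
SAMPLE_LOG = """\
2021-03-01T10:00:01\t10.0.0.5\tnews.example\t/article\t-\ttext/html\t200
2021-03-01T10:00:02\t10.0.0.5\tads-network.example\t/serve?id=123\thttp://news.example/article\ttext/javascript\t200
2021-03-01T10:00:03\t10.0.0.5\tlanding.example\t/index.php?q=abc\thttp://ads-network.example/serve?id=123\ttext/html\t200
2021-03-01T10:00:04\t10.0.0.5\tlanding.example\t/flash.swf\thttp://landing.example/index.php?q=abc\tapplication/x-shockwave-flash\t200
2021-03-01T10:00:06\t10.0.0.5\tlanding.example\t/payload.exe\thttp://landing.example/index.php?q=abc\tapplication/x-msdownload\t200
2021-03-01T10:05:00\t10.0.0.7\tintranet.example\t/setup.exe\t-\tapplication/x-msdownload\t200
"""

# Plugin content the kits of that era targeted (Flash, Java, Silverlight) and executable payload types.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive", "application/x-silverlight-app"}
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
WINDOW = timedelta(seconds=30)  # the payload normally follows the exploit within seconds

def parse_log(text):
    # Parse the tab-separated lines into dicts with a datetime timestamp.
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, referer, ctype, status = line.split("\t")
        rows.append({"ts": datetime.fromisoformat(ts), "client": client, "host": host,
                     "path": path, "referer": referer, "ctype": ctype, "status": int(status)})
    return rows

def find_ek_chains(rows):
    # Return (client, host) pairs where one host served a plugin object to a client and,
    # within WINDOW, an executable whose referer points back at that same host. That is
    # the landing page -> exploit -> payload sequence; a lone .exe download does not match.
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, plugin in enumerate(reqs):
            if plugin["ctype"] not in PLUGIN_TYPES or plugin["status"] != 200:
                continue
            for payload in reqs[i + 1:]:
                if payload["ts"] - plugin["ts"] > WINDOW:
                    break
                if (payload["ctype"] in BINARY_TYPES and payload["host"] == plugin["host"]
                        and plugin["host"] in payload["referer"]):
                    hits.append((client, plugin["host"]))
                    break
    return hits
```

Running `find_ek_chains(parse_log(SAMPLE_LOG))` flags only client 10.0.0.5 via landing.example; the intranet installer download for 10.0.0.7 is ignored because no plugin object preceded it.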
Exploit-kit-as-a-Service is a SaaS (Software as a Service) business model that allows people with less technical knowledge to buy or rent pre-developed exploit kits. Such kits compromise vulnerable systems, raising both the attackers’ income and the malware infection rate.
These factors have made exploit kits readily available to all users on underground hacker forums.
[Image: Workflow of Exploit Kits]
The Angler exploit kit was first identified in 2013 and quickly became one of the most prominent exploit kits used in cyberattacks, owing to its unique methods of spreading ransomware variants including UmbreCrypt, Kovter, TorrentLocker, CryptoWall, and TeslaCrypt.
Furthermore, Angler was one of the few exploit kits that supported fileless infections: the malware was never written to the hard disk and lived only in memory to avoid detection.
Fallout EK was launched on September 7, 2018, by “FalloutEK,” a member of the Russian-language underground hacker community. It was initially advertised on hacker sites for $50 per day, $250 per week, or $900 per month, before the price was raised to $400 per week or $1,300 per month. FalloutEK is also known to collaborate with other ransomware partners who promote the sale of exploit kits, such as GandCrab, Maze Locker, Kraken Cryptor, Matrix, and Minotaur.
Fallout EK limits itself to 25 clients and hosts a separate instance on a different server for each client as an extra layer of security, using unique, personalized shellcode to monitor organizations’ activity. Egypt, Japan, South Korea, Pakistan, India, the Philippines, Morocco, Algeria, Indonesia, Turkey, and Iraq were the primary targets of this exploit kit.
On June 18, 2014, “TakeThat,” a Russian-speaking member of hacker forums such as Verified, Club2CRD, and Exploit, posted a sales thread for the RIG Exploit Kit (RIGEK). He rented it out on dark web forums for $50 per day, $200 per week, or $700 per month. RIG distributed several ransomware variants, such as CryptoShield, BartCrypt, Princess Locker, YafunnLocker, and more, was used to spread other malware in campaigns such as Pitty Tiger, FormBook, Afraidgate, DragonFly, Deep Panda, and ProMediads, and exploited several vulnerabilities.
The Neutrino Exploit Kit, used in CryptoWall and CryptXXX ransomware operations and in the ShadowGate, Afraidgate, and ProMediads campaigns, was first observed in 2012 and was available for hire at $40 per day or $450 per month. In 2015, this exploit kit was used on landing pages that exploited Flash Player vulnerabilities, among other system software vulnerabilities, to install CryptoWall 3.0 ransomware on victims’ systems.
The Phoenix Exploit Kit, first discovered in 2007, was responsible for most Web-based attack activity in 2010. It was closely associated with ransomware groups such as AnteFrigus, CryptFIle2, CryptoShield, BartCrypt, YafunnLocker, Spora, and FessLeak, and with campaigns such as Pitty Tiger, FormBook, Afraidgate, DragonFly, Deep Panda, and ProMediads.
Exploit kits are complex tools that bundle many exploits and are designed to automatically exploit vulnerabilities on victims’ PCs while they browse the web. Because they are highly automated and adaptive, they have become one of hackers’ preferred strategies for large-scale malware and ransomware distribution. Their adaptability, ease of use, and low cost mean that even an inexperienced user can employ them to conduct malicious operations.
Author,
Abhishek Hiremath,
Associate – Managed SOC [ L1 ],
SOCGTM Department,