Exploit kits used to be one of the most common methods of distributing malware, although their use has dwindled to a fraction of the level seen in 2016. That said, there has recently been an uptick in the use of exploit kits and multiple threat actors are conducting campaigns to deliver malware payloads.
An exploit kit is malicious code that incorporates exploits for one or more vulnerabilities. When a visitor arrives on a website hosting an exploit kit, their computer is scanned for vulnerabilities, and if one that the kit targets is found, the exploit is executed and a malicious payload such as a banking Trojan, keylogger, or ransomware is silently downloaded.
Exploit kits are loaded onto websites under the control of the attackers, which can be their own domains or a legitimate site that has been compromised. Traffic is usually sent to the exploit kit through malicious adverts on third-party ad networks (malvertising). These ad networks are used by many websites for adding revenue-generating third-party adverts.
According to research conducted by Malwarebytes, a campaign is being conducted using the Fallout exploit kit to deliver the Racoon Stealer, with the EK loaded onto popular adult websites. The campaign was reported to the ad network and the malicious advert was removed, only to be replaced with an advert directing visitors to a site hosting the Rig exploit kit.
Another campaign was identified involving a different threat actor who is known to have targeted various adult ad networks. The malicious adverts were displayed on a wide range of different adult websites, including one of the most popular adult websites that generates more than 1 billion page views a month.
The threat actor had submitted bids for users of Internet Explorer only, as the exploit kit contained an exploit for an unpatched IE vulnerability. The vulnerabilities exploited were CVE-2019-0752 and CVE-2018-15982; the former is an IE vulnerability and the latter is a vulnerability in Adobe Flash Player. In this campaign, Smoke Loader malware was delivered, along with Racoon Stealer and ZLoader.
For an exploit kit to work, a computer must have an unpatched vulnerability, an exploit for which must be included in the EK. Prompt patching is therefore one of the best ways of ensuring that these attacks are not successful. It is also strongly advisable to stop using Internet Explorer and Flash Player. Vulnerabilities in each are frequently targeted.
These campaigns can also easily be blocked by using a web filter. Unless your business operates in the adult entertainment sector, access to adult content on work devices should be blocked. A web filter allows your business to block access to all adult websites, and other categories of web content that employees should not be accessing in the workplace.
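The two controls described above, retiring Internet Explorer and Flash and blocking adult-category sites with a web filter, can both be checked from proxy logs. The following script is an added example written for this article; it is not WebTitan code or anything from the Malwarebytes research. It parses a constructed Squid-style log, inventories clients still browsing with Internet Explorer (the browser the malvertising campaign bid on), and applies a category block policy the way a web filter would. Every domain, category mapping, and log line is constructed sample data.

```python
"""
Added example, not from the original article: proxy-log triage that
  1. lists clients still using Internet Explorer, and
  2. applies a category-based block policy (adult + known-malicious).
All domains, category data and log lines are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed category database; a real web filter ships a far larger one.
CATEGORY_DB: Dict[str, str] = {
    "adult-site.example": "adult",
    "ads.example-network.test": "advertising",
    "intranet.corp.example": "business",
    "ek-landing.example": "malware",   # placeholder for a known EK landing domain
}

# Categories the policy refuses; the article recommends blocking adult content.
BLOCKED_CATEGORIES = {"adult", "malware"}

# IE <= 10 sends "MSIE x.y"; IE 11 sends "Trident/7.0 ... rv:11.0".
IE_UA = re.compile(r"MSIE \d+\.\d+|Trident/\d+\.\d+.*rv:11\.0")

# Constructed log format: client_ip "URL" "User-Agent"
LOG_LINE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')

SAMPLE_LOG = """\
10.0.0.5 "http://intranet.corp.example/timesheet" "Mozilla/5.0 (Windows NT 10.0) Chrome/80.0"
10.0.0.7 "https://adult-site.example/video?id=1" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.7 "http://ads.example-network.test/serve?cb=123" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.9 "http://ek-landing.example/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
10.0.0.12 "https://www.unknown-site.example/" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""


@dataclass
class LogEntry:
    client_ip: str
    url: str
    user_agent: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return LogEntry(client_ip=m.group(1), url=m.group(2), user_agent=m.group(3))


def is_internet_explorer(user_agent: str) -> bool:
    """True when the User-Agent string identifies any Internet Explorer version."""
    return IE_UA.search(user_agent) is not None


def categorize(url: str) -> str:
    """Look the URL's host up in the category database, walking up to parent
    domains so that a category set on "adult-site.example" also covers
    "cdn.adult-site.example". Unknown hosts are "uncategorized"."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


def triage(log_text: str) -> Dict[str, list]:
    """Return the requests the policy would block and the set of IE clients
    that still need to be migrated to a supported browser."""
    blocked: List[Tuple[str, str, str]] = []
    ie_clients = set()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if is_internet_explorer(entry.user_agent):
            ie_clients.add(entry.client_ip)
        category = categorize(entry.url)
        if category in BLOCKED_CATEGORIES:
            host = urlparse(entry.url).hostname or ""
            blocked.append((entry.client_ip, host, category))
    return {"blocked": blocked, "ie_clients": sorted(ie_clients)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, host, cat in report["blocked"]:
        print(f"BLOCK {ip} -> {host} [{cat}]")
    print("clients still on Internet Explorer:", ", ".join(report["ie_clients"]))
```

The parent-domain walk in `categorize` matters in practice: malvertising and exploit-kit landing pages are frequently served from subdomains or content delivery hosts, so a filter that only matches exact hostnames misses them. The IE inventory is the patching side of the same problem; each address it lists is a machine that can still be served the IE and Flash exploits the article names.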
A cloud-based web filter such as WebTitan is a low-cost solution that can protect against web-based attacks such as exploit kits and drive-by malware downloads, while also helping businesses to improve productivity by preventing employees from visiting websites that have no work purpose. Web filters can also reduce legal liability by preventing employees from engaging in illegal online activities, such as copyright-infringing file downloads.
Once implemented – a process that takes a few minutes – access to certain categories of website can be blocked with the click of a mouse and employees will be prevented from accessing websites known to harbor malware, phishing kits, and other potentially malicious websites.
For further information on WebTitan and protecting your business from web-based threats, give the TitanHQ team a call today.