Exploit kits are continually evolving, says a new report.
Exploit kits are continually evolving, says a new report.

Exploit kits come and go, but most of today's malicious packages are variants of previous iterations, according to a fall roundup by Malwarebytes Labs.

The report from the Santa Clara, Calif.-based internet security company provides details on the current crop of malware disseminators. The snapshot, assembled from traffic captures observed on the firm's honeypot and through its own telemetry, singles out six packages – RIG-v, RIG, Sundown, Bizarro Sundown, Magnitude and Neutrino-v. The company's conclusion: Exploit kits are continually evolving.

The profile kicks off with a look at RIG-v, the VIP version of RIG EK, which was first detected in September bearing similarities to Neutrino. The package has been observed being distributed via the Afraidgate and pseudoDarkleech campaigns.

What set this particular scourge apart from its predecessor was the introduction of new URL patterns, the researchers found. These were eventually incorporated into the older version, although the VIP version's landing page remains unique with its use of unicode characters.

In the last few months, owing to major distribution networks aided by the infection of purloined websites and malvertising, RIG EK has been a prominent package, the report found. The kit rose to the top bumping Neutrino from its number one spot. It's activity has subsided a bit lately, but it remains active.

While the Sundown EK appears to be targeting only certain regions, its unique characteristic is that it grabs code from other kits and continually customizes its URL structure and flow. The coders behind the kit seem to be tweaking their product in response to feedback from researchers who in examining the code point out flaws, Malwarebytes found.

A recent entry, the Bizarro Sundown EK, looks a lot like Sundown. It's distributed via the WordsJS campaign but its geographic range has so far been limited.

Activity of the Magnitude EK, used in a number of malvertising attacks, has slowed. However, its delivery of Cerber ransomware continues, albeit pointed at particular regions. The researchers were struck by the code's use of fingerprinting techniques.

The report finishes up with a look at Neutrino-v, a fresh iteration of Neutrino, which vanished in September. The kit, observed in malvertising attacks embedded into adult websites, impressed the researchers owing to its improved obfuscation (anti-debuggers) and fingerprinting code.