Cyber criminals have long preferred automated infections (as opposed to social engineering) because they can tap into a much wider market. For that, exploit kits represent the most popular way to seamlessly infect a computer with ‘drive-by download’ attacks via malvertising or compromised websites.
Indeed, the majority of consumers and businesses have historically failed to apply security patches when vendors release them, thereby creating opportunities for those who weaponize vulnerabilities into exploits.
The exploit kit landscape is constantly changing as threat actors compete against each other to offer the best tools, containing the freshest exploits, and sometimes even ‘zero-days’ (unpatched vulnerabilities already exploited in the wild).
In June of 2016, the world watched as Angler EK, perhaps the greatest exploit kit of all time, seemingly vanished. For years it had been the top threat everybody had been tracking and despising for its constant efforts to make studying its code more difficult. The void left in the post Angler era was quickly filled by runner-up Neutrino EK but only lasted for a few months before changing hands again.
Interestingly, rather than seeing brand new contenders, we are observing variations of existing exploit kits, in particular with the leading RIG EK. There is no doubt the loss of Angler has had a profound impact and left a technical gap that has yet to be bridged. Many interconnecting parts (including funding) have to come together for exploit kits to be the ultimate infection weapon. Yet, we also see criminals simply ripping off what the competition is doing. Why reinvent the wheel when the same old exploits have been proven to work time and time again?
Having said that, we are bound to see the emergence of a more advanced exploit kit; the advantages demonstrated by Angler are simply too great to ignore.