The new Capesand exploit kit, possibly derived from an older EK, has been found being used to take advantage of Internet Explorer and Adobe Flash vulnerabilities.
Trend Micro’s Elliot Cao, Joseph C. Chen and William Gamazo Sanchez came across Capesand while tracking a campaign that was using the Rig EK to DarkRAT and njRAT malware. During this process the trio saw the malicious actors had switched from Rig to a new and unfamiliar type. Further digging found the EK’s control panel, one with the name Capesand and they realized it was directly providing the source code for the EK.
“The Capesand exploit kit’s code is quite simple compared with other kits. Almost all of Capesand‘s functions reuse open-source code, including the exploits, obfuscation, and packing techniques. Further monitoring revealed that its users are actively using it despite its seemingly unfinished state, the researchers wrote.
One clue leading the investigators to believe Capesand is derivative in some way was its source code which was found to have many similarities with an older EK named Demon Hunter. The updated Demon Hunter source code can exploit newer vulnerabilities, including, but not limited to, the Adobe Flash flaw CVE-2018-4878 and CVE-2018-8174 and CVE-2019-0752 affecting Microsoft Internet Explorer
The EK is deployed through a malvertisement fronted by a blog written about blockchain. Once the victim clicks on the ad Capesand sends a request to the API of the its server and requests the exploit payload. The request asks for the exploit name, exploit URL in configuration, the victim’s IP address and browser user-agent.
“After successful exploitation via Capesand, the first stage will download mess.exe and attempt to exploit CVE-2018-8120 to escalate privileges and then execute njcrypt.exe. The njcrypt binary is a multilayer obfuscated .NET application where the obfuscation is done using publicly known tools,” the report stated.
The researchers believe Capesand is still being developed and is evolving in a direction that may allow it to distribute malicious landing pages through mirrored versions of the legitimate site by using typosquatting.