Malvertising redirecting victims to exploit kits
Malvertising redirecting victims to exploit kits

Although there's been a drop in the activity of exploit kits (EK), threat actors have adapted by redirecting unwitting victims to exploit kit servers, according to a post on the Symantec blog.

As outlined by Siddhesh Chandrayan, an associate threat analysis engineer at Symantec, with the shutdown of Angler and Nuclear dampening the use of EKs, interest has shifted to redirection mechanisms which, he says, has remained a "popular and effective" technique. He examines two of the more popular campaigns – pseudo-Darkleech and EITest.

The pseudo-Darkleech redirection strategy involves infecting websites via vulnerabilities in a content management system to load a conditional redirection script on pages connected to the site. While those affected depends on such factors as geolocation, the redirection script could either be a simple iFrame injection or one that is disguised. However, they all do the same thing: hijack visitors to the legitimate website and send them to an EK.

This scourge has been around in various iterations since 2012, Chandrayan said, redirecting unsuspecting web visitors to the Angler EK. But, following the shutdown of Angler, in the second half of 2016 the pseudo-Darkleech campaign began sending visitors to the Neutrino EK. A shift in Neutrino's distribution model prompted the action to shift to the RIG EK.

The point, Chandrayan explained, is that while various EKs vanished or became more selective about who they'd deal with, the redirection campaigns continued…until recently.

In the past month, his Symantec team has detected a drop-off in the use of pseudo-Darkleech redirections to exploit kits. Whether this signals the end of the campaign, the researchers could only speculate, proposing that the bad actors could still return after further adjustments to their coding.

At the same time, the EITest campaign has also been a go-to source for exploit kit redirections. This tool, similar to pseudo-Darkleech, began life with Angler and then moved on to RIG. To redirect visitors to exploit kit servers, it employed a Flash file to fingerprint its victims or injected an iFrame into a compromised website.

But, in the first half of 2017, the miscreants behind the EITest campaign started social engineering attacks to go after primarily users of Google's Chrome browser.

Its strategy was to render a compromised web page unreadable while a pop-up appears prompting users to download a font file to make the page readable. Of course, that is a method to inject malware, Chandrayan explained.

These social engineering ploys have been increasing in activity, he said. However, their redirects to EKs has been dipping.

The implication is that it may indicate a shift from exploit kits to social engineering for this campaign. "In the face of low infection rates from exploit kits and the lack of new browser or browser plugin exploits, this seems to be the most plausible explanation," he wrote.

But, despite the decline in redirection campaigns, this does not mean that EK activity is also on the decline, he added. Telemetry from Symantec's research indicates a rising trend in "malvertisement redirections to various exploit kits such as RIG, with a decline in older campaigns such as pseudo-Darkleech and EITest."

With such malware as WannaCry entering the landscape, the threat from infection remains high and the use of exploit kits "for the time being at least remain a force to be reckoned with in the security threat landscape."

The attackers are mostly looking to increase their number of victims, Chandrayan told SC Media on Wednesday. "Malvertising has the potential to bring in a lot of unsuspecting victims to exploit kit servers, as even visitors to popular websites can be turned into victims," he said. 

For redirection through compromised websites to bring in these huge numbers, it is necessary that the compromised website has a lot of visitors, he added. That is, the polluted site needs to be a high-ranking website. Also, he pointed out, malvertising is difficult to analyze in depth due to its complex nature. "Thus, along with a high number of victims, attackers are also able to make security analysis tougher." So, he explained, attackers are looking at maximizing their revenues with the limited resources at hand.

The decline in exploit kit redirection campaigns possibly indicates ongoing background work being done by attackers to bounce back with advanced versions in the future, Chandrayan told SC. "Also, as with social engineering used by EITest, an attempt to increase the infection rates via other means such as social engineering, tech support scams etc. is also being tried out.”