There have been significant developments relating to exploit kits in the past few days. The threat actors behind the Magnitude exploit kit have now changed their malicious payload, and the EITest malware distribution network that directed traffic to exploit kits has finally been sinkholed.

Magnitude Exploit Kit Switches to GandCrab Ransomware Delivery

Exploit kit activity is at a fraction of the level of 2015 and 2016, and in 2017 there was a 62% reduction in the development of exploit kits according to research from Recorded Future.

However, exploit kit activity has not fallen to zero. The malicious code is still widely used to deliver malware and ransomware, which underscores the continued need for technologies that block these attacks, such as web filtering solutions, and the continued need to keep on top of patching.

Exploit kits have traditionally leveraged vulnerabilities in Java and Adobe Flash, although more recently Microsoft vulnerabilities have been favored, due to the decline in exploitable Java vulnerabilities and the phasing out of Adobe Flash.

One exploit kit that is still being used in extensive attacks, albeit attacks that are highly geographically targeted, is the Magnitude exploit kit.

For the past seven months, the Magnitude exploit kit has been delivering the Magniber ransomware payload almost exclusively in South Korea. However, there has been a notable change in the past few days with it also being used to distribute GandCrab ransomware, with the latter not restricted geographically and capable of infecting English language Windows devices.

While early variants of GandCrab ransomware were cracked and free recovery of files was possible, there is no known decryptor for the current version of GandCrab ransomware being distributed via Magnitude. Whereas an exploit kit payload was typically written to disk once an Adobe Flash or Microsoft vulnerability had been exploited, Magnitude now uses a fileless technique to load the ransomware, which makes the infection much harder to detect.

According to Malwarebytes, “The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.” Once run, the payload is injected into explorer.exe, files are encrypted, and the infected device is rebooted.
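A fileless loader of this kind never writes a ransomware executable to disk, so the artefact a defender can still inspect is the scriptlet itself. The scanner below is an added example written for this article; it is not code from Malwarebytes or from the Magnitude kit. It looks for the two observable markers the quote describes: a script block declared with the `VBScript.Encode` or `JScript.Encode` language, and the Microsoft Script Encoder envelope that such blocks carry. It assumes the envelope layout is a `#@~^` marker, six base64 characters encoding the decoded length as a little-endian 32-bit integer, `==`, the encoded body and a closing `==^#~@`; the two sample pages are constructed for the example and carry a dummy encoded body, not a real payload.

```python
"""Flag encoded-script scriptlets of the kind described above.

Constructed detection example (not Malwarebytes' or Magnitude's code).
Assumed Script Encoder envelope: '#@~^' + 6 base64 chars (decoded length,
little-endian uint32) + '==' + encoded body + '==^#~@'.
"""
from __future__ import annotations

import base64
import re
import struct
from dataclasses import dataclass
from typing import List

# <script language="JScript.Encode"> or "VBScript.Encode"
ENCODE_LANG_RE = re.compile(
    r'language\s*=\s*["\']?\s*(VBScript|JScript)\.Encode', re.I)
# The encoded envelope: marker, 6-char length field, '==', body, terminator
ENVELOPE_RE = re.compile(r'#@~\^([A-Za-z0-9+/]{6})==(.*?)==\^#~@', re.S)
# COM scriptlet markup (.sct files), the carrier named in the quote
SCRIPTLET_RE = re.compile(r'<(?:scriptlet|registration)\b', re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def declared_length(field: str) -> int:
    """Decode the six-character length field (assumed little-endian uint32)."""
    return struct.unpack('<I', base64.b64decode(field + '=='))[0]


def scan(content: str) -> List[Finding]:
    """Return findings for encoded-script markers in a page or scriptlet."""
    findings: List[Finding] = []
    for m in ENCODE_LANG_RE.finditer(content):
        findings.append(Finding('encode-language', m.group(1) + '.Encode'))
    for m in ENVELOPE_RE.finditer(content):
        findings.append(Finding(
            'encoded-envelope',
            f'declared length {declared_length(m.group(1))}'))
    # Only escalate to "carrier" when encoded script sits inside scriptlet markup
    if findings and SCRIPTLET_RE.search(content):
        findings.append(Finding('scriptlet-carrier',
                                'encoded script inside a COM scriptlet'))
    return findings


# Constructed samples. The encoded body is filler, not a real payload.
BENIGN_SCT = (
    '<scriptlet><registration progid="Demo.Benign"/>'
    '<script language="JScript">var x = 1;</script></scriptlet>'
)
# 'KgAAAA' is base64 of the little-endian bytes of 42, the declared length.
SUSPICIOUS_SCT = (
    '<scriptlet><registration progid="Demo.Suspicious"/>'
    '<script language="JScript.Encode">'
    '#@~^KgAAAA==mDkKI~W!X+~s!xYwKW m#wZ~m/lW(/+~Dx==^#~@'
    '</script></scriptlet>'
)

if __name__ == '__main__':
    for name, sample in (('benign', BENIGN_SCT), ('suspicious', SUSPICIOUS_SCT)):
        print(name, [(f.kind, f.detail) for f in scan(sample)])
```

The declared length is worth surfacing because a legitimate encoded script is usually small, whereas a loader that carries an entire ransomware binary declares a length in the hundreds of kilobytes; a threshold on that field is a cheap triage signal before any in-memory decoding is attempted.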

EITest Malware Distribution Network Disrupted

There has been some major good news on the exploit kit front this week with the announcement that the EITest malware distribution network has finally been sinkholed. EITest has been active since at least 2011 and has been used to distribute all manner of malware over the years.

EITest was a major distribution network responsible for countless Kronos, Ramnit, DarkCloud and Gootkit infections. More recently it was used to deliver ransomware variants such as CryptXXX and Cerber and to send users to sites running social engineering and tech support scams.

Prior to being sinkholed, EITest was redirecting as many as 2 million users a day to a network of more than 52,000 compromised websites that had been loaded with exploit kit code and social engineering scams. Most of the compromised sites were WordPress sites based in the USA, China, and Ukraine.

The threat actors behind EITest were selling traffic to other actors in blocks of between 50,000 and 70,000 visitors at a cost of $20 per thousand.

Over a 20-day period since EITest was sinkholed, more than 44 million users were directed to the sinkhole rather than malicious websites.

All redirects to malicious websites have now stopped. The compromised websites remain active, but rather than redirecting users to malicious domains they now direct traffic to benign sinkhole domains controlled by abuse.ch and brilliantit.com.