The Terror exploit kit is a relative newcomer to the EK scene, yet it is evolving rapidly. Since the demise of Angler, exploit kit activity has waned. However, the threat from new exploit kits such as Terror is growing.
Exploit kits probe for vulnerabilities in browsers or plugins. When an individual is directed to a website hosting an exploit kit, the EK searches for exploitable vulnerabilities. When exploitable vulnerabilities are discovered, the EK silently downloads malware or ransomware.
Exploit kits can be hosted on compromised websites or sites run by the attackers. Cybercriminals use a variety of techniques to get traffic to the sites. Links can be sent via spam email or via instant messaging services and social media sites. Malicious advertisements – termed malvertising – can be hosted on third party ad networks. Those ads are then served in sidebars on any number of legitimate, high traffic websites. Web redirects are also used to divert traffic to malicious sites hosting exploit kits.
If an individual with out of date plugins or older browser version visits such a malicious site, and an exploit has been loaded to the kit for a vulnerability in the browser, a malicious payload can be silently downloaded onto the user’s device.
In recent months, spam email has become the main attack vector used by cybercriminals. However, exploit kit activity appears to be increasing with the Terror exploit kit fast evolving into a significant threat.
The Terror exploit kit used to use a ‘carpet-bombing’ approach, sending a wide range of exploits at the end users system in the hope that one would be effective. Such an approach is not particularly sophisticated.
However, Terror has now been updated and attacks can be tailored based on the user’s browser environment. Exploits that have a high probability of being successful are then delivered. The Terror exploit kit can now determine which exploits to drop based on the victim’s browser version, the plugins that have been installed, or patch level, according to the researchers who discovered the update.
Protecting against exploit kits requires browsers and plugins to be kept 100% up to date and vulnerability free, which can be a challenge for businesses. Additional security solutions on endpoints can help to prevent malware downloads, although many are unable to detect or block fileless malware.
One of the best security solutions to deploy is a web filter capable of scanning the URL to prevent end users from landing on websites that are known to host exploit kits. Web filters can also be configured to block malicious adverts.
By preventing users from visiting known malicious sites, the threat from exploit kits can be significantly reduced.