How Automation is Changing Cyber Crime: Exploits as a Service

https://heimdalsecurity.com/blog/security-alert-cryptowall-4-0-new-enhanced-and-more-difficult-to-detect/If you’ve been reading this blog for a while now, you’re probably pretty much up to date with major threats and painless advice that can help you stay safe online (if you apply the advice, of course). But if this is your first time reading our blog, you may find yourself thinking: Is cybercrime really that pervasive or is this just an attempt to manipulate me into thinking it is? The question is 100% justified, especially given how often the media reports on cyber attacks as well. To answer your question: yes, cybercrime really is that widespread. And it all has to do with automation. Let’s dig a little deeper and find out more about:

1. Crimeware-as-a-Service has become available to anyone
2. Enter Exploit Kits as a Service
3. What do buyers look for in an exploit kit?
4. How much does an exploit kit cost?
5. How exploit kits spread
6. Innovations in exploit kits in 2015
7. Protect your PC against exploit kits

 

Crimeware-as-a-Service has become available to anyone

Cybercrime used to be the occupation of a limited group of people who had deep technical skills and used their abilities and know-how for malicious purposes. But that was many, many years ago. Even though the Internet is only 20 years old, a lot has happened since it became widely available. For example, in the past few years, cybercrime has developed into a big business and the malicious hackers behind it are running their ops as such. Long story short: if you have some cash on your hands and some skill (no expertise required), you can try your hand at malware attacks. Naturally, we strongly advise against any such actions. What we want is to show you:

• how attackers are changing the game by using automation to make more money
• how you’re already in the crosshairs
• and how you can improve your protection (and avoid becoming a victim).

 

Enter Exploit Kits as a Service

Quick definition: exploit kits (EKs) are programs that find flaws, weaknesses or mistakes in software apps and use them to gain access into a system or a network. The most prevalent exploit kits have the ability to download malicious files and feed your system malicious code after infiltrating it. These exploit kits are used in the first stages of a malware attack and they play a very important role in the success rate of these attacks. The better the exploit kits are, the faster and more aggressive the attacks are as well.

Here’s how exploit kits work – an example using Angler EK:

 

1. The potential victim ends up on a web page infected with Angler exploit kit or surfs a legitimate website that has infected banners in it.
2. Angler then scans the victim’s PC to find outdated software and the correlated security holes.
3. Once a backdoor is opened in the victim’s PC, the dropper is downloaded onto the system, which executes malware (in this case, ransomware).
4. As a consequence, the victim’s data is encrypted, blocking access and demanding that a ransom be paid for unlocking the data.

I bet you’ve heard or read about at least a case where ransomware hit hard and the victim had to wipe the system clean, losing the data stored on it. Here’s an example from a recent study that shows how fast the cybercriminals move:

We found more than 15,000 unique sites pushing people to the Angler exploit kit, 99.8 percent of which were used fewer than 10 times. Most of the referrers were therefore active only for a short period and were removed after a handful of users were targeted.

Source: Cisco 2016 Annual Security Report That’s why it’s important to know that exploit kits are being sold or rented like commercial products, and that makes malware infections more prevalent. And it’s no wonder that, given this context, the number of new exploit kits and their activity has increased in the past years (the figures for 2015 are not in yet): Source: TrendMicro, Evolution of Exploit Kits 2015 At this point, you may find yourself asking:

Why has this exploited kits-as-a-service model emerged?

There are a few defining factors that have made exploit kits widely available to cyber criminals of all types, experienced or rookies alike:

• • No expertise required – when someone decides to buy an exploit kit-as-a-service, they don’t need to have deep technical knowledge; that’s because the EKs come with everything pre-coded and a built-in dashboard were attackers can tweak the kit according to their needs
  • Makes exploit kits cheaper – the fact that exploits kit creators can sell the kits or rent them out had made EKs quite affordable, as you’ll see later on in this article; and when prices go down, the sales go up;
  • And more flexible – exploit kits nowadays come with plenty of options that allow the attacker to customize his attempts at infecting as many PCs as possible;

• They offer broader reach – some exploit kits even come with built-in distribution channels (cyber criminal infrastructure), which makes them more likely to generate high infection rates and, consequently, a higher return on investment for the attacker;
• You can bring your own malware – the buyer can use the exploit kit to deliver different types of malware, from banking Trojans to ransomware of all kinds;
• There are plenty of vulnerabilities to target – software makers are making it incredibly easy for exploit kit makers to spread their malicious tools; software vulnerabilities in the most used software apps have grown on almost all fronts, as you can see from the data below:

Source: Bromium Endpoint Exploitation Trends 2015

• They help you stay below the radar – successful exploit kits integrate various methods to avoid being detected by traditional antivirus, thus achieving high infection rates among the targeted victims; this means, once again, more money for EK creators and their clients;

Recommended reading to help you understand how this works: 10 Reasons Why Your Traditional Antivirus Can’t Detect Second Generation Malware [Infographic]

• You can choose between buying or renting – you can even choose between buying the EK, the more expensive version, or renting it out, which is cheaper and you only pay while it’s actively used;

Here’s one example from a few years ago, which explains how it all works in the case of renting exploit kits:

Critx might seem like just another exploit kit but it is being used in a unique way. Instead of being sold, the exploit kit is being rented or leased on its own criminal infrastructure. It is all set up with multiple IP addresses and redundancy to prevent takedowns. All a criminal would have to do is simply register a domain and point it to this infrastructure.

Source: Got Malware? Rent an Exploit Service

• They can be used in targeted attacks – because exploit kits use sophisticated mechanisms to evade detection, they are preferred vectors for cybercriminals who target specific individuals or organizations; targeted attacks usually bring in more money or data because they go execute a carefully documented plan;
• They include technical support – some exploit kits even include technical support to help those clients that don’t manage to handle the “product” on their own or want to access more advanced features;
• They use Bitcoins for payments – staying anonymous is a critical part of the job in cybercrime, so the advent of Bitcoins offered the perfect, untraceable payment method to be used in exchanges in the dark web forums and between the attacker and the victim.

Did you know that…?

The easiest hack toolkit made available in the crimeware market on record was seen sometime in 2006.

Source: TrendMicro, Evolution of Exploit Kits 2015 Imagine how much and how fast things have evolved in the past 10 years. Exploits kits can now:

• Infect a system or a network with malware (financial – Tinba, Vawtrak, ransomware – CryptoWall, Teslacrypt, Torrentlocker, data-stealing – Miuref, etc.);
• Harvest confidential data (usernames, passwords, card details, etc.) and send it to the attacker, which can then use it for extortion, to drain bank accounts and more;
• Enlist the infected system into a botnet, which is a “zombie army” of computers used to deliver additional attacks on other potential victims.

And it all happens because of a little piece of code that scans your system for outdated software.

What do buyers look for in an exploit kit?

To give you a more accurate idea of how well organized the crimeware business really is, we’ve made a list of some of the key factors that drive revenue for exploit kit creators. When shopping for an exploit kit on the underground forums, a buyer might look for one that:

• • Can bring in higher traffic to the pages infected by the exploit kit – having a steady flow of traffic to the infected landing page ensures that the buyer will see a high return on investment for his purchase;
  • Has a better hit-rate in delivering malware – more infections = more money, plain and simple;
  • Has better marketing and is renowned in the cybercriminal scene – being notorious has its perks, such as getting more sales because the kit is (in)famous (this is the case with Angler, RIG, and Neutrino);

• Has more attractive pricing – if the EK maker offers a “pay-per-install” model than the buyer will be more interested, because he’d only have to pay for the successful malware infections that the exploit kit caused;
• Includes a control panel and user-friendly web interfaces – ease of use counts when it comes to this new wave of cybercriminals who are not as skilled as you imagine; also, they can check the statistics of their campaigns and tweak them to achieve a higher infection rate;
• Offers flexible configuration options and add-on functions – combining malware and exploit kits can yield high returns on investment for attackers who know how to make the most of their purchase;

Here’s an example you may want to read about: at the beginning of this year, our team noticed a substantial increase in exploit kit activity for Neutrino, RIG, and Angler, which mutated and included new techniques to evade detection by traditional antivirus solutions.

Our team at Heimdal Security has observed a very recent change in the servers that are abused by the Neutrino exploit kit. Among other malware, Neutrino now spreads ransomware from the Kovter class and ransomware from the Cryptolocker2 family. This new campaign also comes with added surreptitious tricks: Google Blackhat SEO poisoning and an immediate focus on using Flash Player vulnerabilities as a distribution vector.

Read more on this security alert: Exploit Kits Activity Spike Packs Improved Payloads, New Servers and a Predilection for Flash Player

• Has many built-in vulnerabilities – many of the tops exploit kits on the market include vulnerabilities (known or unknown, aka Zero Days) which buyers can readily use in their attacks; as you can see from the data below, the pool of options is quite generous for the most used apps in the world:

Source: Bromium Endpoint Exploitation Trends 2015

• Incorporates polymorphic droppers – some exploit kits include a Trojan dropper, a piece of code that injects malware into a PC; these droppers can be polymorphic, which mean they change daily to avoid being detected by antivirus and remain in the system as long as possible, to carry out the infection;
• Is as up to date as possible – exploit kit creators keep their “products” up to date by integrating new vulnerabilities as soon as they’re discovered; the more recent a software vulnerability is, the better it can be exploited to make the infection successful.

For the last two years, exploit kits have been known to include almost entirely new and up-to-date exploits.

Source: Bromium Endpoint Exploitation Trends 2015

How much does an exploit kit cost?

This is a key question whose answer we know you’re anxious to find out. According to a well-documented analysis by the Infosec Institute from mid-2015:

Exploit kits are still sold in their entirety (including source code), but they still have exorbitant prices ($20-30k). For this reason, users rent them for the limited periods ($500/month).

Source To get an idea of how much damage an exploit kit can do, let’s take a peek at these numbers provided by an in-depth analysis conducted by Talos. The numbers show how much money Angler can make its creators and their clients when driving ransomware infections. And recent data from Cisco goes to show that the profits are even bigger than what the usual user would imagine: Source: Cisco 2016 Annual Security Report And while exploit kits-as-service generate hefty profits for cyber attackers, it also creates enormous expenses for the business world and for regular Internet users.

How exploit kits spread

To help you understand how exploit kits act and spread, we put together The Ultimate Guide to Angler Exploit Kit for Non-Technical People, which is very much worth the read. But until you do, here are the main vectors through which exploit kits such as Angler, RIG, Nuclear, Neutrino, Sweet Orange or others spread:

• Malvertising – malicious advertising campaigns, carried out by infecting the servers which deliver the ads; millions of websites can then unknowingly serve these infected ads, targeting millions of visitors/potential victims;
• Spam campaigns – good ol’ spam campaigns haven’t gone out of fashion; in fact, they’re driving infection rates through the roof as we speak, by tricking naïve Internet users into clicking on links inside unsolicited email;
• Malicious iFrames – an iFrame (aka “inline frame”) is a way of loading a web page inside another, and cyber attackers can use this technique to load a malicious website, preloaded with exploit kits, on a seemingly safe website;
• Malicious code injection – websites can be compromised by infecting them with malicious code, which can drop exploit kits and malware onto the victim’s system only via a simple website visit.

For example, take the case of this campaign we reported on from last December:

Our team has recently monitored and analysed a new stack of drive-by campaigns which aim to spread the Angler exploit kit by injecting malicious code into compromised web pages. Because of the mechanisms involved and the attackers’ objectives, the campaign is prone to achieve large distribution and affect a big number of PCs and their users.

Read more on this security alert: Angler Exploit Kit Spreads CryptoWall 4.0 via New Drive-By Campaign And, mind you, these types of events as the ones described above are going on all the time. The infrastructure hosts these automated triggers and infection processes that are perpetuated by cyber criminals of all backgrounds and incomes.

Innovations in exploit kits in 2015

In 2015, exploit kits were all the rage, and cyber security companies monitored them closely. There were quite a few improvements that cyber criminals were probably very proud of. To name a few:

• Improved payload delivery – encrypted payloads and complex obfuscation (obscuring detection methods such as antivirus) techniques led to exploit kits being heavily used to keep the infections below the radar (and it worked in most cases);
• Enhanced data harvesting methods – some exploit kits were even able to collect all the usable usernames and passwords from the system they infected, so they can be sent to the attacker’s server and used later on to compromise additional digital assets;
• “Fileless” infections – this may not be an entirely new feature, but it was certainly used heavily in malware campaigns; the exploit kit drops a payload (the bit of code that executes malware) into the memory, so no files are actually downloaded onto the system, making it impossible for traditional antivirus to spot the infection (because antivirus scans for infected files).

These three features, coupled with polymorphism and the fast integration of new vulnerabilities make exploit kits something to worry about. The types of apps that cyber criminals target in their attacks (which include EKs, of course) have stayed the same throughout the recent years:

• The top browsers: Microsoft Internet Explorer, Mozilla Firefox, Google Chrome
• Browser plug-ins: Adobe Flash, Microsoft Silverlight, Oracle Java RE
• Office productivity software: Microsoft Office, Adobe Reader and more.

Recommended readings: Why are Java’s Vulnerabilities One of the Biggest Security Holes on Your Computer? Adobe Flash vulnerabilities – a never-ending string of security risks

Protect your PC against exploit kits

So, after all this, you must be wondering: What can I do to keep exploit kits from raiding my system and infecting it? It’s so easy you probably had no idea it could be so important. Here’s the number one advice: Keep your software updated at all times. If everyone installed all the updates, we’d all enjoy a much safer web. Updates don’t only bring in new features, but they also include much-needed security patches which makes your PC safer against cyber attacks. And that includes operating system updates, of course. And if you truly hate update prompts (and, honestly, who doesn’t?), then just install Thor FREE to handle your updates for you. Automatically, silently, without ever having to worry about another update again. What to do about the vulnerabilities that even software makers don’t know about (Zero Days)? For that, you’ll need a reliable antivirus product and another solution that can catch infections that antivirus can’t. Yes, even though antivirus can’t catch exploit kits (the most advanced, at least), you still need it. Don’t ditch it just yet. More protection layers mean there are less chances that a malware infection targeting your system can be successful.

Conclusion

While tech terms can make you shy away from concepts like exploit kits-as-a-service, don’t. There’s always a way to explain things in a way that they can benefit your knowledge. I hope this article did just that. If you should have any questions, I’d love to answer them, so please leave them in the comments below.