Looking back at the past year, there is no doubt that the malware-as-a-service industry, which sells and trades malware samples, attack tools, and a variety of services, is thriving. It means that cyber criminals with low technical skills can easily purchase attack tools from more advanced hackers, vastly increasing the number of potential attackers, attacks, and victims.
Cerber, a ransomware-as-a-service operation, was one of the most dominant and profitable ransomware variants of 2016. Last December, a new DDoS (Distributed Denial of Service) collaborative effort dubbed Sledgehammer made headlines due to its unique operation mode. Participants were asked to attack targeted political websites and in return earn points toward rewards such as ‘Click-Fraud’ bots and DDoS tools.
In our 2016 H2 Global Threat Intelligence Trends report, we predicted that new and unique collaboration frameworks will continue to emerge in 2017.
This report reviews one of the oldest, yet most effective, services offered for sale on the Darknet by skilled threat actors – drive-by attacks as-a-service, referred to as Exploit Kits.
An Exploit Kit is a toolkit used to automate the exploitation of vulnerabilities in a system. A skilled threat actor (or “owner”) establishes and maintains an attack infrastructure. All a would-be attacker (“user”) needs to do is to rent it through underground forums. Not only do the users receive access to an infrastructure which is constantly adapted to today’s security measures, but they also get a comprehensive management panel which lets them track the number of infections per campaign, as well as upload new payloads and establish new campaigns.
In the past few years, Exploit Kits have been one the most common methods for infecting victims with malware. During 2016, a major change was observed in the Exploit Kit landscape, as many of the big players ceased operation.
For example, the Nuclear Exploit Kit shut down its entire infrastructure and dropped out of action at the end of April 2016, apparently as a response to the release of the Check Point report which detailed its capabilities, exploits, and involvement in current active campaigns. The disappearance of Nuclear and other high volume Exploit Kits such as Angler, enabled smaller players such as the Beps Exploit Kit, referred to by researchers as Sundown, to gain prominence in this highly profitable industry.
The Beps management panel is hosted on the publicly accessible domain beps.io. Each user is given credentials and a unique URL to access a personal management panel.
Figure 1: Beps (Sundown) Exploit Kit Login Page
After login, this is the main view:
Figure 2: Beps Exploit Kit user panel main view
The main page displays a unified view of the user’s attack activities:
- Overall attack attempts.
- Number of victims that made it past the compromised websites and were served with exploits.
- Number of current active campaigns and the successful infection rate.
A broader view of the country and browser distribution, based on the number of attack attempts, is also presented in the main page:
Figure 3: Beps Exploit Kit user panel Country and Browser statistics, main view
The Files page enables the user to upload new payloads to the panel, and scan them to see if a file is currently detected by a security product.
Figure 4: Beps Exploit Kit user panel files (payloads) management page
After the payload is uploaded to the panel, it can now be attached to a campaign (also referred to as thread or flow) in the Threads page:
Figure 5: Beps Exploit Kit user panel threads (campaigns) management page
Interestingly, most of the payloads are malware as-a-service, completing the picture of a non-techy attacker renting both the attack vector and the malware on the underground marketplace.
Sundown is currently used to distribute several malware families, among which are:
- Cerber Ransomware – First introduced to the public in February 2016, Cerber is a high-volume ransomware that is operated in a highly successful malware-as-a-service business model. At the time of Check Point’s research of the ransomware, over 160 active campaigns ran by ransomware users were observed. The malware is spread mainly by spam campaigns and malvertising campaigns which leverage exploit kits.
- Andromeda Botnet – Andromeda is a modular botnet used mainly as a backdoor to deliver additional malware on infected hosts, but can be modified to create different types of botnets.
- Beta Bot – Beta Bot is a botnet used mainly to steal login credentials and financial data, while disabling its victims’ antivirus and malware scan software and preventing access to security websites. The malware is offered for sale on underground forums. Its features include various Denial-of-Service (DDoS) attack methods, remote connection abilities and information theft.
Based on out data, Sundown Exploit Kit has an overall infection rate of 4.56% – less than half of the infection rate of for the Nuclear Exploit Kit, which at the time of our research was 9.95%. In accordance with the vulnerabilities exploited by this kit, 99% of the victims are Internet Explorer users, especially versions 8.0, 10.0 and 11.0. On the contrary, Chrome Browser users did not get infected at all.
Attacked Users’ Browsers:
Figure 6: Attacked Users’ Browsers
Successfully Infected Users’ Browsers:
Figure 7: Successfully Infected Users’ Browsers
Sundown has been used against targets in 130 countries/colonies (based on country-code).
Looking at the list, we can see that the top countries targeted by the Exploit kit users are the United States, Japan, Germany and Russia. However, these are not the most infected countries. Below we can see a graph presenting the top attacked countries and successful infections rate per country:
Figure 8: Top Attacked Countries and Successful Infection Rate
And here is a graph presenting the top infected countries:
Figure 9: Top Infected Countries
Looking at the country list, it is clear that for the examined period, as far as Sundown-based campaigns go, Europe is definitely in the center of attention.
The malware-as-a-service industry, which was one of the most significant trends in 2016, revolutionized the global cyber landscape. Previously, generating profit from attack operations was the business of professional threat actors alone, and required high technological skills. The malware-as-a-service industry turned the situation upside-down – today, an unskilled actor with no relevant technical background who wishes to make some easy profit can purchase a variety of tools and services which provide end-to-end execution and management of attack campaigns worldwide.
From spear-phishing page generation to undetected ransomware to up-to-date attack infrastructure, any part of the infection chain can now be rented in an underground forum. If that’s not enough, reviews for the tools and services can be easily found as well.
So, do you want to be a hacker? It’s a lot easier than it used to be!