An exploit kit is a malicious toolkit whose purpose is to identify vulnerabilities in client machines. These vulnerabilities are then exploited in order to upload and execute malicious code on the client. Exploit kits also provide a user interface that lets an attacker view success rates and other statistics, as well as control the client's settings. According to Check Point's analysis and reports, there was a notable spike in exploit kit usage as of January 14th 2016.


Description

Exploit kits are a type of malicious toolkit used to exploit security holes in software applications and spread malware. These kits come with pre-written exploit code and target users whose computers are running insecure or outdated software applications. This is a typical sequence of events:

  1. Cybercriminals hack a web server.
  2. A user visits a compromised website whose web server was hacked or where malicious ads are displayed.
  3. The compromised web server performs a redirection to an exploit kit URL.
  4. The victim visits an exploit kit page.
  5. The exploit kit gathers information on the victim and determines which exploit to deliver.
  6. The exploit is delivered.
  7. If the exploit succeeds, a malicious payload is downloaded to the victim’s computer and executed. This is known as a drive-by download as it happens without the victim’s knowledge or consent. An example of a ransomware payload was recently published by Check Point’s intelligence analyst in this blog post.
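
The sequence above leaves a trace in web proxy logs: a browser session that starts on a legitimate site, is pulled to a landing page on a different host, receives an exploit object and then downloads a binary. The following script is an added example (not Check Point's code and not from the original article) showing how a defender can reconstruct per-client referer chains from such logs and flag the ones that match this drive-by pattern. The log format, the host names in the sample lines and the content-type heuristics are all assumptions constructed for the example; the hosts are not real indicators.

```python
from urllib.parse import urlparse

# Constructed proxy log (hypothetical hosts, NOT real indicators). Assumed field
# order: timestamp client_ip method url status content_type referer ('-' = none).
SAMPLE_LOG = """\
2016-01-14T10:00:01 10.0.0.5 GET http://news.example-compromised.test/article.html 200 text/html -
2016-01-14T10:00:03 10.0.0.5 GET http://x7f2.example-ek.test/landing.php?id=42 200 text/html http://news.example-compromised.test/article.html
2016-01-14T10:00:04 10.0.0.5 GET http://x7f2.example-ek.test/e.swf 200 application/x-shockwave-flash http://x7f2.example-ek.test/landing.php?id=42
2016-01-14T10:00:05 10.0.0.5 GET http://x7f2.example-ek.test/p.bin 200 application/octet-stream http://x7f2.example-ek.test/e.swf
2016-01-14T10:01:00 10.0.0.7 GET http://www.example-corp.test/index.html 200 text/html -
2016-01-14T10:01:02 10.0.0.7 GET http://www.example-corp.test/setup.exe 200 application/octet-stream http://www.example-corp.test/index.html
2016-01-14T10:02:00 10.0.0.9 GET http://video.example-media.test/watch.html 200 text/html -
2016-01-14T10:02:01 10.0.0.9 GET http://video.example-media.test/player.swf 200 application/x-shockwave-flash http://video.example-media.test/watch.html
"""

# Heuristic content types: objects that typically carry the exploit (step 6)
# and binaries that typically are the dropped payload (step 7).
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-silverlight-app"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec"}
MAX_CHAIN = 10  # guard against referer loops


def parse_log(text):
    """Yield one dict per log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, client, method, url, status, ctype, referer = parts
        yield {"ts": ts, "client": client, "url": url, "status": status,
               "ctype": ctype.lower(), "referer": None if referer == "-" else referer}


def find_driveby_chains(text):
    """Return the referer chains that match the drive-by sequence, root URL first."""
    seen = {}       # (client, url) -> most recent request record for that URL
    findings = []
    for rec in sorted(parse_log(text), key=lambda r: r["ts"]):
        seen[(rec["client"], rec["url"])] = rec
        if rec["ctype"] not in PAYLOAD_TYPES:
            continue
        # Walk the referer chain backwards from the binary download to its root.
        chain, cur = [rec], rec
        while cur["referer"] and len(chain) < MAX_CHAIN:
            cur = seen.get((rec["client"], cur["referer"]))
            if cur is None:
                break
            chain.append(cur)
        chain.reverse()  # the site the user originally visited comes first
        hosts = []
        for r in chain:
            host = urlparse(r["url"]).hostname
            if host not in hosts:
                hosts.append(host)
        delivered_exploit = any(r["ctype"] in EXPLOIT_TYPES for r in chain)
        # Drive-by signature: the session left the site it started on, received
        # an exploit object, and then pulled down a binary.
        if delivered_exploit and len(hosts) >= 2:
            findings.append({"client": rec["client"], "hosts": hosts,
                             "urls": [r["url"] for r in chain]})
    return findings


if __name__ == "__main__":
    for finding in find_driveby_chains(SAMPLE_LOG):
        print(finding["client"], " -> ".join(finding["hosts"]))
        for url in finding["urls"]:
            print("   ", url)
```

On the constructed log only client 10.0.0.5 is flagged: the plain installer download by 10.0.0.7 stays on one host and involves no exploit object, and the video site visited by 10.0.0.9 serves its own Flash player without any binary following it. Requiring both the host change and the exploit-type object before the binary is what keeps those two benign sessions out of the result; a real deployment would also follow HTTP 302 redirects (the gate in step 3), which a referer walk alone does not see.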

Exploit kits also try to exploit zero-day vulnerabilities; Check Point IPS protections block these attacks, as published in this blog post. Angler is the most popular exploit kit nowadays, deployed on 30% of all compromised websites. Angler is also the most technically advanced: it supports a more diverse infection spectrum and employs various techniques to evade antivirus protections.

Check Point IPS Protections

References

Appendix A – Exploit Kits Covered by Check Point IPS

Check Point IPS protections cover the following exploit kits:

  • Angler
  • Archie
  • Astrum
  • Beta (Sundown)
  • BlackHole
  • Fiesta
  • g01pack
  • Gondad
  • HanJuan
  • Hunter
  • Infinity
  • LightsOut/Hello
  • Magnitude
  • Neutrino
  • Nuclear
  • NullHole
  • RIG
  • Spartan
  • Sweet Orange
