An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP.
Some of the first exploit kits were WebAttacker and MPack, both created in 2006. They were sold on black markets, enabling attackers to use exploits without advanced knowledge of computer security.
The Blackhole exploit kit was released in 2010, and could either be purchased outright, or rented for a fee. Malwarebytes stated that Blackhole was the primary method of delivering malware in 2012 and much of 2013. After the arrest of the authors in late 2013, use of the kit sharply declined.
Neutrino was first detected in 2012, and was used in a number of ransomware campaigns. It exploited vulnerabilities in Adobe Reader, the Java Runtime Environment, and Adobe Flash. Following a joint-operation between Cisco Talos and GoDaddy to disrupt a Neutrino malvertising campaign, the authors stopped selling the kit, deciding to only provide support and updates to previous clients. Despite this, development of the kit continued, and new exploits were added. As of April 2017, Neutrino activity ceased. On June 15, 2017, F-Secure tweeted "R.I.P. Neutrino exploit kit. We'll miss you (not)." with a graph showing the complete decline of Neutrino detections.
From 2017 onwards, the usage of exploit kits has dwindled. There are a number of factors which may have caused this, including arrests of cybercriminals, improvements in security making exploitation harder, and cybercriminals turning to other method of malware delivery, such as Microsoft Office macros and social engineering.
The general process of exploitation by an exploit kit is as follows:
- The victim navigates to a website infected by an exploit kit. Links to infected pages can be spread via spam, malvertising, or by compromising legitimate sites.
- The victim is redirected to the landing page of the exploit kit.
- The exploit kit determines which vulnerabilities are present, and which exploit to deploy against the target.
- The exploit is deployed. If successful, a payload of the attacker's choosing (i.e. malware) can then be deployed on the target.
Exploit kits employ a variety of evasion techniques to avoid detection. Some of these techniques include obfuscating the code, and using fingerprinting to ensure malicious content is only delivered to likely targets.
- Cannell, Joshua (11 February 2013). "Tools of the Trade: Exploit Kits". Malwarebytes Labs. Retrieved 8 April 2022.
- Chen, Joseph; Li, Brooks. "Evolution of Exploit Kits" (PDF). Trend Micro. Retrieved 8 April 2022.
- "Markets for Cybercrime Tools and Stolen Data" (PDF). RAND Corporation. 2014.
- "Blackhole malware exploit kit suspect arrested". BBC News. 9 October 2013. Retrieved 8 April 2022.
- Kujawa, Adam (4 December 2013). "Malwarebytes 2013 Threat Report". Malwarebytes Labs. Retrieved 8 April 2022.
- Zorabedian, John (9 October 2013). "Is the Blackhole exploit kit finished?". Sophos News. Retrieved 3 April 2022.
- Fisher, Dennis. "Blackhole and Cool Exploit Kits Nearly Extinct". threatpost.com. Retrieved 3 April 2022.
- "Neutrino Exploit kit: A walk-through into the exploit kit's campaigns distributing various ransomware". Cyware Labs. Retrieved 8 April 2022.
- "Neutrino". Malwarebytes Labs. Retrieved 8 April 2022.
- "Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down". threatpost.com. Retrieved 8 April 2022.
- "Former Major Player Neutrino Exploit Kit Has Gone Dark". Bleeping Computer. Retrieved 8 April 2022.
- Schwartz, Mathew (15 June 2017). "Neutrino Exploit Kit: No Signs of Life". www.bankinfosecurity.com. Retrieved 8 April 2022.
- F-Secure [@FSLabs] (15 June 2017). "R.I.P. Neutrino exploit kit. We'll miss you (not)" (Tweet) – via Twitter.
- "Where Have All The Exploit Kits Gone?". threatpost.com. Retrieved 8 April 2022.
- "exploit kit - Definition". Trend Micro. Retrieved 8 April 2022.
- "Exploit Kits Improve Evasion Techniques". McAfee Blog. 12 November 2014. Retrieved 8 April 2022.
- "Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised". Unit42. 11 January 2016. Retrieved 8 April 2022.