Exploit Kits Migrating Into Fileless Malware Infecting Victims While Evading Security Tools
New research reveals that extremely stealthy exploit kits are increasingly becoming a threat, particularly in browser-based drive-by attacks. Anti-malware software company Malwarebytes has been gathering and indexing attacks and campaigns for the past years to get a glimpse of how the exploit kit landscape operates and how it could change in the future. Researchers at Malwarebytes claim that Exploit Kit (EK) operators are modifying their tactics, and instead of relying on planting malware on disk, three out of nine active EKs are reportedly utilizing file-less attacks.
For the uninitiated, Exploit Kits or EKs are cyber criminal-hosted applications based on the web. Usually, EK operators purchase web traffic from botnet operators or malvertising campaigns. Traffic from hacked websites or malicious ads is relayed to a ‘gate’ where EK operators choose users with specific browsers or Adobe Flash versions.
It then redirects these potential targets to a landing page and runs the exploit. Furthermore, attackers or EK operators use a Flash or browser vulnerability to plant and execute the malware on the computer of the user. This kind of attack heavily relies on loading the malicious code within the RAM without leaving any marks on the disk. While file-less malware has been around for over a decade, this is the first time that exploits kits are adopting the method.
Malwarebytes Analyst Jerome Segura says this is an exciting trend that raises infection rates since it can evade security tools and makes sample sharing more difficult. Among the exploit kits known to leverage on this technique includes Underminer, Magnitude, and Purple Fox. Compared to other broadly used exploit kits such as RIG, Fallout, and Spelevo, these are small-time exploits.
Considering that a third of the current top exploit kits are using file-less techniques clearly indicates the direction where the exploit kits market is heading in the coming months and years. Aside from this, Malwarebytes also discovered that there is a growing number of exploit kits currently abandoning Flash Player exploits. This could be due to the continuous drop in the market share of Adobe Flash in recent years.
Exploit kits have been reportedly dog-piling on bugs on Internet Explorer despite the plummeting share of the browser in the market. Most IE instances today, according to Malwarebytes, are using enterprise networks. By targeting IE users, EK operators are also efficiently targeting enterprise networks, which are the most sought-after targets in the malware segment.
© Copyright IBTimes 2024. All rights reserved.