Top Exploit Kit Activity Roundup – Winter 2018

Overview: This is the seventh in a series of blogs collecting the recent activity of the current top exploit kits. Exploit kits are rapidly deployable software packages designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. Authors of exploit kits offer their services for sale, distributing malware for other malicious actors. Find our previous roundup here.

RIG Exploit Kit

RIG EK has maintained its position as the most active exploit kit, but overall volume of RIG traffic was down over the fall quarter. In November, RIG activity declined significantly, and this trend continues throughout December. RIG continues to install ransomware, banking trojans, and cryptocurrency mining software on vulnerable systems.

Figure 1: RIG hits, September 2017 – December 2017
Figure 2: RIG Heat Map

Though still consistently active, the volume of RIG activity dropped significantly in November 2017. Global distribution of RIG activity has also changed since our last roundup. For the last quarter, virtually all observed RIG traffic has been within the United States, Russia, and Japan. This was unexpected, as previous analyses had shown an appreciable amount of activity in Europe, the rest of the Americas, and Southeast Asia. Among the number of concurrent RIG campaigns this year, the...

Terror Exploit Kit via Malvertising campaign

Terror Exploit Kit (EK) is one of the newer EKs that came to the scene in early 2017 and was mentioned in our Winter 2017 quarterly EK roundup, where it was mainly installing ccminer Bitcoin mining applications. Terror EK activity has been low throughout the year, but we are starting to see an uptick in the activity delivered via malvertising campaigns in the past two months. The graph below shows Terror EK activity for the past two months.

Figure 1: Terror EK activity between September 1 and October 23, 2017.

The image below shows recent Terror EK cycles from this month.

Figure 2: Terror Exploit Kit Cycles

In this blog, we will look at the Terror EK flow and a few changes in the exploit kit that we observed in the recent campaign. Terror EK redirects are seen in the form of fake advertisement pop-ups; one such advertisement is shown below.

Figure 3: Terror EK malvertisement website.

The malvertising campaigns have themes like '20 minute fat loss', 'quit smoking' and 'science'. A few of the redirects were from the Propeller Ads media network, through their onclkdsnet domain. The initial JavaScript that gets served via a malicious advertisement page is obfuscated, as seen below.

Figure 4: Obfuscated JavaScript loaded by the malvertisement website.

The deobfuscated version of this JavaScript is shown below.

Figure 5:...

Labs report: summer ushers in unprecedented season of breaches

In this edition of the Malwarebytes Cybercrime Tactics and Techniques report, we saw a number of high profile breaches targeting the personal information of hundreds of millions of people. We also observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams.

Categories: Malwarebytes news
Tags: 3rd quarter, android malware, astrum, breach, cerber, cybercrime, cybercrime tactics and techniques, emotet, Equifax, exploit kit, francophone, fruitfly, globeimposter, Locky, mac malware, malicious spam, malspam, Malwarebytes, malwarebytes labs, national health service, NHS, oceanlotus, q3 2017, report, RIG, smartscreen, sonic, tech support scams, trickbot, trojan.clicker.hyj, whole foods

Drive-by mining and ads: The Wild Wild West

Cryptomining in the browser is all the rage lately. But what are the impacts for users when it is being abused by dubious publishers?

Categories: Social engineering, Threat analysis
Tags: ads, browser, coinhive, cryptominer, cryptomining, cryptonight, exploit kit, JS, malvertising, malware

Top Exploit Kit Activity Roundup – Summer 2017

Overview: This is the third installment in a series of blogs highlighting the recent activity of the top exploit kits. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. EK authors offer their services for sale, distributing malware for other malicious actors. In this blog, we will be looking at the most active EKs, including RIG, Magnitude, Terror, and the newest arrival - Disdain. You can read our roundup from spring 2017 here.

RIG Exploit Kit

RIG remains the most consistently active exploit kit, distributed over several simultaneous campaigns to install ransomware, banking Trojans, and cryptocurrency mining software on vulnerable systems. In the latter part of spring, we saw a small decline in RIG activity; however, since then, we observed generally steady RIG traffic, with the exception of small spikes in June and August.

Figure 1: RIG hits, June 2017 – August 2017
Figure 2: RIG heat map, June 2017 – August 2017

The distribution of RIG hosts remains somewhat similar to previous reports, although the activity we observed in Southeast Asia and South America earlier this year was absent this quarter. In addition, the last three months show an increase in the RIG...

A week in security (August 28 – September 3)

Last week, we looked at what actions Kronos can perform in the final installment of a 2-part post. We also dived into Locky, again, a ransomware that just made a comeback, and found that its latest variant (as of this writing) has anti-sandboxing capabilities. This means that once Locky has determined that it’s residing in...

Categories: Security world, Week in security
Tags: 419 scam, exploit kit, insider threats, kronos, Locky, malvertising, PrincessLocker, ransomware, recap, RIG, security, weekly blog roundup

Cerber ransomware delivered in format of a different order of Magnitude

We review a trick that the Magnitude exploit kit uses to bypass security scanners.

Categories: Exploits, Threat analysis
Tags: binary padding, cerber, exploit kit, gate, Magnigate, magnitude EK, ransomware, XML