After several months in decline, Exploit kit infections show sharp uplift and deliver a variety of threats, says Check Point
Check Point has revealed a massive uplift in Exploit Kit usage by cybercriminals worldwide, with the Rig Exploit Kit reaching second place in the company’s March Global Threat Impact Index.
Exploit Kits, which are designed to discover and exploit vulnerabilities on machines in order to download and execute further malicious code, have been in decline since a high point in May 2016, following the demise of the leading Angler and Nuclear variants. However, March saw the Rig EK surge up the rankings, being the second most-used malware worldwide throughout the period. The Terror Exploit Kit also increased dramatically in usage in March, and was just one place from making it into the monthly top ten list.
Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript, which then checks for vulnerable plug-ins and delivers the exploit. Terror was first detected at the start of December 2016, and contained eight different operational exploits. Both Rig and Terror have been witnessed delivering a wide variety of threats, from ransomware and banking Trojans to spambots and BitCoin miners.
Continuing the trend seen in February, the top three malware families reveal a wide range of attack vectors and targets, which impact all stages of the infection chain. Ransomware proved one of the most profitable tools at cybercriminals’ disposal throughout 2016, and with popular Exploit Kits now being used to deliver it, the threat shows no sign of dying down.
The most common malware in March were HackerDefender and Rig EK in first and second place, each impacting 5% of organizations worldwide, followed by Conficker and Cryptowall, each impacting 4% of organizations worldwide.
March 2017’s Top 3 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
- ↑HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
- ↑ Rig EK– Exploit Kit first introduced in 2014. Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
- ↑ Conficker– Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
In mobile malware, the top two families remained the same as in February, while Ztorg climbed back into the top three.
Top 3 ‘Most Wanted’ mobile malware:
1. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
2. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
3. Ztorg – Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.
Nathan Shuchami, VP of Emerging Products at Check Point commented: “The dramatic resurgence of Exploit Kits in March illustrates that older threats don’t disappear forever – they simply go dormant and can be quickly redeployed. It is always easier for malicious hackers to revisit and amend existing malware families and threat types rather than develop brand new ones, and Exploit Kits are a particularly flexible and adaptable threat type. To deal with the threat from Rig, Terror and other Exploit Kits, organizations need to deploy advanced security systems across the entire network, such as Check Point’s SandBlast Zero-Day Protection and Mobile Threat Prevention.”
The ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.
[su_box title=”About Check Point” style=”noise” box_color=”#336588″][short_info id=’74105′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.