The number of exploit kits available has experienced exponential growth in the last few years. Since Blackhole’s author was arrested in 2013, the number of Exploit Kits has increased – including Neutrino, Magnitude, Nuclear, Rig and Angler. Below, Jaime Blasco, Director of AlienVault Labs, discusses Archie, an Exploit Kit that was first discovered by William Metcalf at EmergingThreats.
It also uses the following trick to check whether or not the system is running a 64-bit version of Internet Explorer.
Depending on the Silverlight, Internet Explorer and Flash versions, it will try to load a different exploit module.
Archie contains shellcode in different formats that is sent to the different exploit modules generated by Metasploit when it loads them.
The shellcode downloads a DLL from the webserver, writes it in \Users\[Current_user]\Temp\e.dll and then loads it.
The IP address where the Archie Exploit Kit is hosted, and the piece of malware delivered, is also being used for click fraud operations. It is related to this research published by Kimberly on the click fraud bot.
The full blog post can be viewed here: http://www.alienvault.com/open-threat-exchange/blog/archie-just-another-exploit-kit/
By Jaime Blasco, Director, AlienVault Labs
About AlienVault Labs
AlienVault Labs conducts security research on global threats and vulnerabilities. The team of security experts, led by renowned Labs director, Jaime Blasco, constantly monitors, analyzes, reverse engineers, and reports on sophisticated zero-day threats including malware, botnets, phishing campaigns and more.
Using an ever-expanding array of manual and automated techniques, AlienVault Labs researchers ensure that AlienVault’s Unified Security Management™ platform is always up-to-date with the latest threat intelligence. In addition, the Labs also runs AlienVault’s Open Threat Exchange™ (OTX), an open information sharing and analysis network that provides real-time, actionable threat information submitted by over 8,000 contributors from over 140 countries.