What Is It?
Though declining significantly in prevalence in recent years, exploit kits were previously one of the most popular and successful attack vectors. The use of exploit kits grew with the rise of malware-as-a-service (MaaS), where prospective attackers could purchase complete solutions comprising the malware itself and all the infrastructure required to infect victims and track those infections.
Exploit kits were also essentially the first fileless attacks. The basic attack chain has remained unchanged: a user visits a legitimate website that the attacker has compromised by injecting a malicious iframe into the page’s HTML source. The link in the iframe invokes the exploit kit, which, depending on the operating system and browser, attempts to exploit vulnerabilities in installed software. If the exploit succeeds, the user’s system is infected with malware. Over time, various applications have been targeted by exploit kits, including the browsers themselves, Java and Microsoft Silverlight. By far the most popular target, however, has been Adobe Flash Player; at times it has been estimated that over 80% of exploit kit exploits target Flash and its numerous vulnerabilities.
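The injected iframe at the start of that chain is usually made invisible to the visitor (zero-size, hidden by CSS, or positioned off-screen) and points at a host the compromised site never referenced before. The following Python script, added here as an illustration and not taken from the report or from BluVector's product, scans a page's HTML for iframes showing those traits so a site owner or analyst can spot an injection during review. The sample HTML and the hostnames in it are constructed for the example.

```python
"""Flag <iframe> elements that look like an exploit kit injection.

Example code, not part of the original post. Heuristics: an iframe that is
zero- or one-pixel in size, hidden via CSS, or pushed off-screen is reported;
when it also loads from a host other than the page's own, that is noted.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute names arrive lower-cased; a valueless attribute is None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True when a width/height attribute resolves to 0 or 1 pixel."""
    match = re.match(r"\s*(\d+)", value or "")
    return match is not None and int(match.group(1)) <= 1


def iframe_reasons(attrs, page_host):
    """Return the list of reasons an iframe is suspicious (empty if none)."""
    reasons = []
    if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
        reasons.append("zero-or-one-pixel size")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    if re.search(r"(left|top):-\d", style):
        reasons.append("positioned off-screen")
    if not reasons:
        return reasons  # visible, normally sized embeds are not reported
    host = urlparse(attrs.get("src", "")).hostname
    if host and page_host and host != page_host:
        reasons.append(f"third-party source {host}")
    return reasons


def find_suspicious_iframes(html, page_url):
    """Parse html (the page served at page_url) and report suspicious iframes."""
    collector = IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in collector.iframes:
        reasons = iframe_reasons(attrs, page_host)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


# Constructed sample: one legitimate video embed, one hidden 1x1 frame that
# loads from an unrelated host, and one frame pushed off-screen.
SAMPLE_PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Example site</h1>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://landing.example.net/gate.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/local/widget.html" style="position:absolute; left:-9999px; top:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

The visible 560x315 embed is deliberately not reported, since loading a frame from another host is normal for video and advertising widgets; only a frame the visitor cannot see is escalated, with the foreign host recorded as context for the analyst.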
Since its initial release in April 2014, the RIG exploit kit has arguably been the most successful exploit kit, and with that success it became a widely used attack vector during the rise of ransomware. Despite a reduction in exploit kit activity over the past two years, a recent report from researchers at FireEye is a reminder that it would be premature to discount exploit kits as a threat.
In their research, they describe the RIG exploit kit using the tried and true attack chain, exploiting a Flash vulnerability with a malicious Flash file, which results in infection by a variant of the Grobios malware, a backdoor trojan. Before connecting to its command and control (C2) site, Grobios uses several well-known techniques to check that it is not running in a VM and that common malware analysis tools are not present. The malware is also designed to hamper static analysis of its code.
How Does It Propagate?
The RIG exploit kit is the propagation vector for the Grobios trojan in this case.
When/How Did BluVector Detect It?
BluVector’s patented Machine Learning Engine (MLE) detected both the malicious Flash file and the Grobios trojan used in this attack. Regression testing has shown the Flash file would have been detected 41 months prior to its release and samples of the Grobios trojan an average of 50 months prior.