Exploit kit activity has been decreasing for a couple of years now, a result of some consolidation in the market, as well as effective investigations and takedowns by law enforcement. But that doesn’t mean the attackers using them have given up. They’ve just shifted tactics, with many now focusing on using malvertising and social engineering techniques to target victims.

Attackers have favored exploit kits for many years, mainly because the kits offer the opportunity to compromise a broad range of victims with minimum effort. Exploit kits can be purchased for relatively low prices, and attackers can use them to deliver whatever payload they choose, including ransomware. But activity from these kits has fallen off recently, due to market forces and work by researchers and law enforcement. However, researchers have found that attackers are increasingly turning to the use of subtle social engineering tactics in order to target victims, rather than using the more traditional browser redirection technique.

Researchers at Symantec recently found that two different campaigns, pseudo-Darkleech and EITest, now rely on a combination of malvertising and social engineering, where they formerly used browser redirections.

“In the first half of 2017, the actors behind the EITest campaign began employing social engineering to target mainly Google Chrome users. EITest makes a compromised web page unreadable and then presents the visitor with a pop-up dialogue requesting them to download a font file to be able to view the page, however the file is actually malware,” Siddhesh Chandrayan of Symantec said in an analysis of the campaigns.

“The interesting aspect of this story is, while the instances of these EITest social engineering attacks have been on the rise, the redirections to exploit kits have been steadily declining.”

The shift in tactics is intriguing, especially considering the success that exploit kit operators have had with the combination of site compromises and browser redirections over the years. But it may only be a temporary change, Chandrayan said. And it doesn’t mean exploit kits themselves are going away anytime soon.

“Although redirection from campaigns such as pseudo-Darkleech and EITest have declined, exploit kits continued to stay afloat using another effective redirection method, malicious advertisements. Though the successful infection rate with exploit kits is low these days as attackers continue to move to email as an infection vector, even one successful infection with a threat such as WannaCry (Ransom.Wannacry) could wreak havoc due to the malware’s ability to spread rapidly. Exploit kits, for the time being at least, remain a force to be reckoned with in the security threat landscape,” Chandrayan said.

CC By-SA license image by Christiaan Colen.
