A newly discovered exploit kit (EK) is being employed in live attacks despite the fact that it’s still in an unfinished state, Trend Micro’s security researchers reveal.
Dubbed Capesand, the toolkit was discovered in October 2019, when a malvertising campaign employing the RIG EK to drop DarkRAT and njRAT switched to using it for delivery instead.
The new threat attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE), but also targets a 2015 vulnerability in the browser.
Capesand’s authors, the security researchers say, appear to be reusing source code from a publicly shared exploit kit. In fact, almost all of the toolkit’s functions, including its exploits, obfuscation, and packing techniques, reuse open-source code.
The malicious advertisements were delivered from the ad network straight to the victim’s browser, posing as a blog discussing blockchain. The page had been copied using the HTTrack website copying tool and contains a hidden iframe to load the exploit kit.
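The delivery page described above (a blog copied with HTTrack, carrying a hidden iframe that loads the kit) is something a defender can screen for in captured landing pages. The following is an added example, not code from the article or from Trend Micro, that flags both traits: it looks for the comment HTTrack inserts at the top of mirrored pages (the exact wording is assumed here) and for iframes hidden by style or by 1x1 dimensions. The sample HTML is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page of the kind the article describes: a mirrored blog
# with one ordinary ad iframe and one hidden iframe pointing at a landing page.
SAMPLE_HTML = """<!-- Mirrored from blockchain-blog.example/ by HTTrack Website Copier/3.x -->
<html><body>
<h1>Blockchain news</h1>
<iframe src="https://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://landing.example/index.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

# Assumed form of the marker HTTrack leaves in mirrored pages.
HTTRACK_MARK = re.compile(r"Mirrored from .* by HTTrack Website Copier", re.I)


class IframeCollector(HTMLParser):
    """Collects iframe attributes and notes whether an HTTrack comment is present."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.mirrored = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

    def handle_comment(self, data):
        if HTTRACK_MARK.search(data):
            self.mirrored = True


def _dimension(value):
    """Parse '1', '1px', etc. into an int; return None when there is no number."""
    try:
        return int(re.sub(r"[^0-9]", "", value or ""))
    except ValueError:
        return None


def is_hidden(attrs):
    """True when an iframe is hidden by CSS or collapsed to 1x1 pixels or smaller."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def scan_page(html):
    """Return the HTTrack indicator and the src of every hidden iframe on the page."""
    parser = IframeCollector()
    parser.feed(html)
    hidden = [f.get("src", "") for f in parser.iframes if is_hidden(f)]
    return {"mirrored_by_httrack": parser.mirrored, "hidden_iframes": hidden}
```

A page that is both an HTTrack mirror and carries a hidden iframe to a third-party host is a strong candidate for the kind of landing page the article describes; either trait alone is weaker evidence.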
Analysis of the Capesand panel has revealed that it allows threat actors to check the status of exploit kit usage and download frontend source code to deploy on their servers. Code similarities suggest the new threat is derived from the old Demon Hunter EK.
The exploits are not included in the frontend EK source code package. Instead, each time Capesand wants to deliver an exploit, it sends a request to a server API to receive it.
The API request includes the requested exploit name, exploit URL, and the victim’s IP address, browser user-agent, and HTTP referrer. The information is AES encrypted with a pre-generated API key inside a configuration file.
The server verifies that a valid API key was used for encryption, collects the victim information, and also retrieves data on the usage of the exploit kit.
The security researchers also discovered a version of Capesand that uses an exploit for the IE vulnerability tracked as CVE-2015-2419. On the developers’ server they identified exploits for CVE-2018-4878 and CVE-2018-15982 (Adobe Flash) and an exploit for CVE-2018-8174 (IE), but not the exploit for CVE-2019-0752 that the source code references.
“This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the cybercriminals planned to use,” Trend Micro notes.
The EK’s developers, the security researchers point out, ensured that the deployed samples had very low detection rates. The code also checks for antimalware products installed on the victim systems.
The miscreants also focus on distributing malicious landing pages via mirrored versions of legitimate websites and use domain names similar to the originals to further avoid raising suspicion.
“In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms,” Trend Micro concludes.