Actively Developed Capesand Exploit Kit Emerges in Attacks

A newly discovered exploit kit (EK) is being employed in live attacks despite the fact that it’s still in an unfinished state, Trend Micro’s security researchers reveal.

Dubbed Capesand, the toolkit was discovered in October 2019, when a malvertising campaign employing the RIG EK to drop DarkRAT and njRAT switched to using it for delivery instead.

The new threat attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE), but also targets a 2015 vulnerability in the browser.

Capesand’s authors, the security researchers say, appear to be reusing source code from a publicly shared exploit kit. In fact, almost all of the toolkit’s functions, including its exploits, obfuscation, and packing techniques, reuse open-source code.

The malicious advertisements were delivered from the ad network straight to the victim’s browser, posing as a blog discussing blockchain. The page had been copied using the HTTrack website copying tool and contains a hidden iframe to load the exploit kit.

Analysis of the Capesand panel has revealed that it allows threat actors to check the status of exploit kit usage and download frontend source code to deploy on their servers. Code similarities suggest the new threat is derived from the old Demon Hunter EK.

Some of the targeted vulnerabilities include CVE-2018-4878 (Adobe Flash), along with CVE-2018-8174 and CVE-2019-0752 (Internet Explorer).

The exploits are not included in the frontend EK source code package. Instead, each time Capesand wants to deliver an exploit, it sends a request to a server API to receive it.

The API request includes the requested exploit name, exploit URL, and the victim’s IP address, browser user-agent, and HTTP referrer. The information is AES encrypted with a pre-generated API key inside a configuration file.

The server verifies if a valid API key was used for encryption, collects victim information, and also retrieves data on the usage of the exploit kit.

The security researchers also discovered a version of Capesand that exploits the IE vulnerability tracked as CVE-2015-2419. On the developers’ server they identified exploits for CVE-2018-4878 and CVE-2018-15982 (Adobe Flash) and for CVE-2018-8174 (IE), but not the exploit for CVE-2019-0752 that is referenced in the source code.

“This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the cybercriminals planned to use,” Trend Micro notes.

The EK’s developers, the security researchers point out, ensured that the deployed samples had very low detection rates. The code also checks for antimalware products installed on the victim systems.

The miscreants also focus on distributing malicious landing pages via mirrored versions of legitimate websites and use domain names similar to the originals to further avoid raising suspicion.
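The two landing-page tricks described in the article, a hidden iframe injected into a mirrored copy of a legitimate site and a domain name that closely resembles the original, can both be checked for on the defender's side. The following is an added example, not code from the article or from Trend Micro's report: it parses a captured HTML page with the standard library, flags iframes that are zero-sized or CSS-hidden, and compares each iframe's host against a list of domains the analyst trusts using plain edit distance. The sample page and the trusted-domain list are constructed for illustration.

```python
"""Added example (not from the SecurityWeek article or Trend Micro's report):
flag hidden iframes and lookalike iframe hosts in a captured landing page.
The sample HTML and trusted-domain list below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make a frame invisible to the user.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attributes without a value arrive as None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Heuristic: a frame that is CSS-hidden or at most 1px in either dimension."""
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic DP, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted, max_distance=2):
    """Return the trusted domain that `host` nearly matches, or None.

    An exact match is legitimate and returns None immediately."""
    host = host.lower()
    for t in trusted:
        if host == t:
            return None
        if 0 < edit_distance(host, t) <= max_distance:
            return t
    return None


def scan_page(html, trusted_domains):
    """Return one finding per iframe that is hidden or points at a lookalike host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        hidden = is_hidden(attrs)
        look = lookalike_of(host, trusted_domains)
        if hidden or look:
            findings.append({"src": src, "hidden": hidden, "lookalike_of": look})
    return findings


# Constructed sample: a mirrored "blockchain blog" with one benign frame,
# one CSS-hidden frame on a lookalike host, and one zero-sized frame.
SAMPLE_HTML = """<html><body>
<h1>Blockchain blog (constructed mirror of a legitimate page)</h1>
<iframe src="https://example-blog.com/widget" width="300" height="200"></iframe>
<iframe src="https://exarnple-blog.com/x.php" style="display:none"></iframe>
<iframe src="https://cdn.example-blog.com/y" width="0" height="0"></iframe>
</body></html>"""
TRUSTED = ["example-blog.com", "cdn.example-blog.com"]

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, TRUSTED):
        print(finding)
```

The size and style heuristics are deliberately simple; a production check would also follow `src` redirects and resolve the frame host's registration data before deciding it is a mirror. The edit-distance threshold of 2 catches single-character substitutions and the common "rn" for "m" swap, while leaving genuine subdomains of a trusted domain alone.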

“In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms,” Trend Micro concludes.

Related: New ‘Lord’ Exploit Kit Emerges

Related: Exploit for Recent Flash Zero-Day Added to Fallout Exploit Kit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
