Angler and Nuclear, two of the exploit kits (EKs) that dominated the landscape for years, are gone, with Neutrino and RIG being the leading crimekits now, but still far from reaching the EK traffic registered just a couple months ago.
As malware authors turn to Neutrino and RIG, as well as to other smaller EKs, for distribution, security researchers are looking into how the threat landscape is evolving, and they are signaling a massive change. Exploit kit traffic is only a small percentage of what it used to be: it has dropped 96% since early April.
The summer of 2016 starts with a major shift on the malware landscape, fueled by the apparent demise of some of the biggest names out there: the Angler and Nuclear exploit kits, along with the Necurs botnet, which brought down Dridex and Locky. The malware industry clearly took a hit when all these big names disappeared, but we shouldn’t open the champagne just yet, since others have already taken over their malicious activities.
The first to disappear from the threat landscape was Nuclear, which was last seen at the end of April, and which was largely replaced by Angler. Around since 2009, Nuclear is the oldest EK out there, and it’s still uncertain whether its disappearance is permanent or not. Its operators might have taken a long vacation and could return soon.
In April, Check Point researchers published a detailed analysis of the Nuclear infrastructure (PDF), and followed it with a second report about a month ago, when they revealed that the group behind the EK is making roughly $100,000 per month. They also discovered that the EK, which was being actively updated in mid-April, was operated by a group of developers led by an individual in Krasnodar, Russia.
Contacted by SecurityWeek, French security researcher Kafeine, who works with Proofpoint and maintains the Malware don’t need Coffee blog, says that Check Point’s report might have scared the Nuclear operators, but not permanently. In fact, he pointed to a forum post in which an admin reveals that Nuclear has retired and that an official announcement will be made should the EK return.
Symantec notes that Nuclear’s activity ceased in the first week of May, but doesn’t offer an official explanation for it. Brad Duncan, a Palo Alto Networks security researcher and handler at the SANS Institute’s Internet Storm Center, responded to a SecurityWeek inquiry to say that mid-April 2016 was the last time he saw a Nuclear campaign, and that the campaign actually switched to Angler EK at that time.
What’s interesting to note, however, is that a graph published by Proofpoint late last week suggests that Nuclear was still active during the second half of May.
After Nuclear, the Necurs botnet suffered an outage at the end of May, which resulted in Dridex and Locky infections essentially coming to a stop on June 1. Although their infection campaigns amounted to hundreds of millions of spam messages, the two pieces of malware were so tightly tied to Necurs that they went down along with it, although they attempted a slow recovery several days later.
The largest hit that the malware industry took this year, however, was the death of Angler, which was the most used exploit kit out there, accounting for around two thirds of all EK traffic in the first three months of the year. Angler’s death, however, might have an explanation: it appears related to the 50 recent arrests in Russia that were associated with users of the Lurk malware.
A general consensus among security researchers is that Angler, which was abusing recent Flash zero-days and was capable of evading Microsoft’s EMET, is dead, given that it completely vanished from all infection chains on June 7. Starting on that date, the payloads usually dropped by Angler started being delivered by Neutrino, including the CryptXXX ransomware, which had been dropped by Angler since its initial appearance on the threat landscape.
Neutrino and RIG take over the EK landscape
According to Proofpoint researchers, the switch from Angler to Neutrino wasn’t an overnight one: Angler’s activity had been steadily dropping since early April, until it came to a full stop at the beginning of June. They also explain that most of the Angler customers have migrated to Neutrino and RIG, but that Sundown is also showing small traffic.
The CryptXXX ransomware was distributed via Neutrino before Angler’s disappearance too, but most of the biggest infection paths migrated to it in June, Kafeine told us. On the company’s blog, Proofpoint researchers also explain that CryptXXX’s shift from Angler to Neutrino was accompanied by a jump to the latter EK of threat actors who operate with traffic from high-profile malvertising chains or from compromised websites.
“By our estimates, Neutrino dropping CryptXXX account for as much as 75% of observed exploit kit traffic, and another 10% combined from Neutrino and Magnitude dropping Cerber ransomware. Most of the remaining 15% of EK traffic is RIG dropping a variety of payloads (banking Trojan, info stealers, loaders) on lower-value malvertising traffic, with various smaller EKs such as Sundown, Kaixin, Hunter and others making up the last 1% of total observed EK traffic,” Proofpoint says.
However, compared to the beginning of April, the current EK traffic is insignificant, mainly because two major threat actors are seemingly suspending campaigns instead of migrating fully to Neutrino, Proofpoint says. They also note that the silence noticed after several months of very high-volume attacks and heavy traffic to Angler-compromised sites is striking and that the overall EK traffic is down 96% since two months ago.
Malwarebytes researchers also point out that Neutrino started filling in for Angler in high-profile malvertising attacks last week, and that other active EKs include RIG, Magnitude, and Sundown/Xer. KaiXin and Hunter, along with a series of custom-made EKs used in targeted attacks, account for a much lower distribution, Malwarebytes also says.
Kaspersky Lab also confirms that Angler and Nuclear, which are considered two “market makers,” are almost completely out of the game. “As a result, groups that were distributing their malware through those exploit kits switched to using Neutrino and RIG exploit kits. For example, the group behind the CryptXXX ransomware switched over to Neutrino (early they worked only with Angler),” Anton Ivanov, senior malware analyst, Kaspersky Lab, told SecurityWeek via email.
“Currently we are seeing a rapid increase in the usage of the Neutrino exploit kit,” Ivanov also said. The researchers explained to us that the Neutrino EK is currently used mainly for the distribution of the CryptXXX ransomware, while Magnitude is used to distribute the Cerber ransomware, and RIG is focused on spreading the Betabot Trojan.
What remains to be seen, however, is how well Neutrino, RIG and Magnitude will manage to fill in for Angler and Nuclear. Neutrino EK’s effectiveness compared to Angler’s is questionable, especially when noticing the large contraction in worldwide EK activity that Proofpoint warns about.
As Kafeine pointed out to us, it’s actually difficult to pinpoint exactly the recent switch in EK activity, but users shouldn’t feel safer than before. “Most of infection paths/vectors are still alive. Bad guys have switched weapons…but they are still firing,” Kafeine said. As long as there’s money to be made, cybercriminals are expected to either revive old projects or find new tools to conduct their nefarious operations.
Thus, it’s important that users make sure they keep their software up to date at all times, to stay protected from the drive-by download attacks that EKs usually employ. And, if Angler’s demise is connected to the Lurk arrests, it appears of vital importance that security researchers continue to closely monitor EK activity and to work with law enforcement agencies around the world to take down the cybercriminals behind these kits, thus making the Internet a bit safer for all.