Security Experts:

Connect with us

Hi, what are you looking for?



Exploit Kit Infrastructure Activity Jumps 75 Percent: Report

Most Popular Exploit Kits

Cybercriminals ramped up the creation of Domain Name System (DNS) infrastructure for exploit kits by 75 percent year-on-year during the third quarter of 2015, a recent report from Infoblox Inc. reveals.

Most Popular Exploit Kits

Cybercriminals ramped up the creation of Domain Name System (DNS) infrastructure for exploit kits by 75 percent year-on-year during the third quarter of 2015, a recent report from Infoblox Inc. reveals.

According to the company’s Infoblox DNS Threat Index, powered by IID, Angler is the largest threat among exploit kits. However, the report also shows that exploit kit activity was driven by incidents of the Angler, Magnitude, Neutrino, and Nuclear crimeware families, and that a significant contributor to the command-and-control (C&C) category was domain generation algorithm (DGA) based malware Matsnu.

Infoblox notes that the increase in exploit kits is alarming because the category represents the automation of cybercrime and because attackers can use them to target individuals, businesses, schools, and government agencies. Exploit kits are created by a small number of cybercriminals, but they can be rented to low-skilled threat actors with little technical knowledge.

The Angler, Magnitude, Neutrino, and Nuclear exploit kits accounted for 96 percent of the category’s activity in the third quarter of the year. Angler took the first position with 30 percent of total activity, followed closely by Magnitude with 29 percent, while Neutrino and Nuclear took the third and fourth positions, with 21 percent and 16 percent of exploit kit activity, respectively.

Exploit kit attacks are usually conducted via spam emails and compromised websites, but can also be embedded in online ads (malvertising), and deliver a malicious payload when the user clicks on emails or ads. By taking advantage of vulnerabilities in other applications, exploit kits can plant ransomware, capture login credentials, or sensitive data.

Hackers frequently update exploit kits to take advantage of the latest zero-day vulnerabilities in popular software such as Adobe Flash Player. In Q3, exposed visitors to malicious advertisements that hackers managed to inject in the website to redirect users to a landing page for the Neutrino and Angler exploit kits.

Recent variants of Magnitude were used to target vulnerabilities in Adobe’s Flash Player and to deliver Cryptowall 3.0 ransomware, while Neutrino targets vulnerabilities in older versions of Java to download ransomware. The Nuclear exploit kits targets flaws in Adobe Flash, Adobe PDF, and Microsoft Internet Explorer, is usually used in high-volume compromises, and receives constant updates and improvements.

The report (PDF) also reveals that Matsnu malware, (also known as Androm), has become a significant contributor to the C&C malware category. The malware acts as a backdoor and can also download and install additional malicious software, while using DGA to communicate with C&C servers. With DGA, dynamically generated domains that are used as C&C domains for short periods of time allow bad actors to avoid being blocked.

Phishing is the main driver for malicious activities, despite the fact that it has been around for a long time, mainly because the technique works, the report reads. Courtesy of a rapidly created DNS infrastructure (representing a planting phase), cybercriminals build a base to launch attacks, steal data, and generally cause harm to their victims (during a so-called harvesting phase).

“Cybercriminals don’t stand still, and exploit kits are constantly evolving to take advantage of newly discovered vulnerabilities and to avoid traditional security systems. Organizations need to protect themselves by plugging into reliable sources of threat intelligence, then use that intelligence to disrupt malware communications through protocols such as DNS,” said Rod Rasmussen, chief technology officer at IID, said.

In September, Kaspersky Lab revealed that the Angler exploit kit started leveraging the Diffie-Hellman cryptographic algorithm to make it more difficult to detect exploits and prevent analysis. In October, Cisco announced that it caused significant damage to the operations of a cybercriminal group that could have made millions of dollars using ransomware distributed with the aid of the notorious Angler exploit kit.

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.