Exploit Kits Adopt Fileless Attacks

Delaware, USA – November 26, 2019 – At least a third of active Exploit Kits have started using fileless attacks to spread malware. Malwarebytes monitors the EK landscape, and its recent report sheds fresh light on the changes in techniques. Even though experts have long been predicting the decline of Exploit Kits, they are not going to retire and continue to infect users with banking trojans, cryptocurrency miners, and ransomware. This fall, both the “greybeards” (RIG EK) and their younger colleagues (Spelevo EK, Fallout EK, Underminer EK) were active. While the more famous Exploit Kits continue to use proven tactics, some EKs have already abandoned dropping malware files on vulnerable systems. Instead, Purple Fox EK, Underminer EK, and Magnitude EK adopted fileless attacks that load malicious code directly into system memory, evading some security products and increasing infection rates. Magnitude EK spreads Magniber ransomware, Underminer spreads Hidden Bee (a cryptocurrency miner), and Purple Fox EK infects its victims with the Kpot trojan.

Another change concerns the exploits used. Usually, Exploit Kits infect users by exploiting old vulnerabilities in Internet Explorer and Flash Player, but EKs are now dropping their Flash Player exploits, sometimes in favor of even more ancient exploits for IE. Researchers believe this is because fewer and fewer users have Flash Player installed, and Adobe will soon end its support altogether. Internet Explorer users, on the other hand, are mainly employees of companies whose corporate policies prohibit the installation of third-party browsers, and the main efforts of Exploit Kit operators are directed at them. To closely monitor Microsoft Windows and Active Directory security events, organizations can use free SIEM content available on Threat Detection Marketplace: https://my.socprime.com/en/integrations/windows-security-monitor