{"id":16932,"date":"2019-11-19T11:10:05","date_gmt":"2019-11-19T19:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/19\/news-10669\/"},"modified":"2019-11-19T11:10:05","modified_gmt":"2019-11-19T19:10:05","slug":"news-10669","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/19\/news-10669\/","title":{"rendered":"Exploit kits: fall 2019 review"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 19 Nov 2019 18:08:20 +0000<\/strong><\/p>\n<p>Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we&#8217;re seeing new exploit kits emerge.<\/p>\n<p>Based on our telemetry, these drive-bys are happening worldwide (with the exception of a few that are geo-targeted) and are fueled by malvertising most often found on adult websites.<\/p>\n<p>Even though the weaponized vulnerabilities remain fairly old, we&#8217;ve observed a growing number of exploit kits go for <a rel=\"noreferrer noopener\" aria-label=\"fileless attacks (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/03\/fileless-infections-an-overview\/\" target=\"_blank\">fileless attacks<\/a> instead of the more traditional method of dropping a payload on disk. 
This is an interesting trend that makes sample sharing more difficult and possibly increases infection rates by evading some security products.<\/p>\n<h3>Fall 2019 overview<\/h3>\n<ul>\n<li>Spelevo EK<\/li>\n<li>Fallout EK<\/li>\n<li>Magnitude EK<\/li>\n<li>RIG EK<\/li>\n<li>GrandSoft EK<\/li>\n<li>Underminer EK<\/li>\n<li>KaiXin EK<\/li>\n<li>Purple Fox EK<\/li>\n<li>Capesand EK<\/li>\n<\/ul>\n<h3>Vulnerabilities<\/h3>\n<p>Internet Explorer\u2019s&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/05\/internet-explorer-zero-day-browser-attack\/\" target=\"_blank\">CVE-2018-8174<\/a>&nbsp;(VBScript engine) and Flash Player\u2019s&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/12\/new-flash-player-zero-day-used-russian-facility\/\" target=\"_blank\">CVE-2018-15982<\/a>&nbsp;are the most common vulnerabilities, while the older <a rel=\"noreferrer noopener\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/new-flash-player-zero-day-comes-inside-office-document\/\" target=\"_blank\">CVE-2018-4878<\/a> (Flash) is still used by some EKs. It&#8217;s worth noting that some exploit kits have dropped Flash entirely, while others still rely on much older vulnerabilities.<\/p>\n<h3>Spelevo EK<\/h3>\n<p>Spelevo EK is one of these newer exploit kits that we see on a regular basis via malvertising campaigns. There hasn&#8217;t been any major change since <a rel=\"noreferrer noopener\" aria-label=\"our last review (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/\" target=\"_blank\">our last review<\/a> and the threat actors still rely on domain shadowing (creating throwaway subdomains under legitimate domains whose registrar accounts they have compromised) to generate new URLs.
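<\/p>\n<p>To make the domain shadowing signal concrete, here is an added detection example written for this review; it is not Spelevo code and not Malwarebytes tooling. It scores passive-DNS style observations: a subdomain that resolves outside the networks its apex domain uses, carries a machine-generated-looking label, and was first seen only days ago is flagged, and the flagged hosts are then grouped by the /24 they point to. The records, the two-label apex rule, the /24 comparison and the thresholds are all constructed assumptions for the illustration.<\/p>

```python
import math
from collections import Counter, defaultdict

# Constructed passive-DNS style observations (not real telemetry):
# (hostname, resolved IPv4, days since the record was first seen).
# example-hotel.net plays a legitimate domain whose registrar account was taken over;
# the three random-looking hosts under it are the shadow subdomains.
RECORDS = [
    ("example-hotel.net",        "203.0.113.10", 1200),
    ("www.example-hotel.net",    "203.0.113.10", 1200),
    ("mail.example-hotel.net",   "203.0.113.11",  900),
    ("k4jd8x.example-hotel.net", "198.51.100.7",    2),
    ("q2m9ff.example-hotel.net", "198.51.100.7",    1),
    ("zv71p.example-hotel.net",  "198.51.100.8",    0),
    ("example-store.org",        "203.0.113.50", 2000),
    ("cdn2.example-store.org",   "192.0.2.25",    400),  # old CDN host elsewhere: legitimate
    ("blog.example-store.org",   "192.0.2.30",      3),  # new but human-named: legitimate
]


def apex_of(host):
    """Registrable domain. Assumption: the last two labels. Real tooling should use the
    Public Suffix List so that names such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def slash24(ip):
    return ".".join(ip.split(".")[:3])


def looks_generated(label):
    """Heuristic for machine-generated labels: letters mixed with digits, or high
    character entropy (eight distinct characters with no repeats scores 3.0)."""
    has_alpha = any(c.isalpha() for c in label)
    has_digit = any(c.isdigit() for c in label)
    n = len(label)
    entropy = -sum(k / n * math.log2(k / n) for k in Counter(label).values()) if n else 0.0
    return (has_alpha and has_digit) or entropy >= 3.0


def find_shadow_hosts(records, max_age_days=7):
    """Flag subdomains that (1) resolve outside every /24 their apex (or www) uses,
    (2) carry a generated-looking leftmost label and (3) were first seen within
    max_age_days. All three are required; any one alone is common in benign DNS."""
    apex_nets = defaultdict(set)
    for host, ip, _age in records:
        apex = apex_of(host)
        if host in (apex, "www." + apex):
            apex_nets[apex].add(slash24(ip))
    hits = []
    for host, ip, age in records:
        apex = apex_of(host)
        if host in (apex, "www." + apex) or apex not in apex_nets:
            continue  # the apex itself, or no baseline for this apex
        if (slash24(ip) not in apex_nets[apex]
                and looks_generated(host.split(".")[0])
                and age <= max_age_days):
            hits.append((host, ip))
    return hits


def cluster_by_network(hits):
    """Group flagged hosts by the /24 they point to. Many shadow hosts on one network
    is the campaign signature worth pivoting on in proxy logs."""
    clusters = defaultdict(list)
    for host, ip in hits:
        clusters[slash24(ip)].append(host)
    return dict(clusters)


if __name__ == "__main__":
    found = find_shadow_hosts(RECORDS)
    for net, hosts in cluster_by_network(found).items():
        print(f"{net}.0/24: {len(hosts)} shadow host(s): {', '.join(hosts)}")
```

<p>The three signals are deliberately required together: the CDN host on another network fails the recency test and the newly added but human-named host fails the label test, so neither is reported. The clustering step is what turns individual hits into a campaign: shadow hosts born from one registrar compromise tend to land on a handful of attacker networks, and pivoting on that /24 in proxy logs is usually the fastest way to find the victims. Swap the two-label rule for the Public Suffix List before running this on real data, and expect some false positives from legitimate dynamic-DNS style naming.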
<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/spelevoEK_.png\" data-rel=\"lightbox-0\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41114\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/spelevoek_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/spelevoEK_.png\" data-orig-size=\"690,328\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"spelevoEK_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/spelevoEK_-300x143.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/spelevoEK_-600x285.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/spelevoEK_.png\" alt=\"\" class=\"wp-image-41114\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/spelevoEK_.png 690w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/spelevoEK_-300x143.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/spelevoEK_-600x285.png 600w\" sizes=\"(max-width: 690px) 100vw, 690px\" \/><\/a><\/figure>\n<p><strong>Payloads seen<\/strong>: PsiXBot, Gootkit, Maze<\/p>\n<h3>Fallout EK<\/h3>\n<p>Fallout EK stands apart from the rest with obfuscation techniques, as well various fingerprinting checks. 
It also implemented the Diffie-Hellman key exchange to prevent offline replays by security analysts.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/FalloutEK.png\" data-rel=\"lightbox-1\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41115\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/falloutek-3\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/FalloutEK.png\" data-orig-size=\"558,483\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"FalloutEK\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/FalloutEK-300x260.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/FalloutEK.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/FalloutEK.png\" alt=\"\" class=\"wp-image-41115\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/FalloutEK.png 558w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/FalloutEK-300x260.png 300w\" sizes=\"(max-width: 558px) 100vw, 558px\" \/><\/a><\/figure>\n<p><strong>Payloads seen<\/strong>: Sodinokibi, AZORult, Kpot, Raccoon, Danabot<\/p>\n<h3>Magnitude EK<\/h3>\n<p>Magnitude EK hasn&#8217;t changed much in the past few months. The same Magnigate infrastructure is being used to redirect users to fake cryptocurrency domains. 
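<\/p>\n<p>Returning to Fallout EK&#8217;s key exchange from the previous section: the point of doing Diffie-Hellman on the landing page is that the exploit stage is encrypted under a per-session secret that never crosses the wire, so a PCAP of the session is not enough to reproduce the infection in a lab. The exchange below is an added illustration, not Fallout&#8217;s own code: which side initiates, the toy 127-bit group, the HMAC-based stream cipher and the constructed exploit stage are all assumptions, and a real deployment would use a standardized group such as RFC 7919 ffdhe2048 and a proper AEAD.<\/p>

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for the illustration only.
# p = 2**127 - 1 is prime (a Mersenne prime). Note that g = 2 would be a useless
# generator here because 2**127 == 1 (mod p), so its subgroup has only 127 elements;
# g = 3 has a large order. A real deployment uses a standardized group such as
# RFC 7919 ffdhe2048.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private exponent, public share g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in [2, p-2]
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret: peer_pub^priv mod p."""
    return pow(peer_pub, priv, P)


def derive_key(shared):
    """Hash the group element into a 256-bit session key (a KDF stand-in)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, length):
    # HMAC-SHA256 in counter mode. Acceptable only because every session key is
    # fresh, so (key, counter) pairs never repeat.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns (ciphertext, tag)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct, tag


def open_box(key, ct, tag):
    """Verify the tag, then decrypt. Returns None if the key is wrong or ct was altered."""
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


# Constructed stand-in for the second-stage exploit code the server would deliver.
STAGE = b"<constructed stand-in for the encrypted exploit stage>"


def drive_by_session(stage=STAGE):
    """One landing-page session. The victim-side script and the EK server each
    contribute a share; the server encrypts the stage under the agreed key.
    Returns (what the victim decrypted, what a network sensor captured)."""
    a, A = dh_keypair()                      # victim side (script on the landing page)
    b, B = dh_keypair()                      # EK server side
    ct, tag = seal(derive_key(dh_shared(b, A)), stage)
    recovered = open_box(derive_key(dh_shared(a, B)), ct, tag)
    capture = {"A": A, "B": B, "ct": ct, "tag": tag}   # everything that was on the wire
    return recovered, capture


def replay_from_capture(capture):
    """What an analyst can do with the capture alone. Every value on the wire is
    public; keys derived from them, or from combining them without a private
    exponent, fail the tag check, so the stage cannot be recovered offline."""
    A, B = capture["A"], capture["B"]
    for guess in (A, B, (A * B) % P, pow(A, B, P), pow(B, A, P)):
        stage = open_box(derive_key(guess), capture["ct"], capture["tag"])
        if stage is not None:
            return stage
    return None


if __name__ == "__main__":
    recovered, capture = drive_by_session()
    print("victim recovered stage:", recovered == STAGE)
    print("analyst recovered stage from capture:", replay_from_capture(capture) is not None)
```

<p>Replaying the captured client share against a live server does not help either: the server answers with a fresh share and a ciphertext keyed to that new pair, and the original private exponent still lives only in the victim browser. That is why samples from a kit built this way have to be captured inside the browser, after decryption, rather than on the wire, and why indicator extraction from traffic alone yields little more than the landing URL.<\/p>\n<p>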
The payload remains Magniber ransomware delivered in fileless mode.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/MagnitudeEK_.png\" data-rel=\"lightbox-2\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41118\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/magnitudeek_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/MagnitudeEK_.png\" data-orig-size=\"623,368\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"MagnitudeEK_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/MagnitudeEK_-300x177.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/MagnitudeEK_-600x354.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/MagnitudeEK_.png\" alt=\"\" class=\"wp-image-41118\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/MagnitudeEK_.png 623w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/MagnitudeEK_-300x177.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/MagnitudeEK_-600x354.png 600w\" sizes=\"(max-width: 623px) 100vw, 623px\" \/><\/a><\/figure>\n<p><strong>Payload seen<\/strong>: Magniber<\/p>\n<h3>RIG EK<\/h3>\n<p>Recently, RIG EK seems to have dropped its Flash Player exploit and instead relies solely on Internet Explorer. 
One active campaign is HookAds, which uses a fake gaming website to redirect to the exploit kit.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/RIGEK.png\" data-rel=\"lightbox-3\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41116\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/rigek-4\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/RIGEK.png\" data-orig-size=\"626,342\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"RIGEK\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/RIGEK-300x164.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/RIGEK-600x328.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/RIGEK.png\" alt=\"\" class=\"wp-image-41116\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/RIGEK.png 626w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/RIGEK-300x164.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/RIGEK-600x328.png 600w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/><\/a><\/figure>\n<p><strong>Payloads seen<\/strong>: Smoke Loader, Sodinokibi, Paradise, Antefrigus<\/p>\n<h3>GrandSoft EK<\/h3>\n<p>GrandSoft EK is not as commonly observed this fall, and appears to have limited payload distribution. 
It is known to focus on the distribution of the Ramnit Trojan.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/GrandSoftEK.png\" data-rel=\"lightbox-4\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41119\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/grandsoftek-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/GrandSoftEK.png\" data-orig-size=\"609,309\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"GrandSoftEK\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/GrandSoftEK-300x152.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/GrandSoftEK-600x304.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/GrandSoftEK.png\" alt=\"\" class=\"wp-image-41119\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/GrandSoftEK.png 609w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/GrandSoftEK-300x152.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/GrandSoftEK-600x304.png 600w\" sizes=\"(max-width: 609px) 100vw, 609px\" \/><\/a><\/figure>\n<p><strong>Payload seen<\/strong>: Ramnit<\/p>\n<h3>Underminer EK<\/h3>\n<p>Underminer EK is one of the more interesting exploit kits on the market, due to its unusual way of delivering its <a rel=\"noreferrer noopener\" aria-label=\"Hidden Bee payload 
(opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/07\/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit\/\" target=\"_blank\">Hidden Bee payload<\/a>. Not only is it fileless, but it is packed in a particular way that hints that the exploit kit and malware developer are one and the same.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/UnderminerEK.png\" data-rel=\"lightbox-5\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41120\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/underminerek-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/UnderminerEK.png\" data-orig-size=\"617,643\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"UnderminerEK\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/UnderminerEK-288x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/UnderminerEK-576x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/UnderminerEK.png\" alt=\"\" class=\"wp-image-41120\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/UnderminerEK.png 617w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/UnderminerEK-288x300.png 288w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/UnderminerEK-576x600.png 576w\" sizes=\"(max-width: 617px) 
100vw, 617px\" \/><\/a><\/figure>\n<p><strong>Payload seen<\/strong>: Hidden Bee<\/p>\n<h3>KaiXin EK<\/h3>\n<p>KaiXin EK is a more obscure exploit kit we seldom run into, perhaps because it seems to target the Asian market. However, it appears to still be around on the same infrastructure.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/KaiXinEK.png\" data-rel=\"lightbox-6\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41121\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/kaixinek\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/KaiXinEK.png\" data-orig-size=\"566,397\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"KaiXinEK\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/KaiXinEK-300x210.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/KaiXinEK.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/KaiXinEK.png\" alt=\"\" class=\"wp-image-41121\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/KaiXinEK.png 566w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/KaiXinEK-300x210.png 300w\" sizes=\"(max-width: 566px) 100vw, 566px\" \/><\/a><\/figure>\n<p><strong>Payload seen<\/strong>: Dupzom<\/p>\n<h3>Purple Fox EK<\/h3>\n<p>Purple Fox was <a rel=\"noreferrer noopener\" aria-label=\"described (opens in a 
new tab)\" href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell\/\" target=\"_blank\">described<\/a> previously by TrendMicro and is an interesting drive-by framework that loads fileless malware. While it was once loaded via RIG EK, it is now seen on its own. For this reason, we believe it can be called an exploit kit as well.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/PurpleFoxEK_.png\" data-rel=\"lightbox-7\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41125\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/purplefoxek_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/PurpleFoxEK_.png\" data-orig-size=\"651,309\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"PurpleFoxEK_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/PurpleFoxEK_-300x142.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/PurpleFoxEK_-600x285.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/PurpleFoxEK_.png\" alt=\"\" class=\"wp-image-41125\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/PurpleFoxEK_.png 651w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/PurpleFoxEK_-300x142.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/PurpleFoxEK_-600x285.png 600w\" sizes=\"(max-width: 651px) 100vw, 651px\" \/><\/a><\/figure>\n<p><strong>Payload seen<\/strong>: Kpot<\/p>\n<h3>Capesand EK<\/h3>\n<p>Capesand EK is the latest exploit to have <a rel=\"noreferrer noopener\" aria-label=\"surfaced (opens in a new tab)\" href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-exploit-kit-capesand-reuses-old-and-new-public-exploits-and-tools-blockchain-ruse\/\" target=\"_blank\">surfaced<\/a> although it is based on code from an old EK called Demon Hunter. It was spotted on a particular malvertising campaign, perhaps suggesting the work of one malware author for his own distribution.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/CapesandEK_.png\" data-rel=\"lightbox-8\" title=\"\"><img decoding=\"async\" data-attachment-id=\"41124\" data-permalink=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/attachment\/capesandek_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/CapesandEK_.png\" data-orig-size=\"633,349\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"CapesandEK_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/CapesandEK_-300x165.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/CapesandEK_-600x331.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/CapesandEK_.png\" alt=\"\" class=\"wp-image-41124\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/CapesandEK_.png 633w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/CapesandEK_-300x165.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/CapesandEK_-600x331.png 600w\" sizes=\"(max-width: 633px) 100vw, 633px\" \/><\/a><\/figure>\n<p><strong>Payload seen<\/strong>: NjRAT<\/p>\n<h3>Maintaining a foothold<\/h3>\n<p>It&#8217;s interesting to see exploit kits alive and kicking, despite relying on aging vulnerabilities and a decrease in user base of both Internet Explorer and the Flash Player.<\/p>\n<p>In the past quarter, we&#8217;ve observed sustained malvertising activity and a diversity of malware payloads served. We can probably expect this trend to continue and perhaps even see new frameworks pop up. Even if it remains remote, we can&#8217;t discard the possibility of an exploit kit targeting one of the newer browsers.<\/p>\n<p>Consumer and enterprise users still running Internet Explorer are protected from these exploit kits with <a href=\"http:\/\/www.malwarebytes.com\/pricing\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Malwarebytes (opens in a new tab)\">Malwarebytes<\/a>.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/\">Exploit kits: fall 2019 review<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 19 Nov 2019 18:08:20 +0000<\/strong><\/p>\n<table 
cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/' title='Exploit kits: fall 2019 review'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/10\/shutterstock_697076155-1.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>With even more exploit kits in town, the drive-by download landscape shows continued activity in fall 2019.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/exploits-and-vulnerabilities\/\" rel=\"category tag\">Exploits and vulnerabilities<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/capesand\/\" rel=\"tag\">Capesand<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ek\/\" rel=\"tag\">EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit-kit\/\" rel=\"tag\">exploit kit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/fallout\/\" rel=\"tag\">Fallout<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/grandsoft\/\" rel=\"tag\">grandsoft<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/kaixin\/\" rel=\"tag\">KaiXin<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/magnitude\/\" rel=\"tag\">Magnitude<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/purple-fox\/\" rel=\"tag\">Purple Fox<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rig\/\" rel=\"tag\">RIG<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spelevo\/\" rel=\"tag\">Spelevo<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/underminer\/\" rel=\"tag\">Underminer<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/' title='Exploit kits: fall 2019 review'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a 
rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2019\/11\/exploit-kits-fall-2019-review\/\">Exploit kits: fall 2019 review<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[23487,10527,10534,22783,19945,17365,19147,7871,23488,11589,21791,19148],"class_list":["post-16932","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-capesand","tag-ek","tag-exploit-kit","tag-exploits-and-vulnerabilities","tag-fallout","tag-grandsoft","tag-kaixin","tag-magnitude","tag-purple-fox","tag-rig","tag-spelevo","tag-underminer"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16932"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16932\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16932"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16932"}],"curies":[{"name":"wp","hre
f":"https:\/\/api.w.org\/{rel}","templated":true}]}}