{"id":15944,"date":"2019-07-30T09:10:09","date_gmt":"2019-07-30T17:10:09","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/07\/30\/news-9688\/"},"modified":"2019-07-30T09:10:09","modified_gmt":"2019-07-30T17:10:09","slug":"news-9688","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/07\/30\/news-9688\/","title":{"rendered":"Exploit kits: summer 2019 review"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 30 Jul 2019 16:20:33 +0000<\/strong><\/p>\n<p>In the months since our last <a rel=\"noreferrer noopener\" aria-label=\"spring review (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/exploit-kits-spring-2019-review\/\" target=\"_blank\">spring review<\/a>, there has been some interesting activity from several exploit kits. While the playing field remains essentially the same, with Internet Explorer and Flash Player as the most commonly exploited targets, it is undeniable that there has been a marked effort from exploit kit authors to add some rather cool tricks to their arsenal.<\/p>\n<p>For example, several exploit kits are using session-based keys to prevent &#8220;offline&#8221; replays. This mostly affects security researchers who might want to test the exploit kit in the lab under different scenarios. In other words, a saved network capture won&#8217;t be worth much when it comes to attempting to re-enact the drive-by in a controlled environment.<\/p>\n<p>The same is true for better detection of virtual machines and network tools (something known as <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/exploits\/2016\/08\/browser-based-fingerprinting-implications-and-mitigations\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"fingerprinting (opens in a new tab)\">fingerprinting<\/a>). 
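<\/p>\n<p>The indicators at the end of this post show what those session keys look like on the wire: Spelevo repeats the same <code>id=<\/code> value across all four hops of its chain, Underminer repeats one <code>ad_id=<\/code> token across the parameters of its landing request and sends <code>fp=<\/code>, <code>sign=<\/code> and <code>validate=<\/code> hashes to <code>servlet.php<\/code>, and RIG and GreenFlash Sundown carry opaque per-request blobs. The Python below is an added example, not code from this post or from any of the kits it covers: it turns those URI shapes into a small proxy-log classifier and groups hits by session token. The log line layout, the sample lines (refanged copies of this page&#8217;s IOCs, with the RIG query trimmed to its distinctive fields, plus two benign requests) and the reading of Underminer&#8217;s <code>e=<\/code> value as a unix timestamp are assumptions made for the example.<\/p>\n
```python
# Added example for this review (not code from the Malwarebytes post or from
# any of the kits it describes): match proxy-log URLs against the URI shapes
# of the Spelevo, RIG, Underminer and GreenFlash Sundown IOCs at the end of
# the post, and pull out the token that ties one victim's session together.
import base64
import re
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

HEX32 = re.compile('^[0-9a-f]{32}$')
# Spelevo: every hop repeats id=(long base36 token); exploit and payload hops
# prefix it with a hex key (sometimes ending in 'ck'); the landing uses -embed/.
SPELEVO = re.compile('^(?:([0-9a-f]{12,}(?:ck)?)&)?id=([0-9a-z]{16,})$')
# Underminer: index.php repeats one token in ad_id, re, rt, zone, prod and st.
TOKEN = re.compile('^[A-Za-z0-9_-]{20,}$')


def refang(ioc):
    # Turn the defanged form used in the IOC section back into a real URL.
    return ioc.replace('hxxp', 'http').replace('[://]', '://').replace('[.]', '.')


def classify_url(url):
    # Return family, session token and path for a recognised EK URI, else None.
    # These are shape matches; pair them with the host IOCs to limit false hits.
    u = urlparse(url)
    p = parse_qs(u.query, keep_blank_values=True)
    keys = set(p)

    def val(k):
        return p.get(k, [''])[0]

    m = SPELEVO.match(u.query)
    if m and (m.group(1) or u.path.endswith('-embed/')):
        return {'family': 'Spelevo', 'token': m.group(2), 'path': u.path}

    # RIG: the t4gfhtgf4= and ffffghds= blobs are always present, and the
    # first query field is a bare base64 token (NDE0MzU1 decodes to 414355).
    if 't4gfhtgf4' in keys and 'ffffghds' in keys:
        lead = u.query.split('&', 1)[0]
        try:
            token = base64.b64decode(lead + '=' * (-len(lead) % 4)).decode('ascii')
        except (ValueError, UnicodeDecodeError):
            token = lead
        return {'family': 'RIG', 'token': token, 'path': u.path}

    if u.path.endswith('/index.php') and {'ad_id', 'zone', 'e'}.issubset(keys):
        if TOKEN.match(val('ad_id')) and val('ad_id') == val('zone') and val('e').isdigit():
            # e= looks like a unix timestamp (an assumption); shown as UTC for triage.
            when = datetime.fromtimestamp(int(val('e')), timezone.utc).isoformat()
            return {'family': 'Underminer', 'token': val('ad_id'), 'path': u.path, 'e_utc': when}
    if u.path.endswith('/pubs/servlet.php') and {'fp', 'sign', 'validate'}.issubset(keys):
        if all(HEX32.match(val(k)) for k in ('fp', 'sign', 'validate')):
            return {'family': 'Underminer', 'token': val('fp'), 'path': u.path}

    # GreenFlash Sundown: act_image.html?mercy=&liberty=&bubble=, or an index.php
    # whose only parameter is an 8-hex key holding a long base64 blob.
    if u.path.endswith('/act_image.html') and {'mercy', 'liberty', 'bubble'}.issubset(keys):
        return {'family': 'GreenFlash Sundown', 'token': val('liberty'), 'path': u.path}
    if u.path.endswith('/index.php') and len(keys) == 1:
        key = next(iter(keys))
        if re.match('^[0-9a-f]{8}$', key) and len(val(key)) >= 100:
            return {'family': 'GreenFlash Sundown', 'token': key, 'path': u.path}
    return None


def scan_log(lines):
    # Log line layout assumed here: timestamp, client, method, url.
    hits = []
    for line in lines:
        fields = line.split()
        hit = classify_url(fields[-1]) if len(fields) == 4 else None
        if hit:
            hit.update(ts=fields[0], client=fields[1])
            hits.append(hit)
    return hits


def group_sessions(hits):
    # Collapse hits into (family, token) sessions: one victim chain is one session.
    sessions = {}
    for h in hits:
        sessions.setdefault((h['family'], h['token']), []).append(h['path'])
    return sessions


# Constructed log lines: refanged copies of IOCs from this page (the RIG query is
# trimmed to its distinctive fields) plus two benign requests that must not match.
SAMPLE_LOG = [
    '2019-07-24T15:11:00Z 10.0.0.7 GET ' + refang('hxxp[://]shark[.]denizprivatne[.]top/barbati-sofia-embed/?id=1fljh8pgb4al2st1r7ui0'),
    '2019-07-24T15:11:01Z 10.0.0.7 GET ' + refang('hxxp[://]shark[.]denizprivatne[.]top/?0186ccfc2affa291487611b&id=1fljh8pgb4al2st1r7ui0'),
    '2019-07-24T15:11:02Z 10.0.0.7 GET ' + refang('hxxp[://]shark[.]denizprivatne[.]top/?8f80b9323f2533ck&id=1fljh8pgb4al2st1r7ui0'),
    '2019-07-24T15:11:03Z 10.0.0.7 GET ' + refang('hxxp[://]shark[.]denizprivatne[.]top/?8f80b9323f2533cbfe19e0483c81dc8b72294a&id=1fljh8pgb4al2st1r7ui0'),
    '2019-07-24T15:12:00Z 10.0.0.9 GET http://212.109.198.22/?NDE0MzU1&iZdZ&skJLa=known&t4gfhtgf4=xfQlKrcFPArhjUODfwIwyIZaUVwb96n8ikbXwRPJgJ_UrxSLNwJEqaKlJLd_mhj2&bmSJmU=vest&ffffghds=w3nQMvXcJxfQFYbGMvPDSKNbNknWHViPxomG9MildZeqZGX_k7XDfF-qoVrcCgWR&QEcvAFNjYzNTc=',
    '2019-07-24T15:11:16Z 10.0.0.12 GET ' + refang('hxxp[://]38[.]75[.]137[.]9:9088/index.php?ad_id=I27cHv2i8QxDkXOJWhnMGw&re=I27cHv2i8QxDkXOJWhnMGw&rt=I27cHv2i8QxDkXOJWhnMGw&id=9088&zone=I27cHv2i8QxDkXOJWhnMGw&prod=I27cHv2i8QxDkXOJWhnMGw&lp=Type&st=I27cHv2i8QxDkXOJWhnMGw&e=1563981076&y=203384173015'),
    '2019-07-24T15:11:18Z 10.0.0.12 GET ' + refang('hxxp[://]38[.]75[.]137[.]9:9088/pubs/servlet.php?fp=39fe6ccb473b08362ae067b8c0ee865d&lang=en-US&token=&id=49457&sign=5eed006ae06584a03f969b9cd3558c28&validate=13b96b0bb8ac2a105d07f7c8b701f240'),
    '2019-07-24T15:13:00Z 10.0.0.20 GET ' + refang('hxxps[://]fastimage[.]site/act_image.html?mercy=FdMzpfikLihAnNPppGIucrCHLfiIPE0UYY9ocxDP7RzUlUu6%2BcEavY5yGiQn8ogYce3E0sgs06B1y9%2BnxZhQCg%3D%3D&liberty=djji1ghk3gtx&bubble=RUDOpbnkAS1xQHVxflacRzfZxQ%3D%3D'),
    '2019-07-24T15:14:00Z 10.0.0.7 GET https://example.com/index.php?id=42',
    '2019-07-24T15:14:01Z 10.0.0.9 GET https://example.org/search?q=exploit+kits',
]
```
\n<p>Matching on URI shape rather than host survives domain rotation, which is what makes it useful for hunting; for blocking, pair it with the host indicators listed on this page. On the constructed log, <code>group_sessions(scan_log(SAMPLE_LOG))<\/code> returns five sessions, and the Spelevo one holds all four hops under a single token, consistent with the post&#8217;s point that a saved capture replays values the kit bound to one session and cannot simply be reused.<\/p>\n<p>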
Combining these evasion techniques with geofencing and VPN detection makes exploit kit hunting more challenging than in previous quarters.<\/p>\n<p>Threat actors continue to buy traffic from ad networks and use malvertising as their primary delivery method. Leveraging user profiling (browser type and version, country of origin, etc.) from ad platforms, criminals are able to maintain decent load rates (successful infections per drive-by attempt).<\/p>\n<h3>Summer 2019 overview<\/h3>\n<ul>\n<li>Spelevo EK<\/li>\n<li>Fallout EK<\/li>\n<li>Magnitude EK<\/li>\n<li>RIG EK<\/li>\n<li>GrandSoft EK<\/li>\n<li>Underminer EK<\/li>\n<li>GreenFlash Sundown EK<\/li>\n<\/ul>\n<h3>Vulnerabilities<\/h3>\n<p>Internet Explorer\u2019s&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/05\/internet-explorer-zero-day-browser-attack\/\" target=\"_blank\">CVE-2018-8174<\/a>&nbsp;and Flash Player\u2019s&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/12\/new-flash-player-zero-day-used-russian-facility\/\" target=\"_blank\">CVE-2018-15982<\/a>&nbsp;are the most common vulnerabilities, while the older <a rel=\"noreferrer noopener\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/new-flash-player-zero-day-comes-inside-office-document\/\" target=\"_blank\">CVE-2018-4878<\/a> (Flash) is still used by some EKs.<\/p>\n<h3>Spelevo EK<\/h3>\n<p>Spelevo EK is the youngest exploit kit, originally <a href=\"https:\/\/twitter.com\/kafeine\/status\/1103649040800145409\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"discovered (opens in a new tab)\">discovered<\/a> in March 2019, but by no means is it behind any of its competitors. 
<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39721\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/attachment\/spelevo_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/spelevo_.png\" data-orig-size=\"634,643\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"spelevo_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/spelevo_-296x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/spelevo_-592x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/spelevo_.png\" alt=\"\" class=\"wp-image-39721\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/spelevo_.png 634w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/spelevo_-296x300.png 296w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/spelevo_-592x600.png 592w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><\/figure>\n<p>Payloads seen: PsiXBot, IcedID<\/p>\n<h3>Fallout EK<\/h3>\n<p>Fallout EK is perhaps one of the more interesting exploit kits. 
<a rel=\"noreferrer noopener\" aria-label=\"Nao_Sec (opens in a new tab)\" href=\"https:\/\/twitter.com\/nao_sec\" target=\"_blank\">Nao_Sec<\/a> did a thorough <a rel=\"noreferrer noopener\" aria-label=\"writeup (opens in a new tab)\" href=\"https:\/\/nao-sec.org\/2019\/07\/steady-evolution-of-fallout-v4.html\" target=\"_blank\">writeup<\/a> on it recently, showing a number of new features in its version 4 iteration.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39722\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/attachment\/fallout\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/fallout.png\" data-orig-size=\"634,700\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"fallout\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/fallout-272x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/fallout-543x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/fallout.png\" alt=\"\" class=\"wp-image-39722\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/fallout.png 634w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/fallout-272x300.png 272w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/fallout-543x600.png 543w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><\/figure>\n<p> Payloads seen: AZORult, Osiris, Maze ransomware<\/p>\n<h3>Magnitude 
EK<\/h3>\n<p>Magnitude EK continues to target South Korea with its own Magniber ransomware in steady malvertising campaigns.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39724\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/attachment\/magnitude-5\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/magnitude.png\" data-orig-size=\"634,652\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"magnitude\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/magnitude-292x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/magnitude-583x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/magnitude.png\" alt=\"\" class=\"wp-image-39724\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/magnitude.png 634w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/magnitude-292x300.png 292w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/magnitude-583x600.png 583w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><\/figure>\n<p>Payload seen: Magniber ransomware<\/p>\n<h3>RIG EK<\/h3>\n<p>RIG EK is still kicking around via various malvertising chains and perhaps offers the most diversity in terms of the malware payloads it serves.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39723\" 
data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/attachment\/rig-4\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/RIG.png\" data-orig-size=\"634,677\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"RIG\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/RIG-281x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/RIG-562x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/RIG.png\" alt=\"\" class=\"wp-image-39723\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/RIG.png 634w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/RIG-281x300.png 281w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/RIG-562x600.png 562w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><\/figure>\n<p>Payloads seen: ERIS, AZORult, Phorpiex, Predator, Amadey, Pitou<\/p>\n<h3>GrandSoft EK<\/h3>\n<p>GrandSoft EK remains the weakest exploit kit of the bunch and continues to drop Ramnit in Japan.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39725\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/attachment\/grandsoft-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/grandsoft.png\" data-orig-size=\"636,496\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"grandsoft\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/grandsoft-300x234.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/grandsoft-600x468.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/grandsoft.png\" alt=\"\" class=\"wp-image-39725\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/grandsoft.png 636w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/grandsoft-300x234.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/grandsoft-600x468.png 600w\" sizes=\"(max-width: 636px) 100vw, 636px\" \/><\/figure>\n<p>Payload seen: Ramnit<\/p>\n<h3>Underminer EK<\/h3>\n<p>Underminer EK is a rather complex exploit kit with a <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/05\/hidden-bee-lets-go-down-the-rabbit-hole\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"complex payload (opens in a new tab)\">complex payload<\/a> which we continue to observe via the same delivery chain.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39726\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/attachment\/underminer\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/underminer.png\" data-orig-size=\"632,777\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"underminer\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/underminer-244x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/underminer-488x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/underminer.png\" alt=\"\" class=\"wp-image-39726\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/underminer.png 632w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/underminer-244x300.png 244w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/underminer-488x600.png 488w\" sizes=\"(max-width: 632px) 100vw, 632px\" \/><\/figure>\n<p>Payload seen: Hidden Bee<\/p>\n<h3>GreenFlash Sundown EK<\/h3>\n<p>The elusive GreenFlash Sundown EK marked a surprise return via its ShadowGate in a large <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/06\/greenflash-sundown-exploit-kit-expands-via-large-malvertising-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"malvertising campaign (opens in a new tab)\">malvertising campaign<\/a> in late June.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39727\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/attachment\/greenflash\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/greenflash.png\" data-orig-size=\"633,698\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"greenflash\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/greenflash-272x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/greenflash-544x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/greenflash.png\" alt=\"\" class=\"wp-image-39727\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/greenflash.png 633w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/greenflash-272x300.png 272w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/greenflash-544x600.png 544w\" sizes=\"(max-width: 633px) 100vw, 633px\" \/><\/figure>\n<p>Payloads seen: Seon ransomware, Pony, coin miner<\/p>\n<h3>Pseudo-EKs<\/h3>\n<p>A few other drive-bys were caught during the past few months, although it might be a stretch to call them exploit kits.<\/p>\n<ul>\n<li><a rel=\"noreferrer noopener\" aria-label=\"azera drive-by (opens in a new tab)\" href=\"https:\/\/twitter.com\/jeromesegura\/status\/1148289957716344832?s=20\" target=\"_blank\">azera drive-by<\/a> used the PoC for CVE-2018-15982 (Flash) to drop the ERIS ransomware<\/li>\n<li><a rel=\"noreferrer noopener\" aria-label=\"Radio EK (opens in a new tab)\" href=\"https:\/\/nao-sec.org\/2019\/07\/weak-dbd-attack-with-radioek.html\" target=\"_blank\">Radio EK<\/a> leveraged CVE-2016-0189 (Internet Explorer) to drop AZORult<\/li>\n<\/ul>\n<h3>Three years since Angler EK left <\/h3>\n<p>June 2016 is an important date for the web threat 
landscape, as it marks the <a rel=\"noreferrer noopener\" aria-label=\"fall of Angler EK (opens in a new tab)\" href=\"http:\/\/malware.dontneedcoffee.com\/2016\/06\/is-it-end-of-angler.html\" target=\"_blank\">fall of Angler EK<\/a>, perhaps one of the most successful and sophisticated exploit kits. Since then, exploit kits have never regained their place as the top malware delivery vector. <\/p>\n<p>However, since our spring review, we can say there have been some notable events and interesting campaigns. While it&#8217;s hard to believe that users are still running machines with outdated Internet Explorer and Flash Player versions, this renewed activity proves us wrong.<\/p>\n<p>Although we have not mentioned router-based exploit kits in this edition, they are still a valid threat that we expect to grow in the coming months. Also, if exploit kit developers start <a rel=\"noreferrer noopener\" aria-label=\"branching out of Internet Explorer (opens in a new tab)\" href=\"https:\/\/www.zdnet.com\/article\/mozilla-patches-firefox-zero-day-abused-in-the-wild\/\" target=\"_blank\">branching out of Internet Explorer<\/a> more, we could see far more serious attacks.<\/p>\n<p>Malwarebytes users are protected against the aforementioned drive-by download attacks thanks to our products&#8217; anti-exploit layer of technology.<\/p>\n<h3>Indicators of Compromise (URI patterns)<\/h3>\n<p><strong>Spelevo EK<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">hxxp[:\/\/]shark[.]denizprivatne[.]top\/barbati-sofia-embed\/?id=1fljh8pgb4al2st1r7ui0<br \/>hxxp[:\/\/]shark[.]denizprivatne[.]top\/?0186ccfc2affa291487611b&amp;id=1fljh8pgb4al2st1r7ui0<br \/>hxxp[:\/\/]shark[.]denizprivatne[.]top\/?8f80b9323f2533ck&amp;id=1fljh8pgb4al2st1r7ui0<br \/>hxxp[:\/\/]shark[.]denizprivatne[.]top\/?8f80b9323f2533cbfe19e0483c81dc8b72294a&amp;id=1fljh8pgb4al2st1r7ui0<\/pre>\n<p><strong>Fallout EK<\/strong><\/p>\n<pre 
class=\"wp-block-preformatted\">hxxps[:\/\/]koreadec[.]com\/florulas_8867_11392\/brTl\/1917-08-03[.]phtml?Patining=eEo<br \/>hxxps[:\/\/]koreadec[.]com\/4688-garuda\/bSkUK\/1998_08_17\/cokernut-plumages-giglio?misbind=udaler<br \/>hxxps[:\/\/]koreadec[.]com\/7314\/uAFs\/sericins\/vdJCwq?cjosx=Sturnine-amadous-6883<br \/>hxxps[:\/\/]koreadec[.]com\/VfZ\/9541_Plucky\/apothgm\/Purified-Beatifies[.]xhtml?carafe=9109&amp;TIo=nepotious-5579-10022&amp;STlvZ=6372<br \/>hxxps[:\/\/]koreadec[.]com\/thereckly_Theatry_lamenter\/movant-13555-Procotton\/11235\/6428-14646-9953?XG53=ethanes-ekename-aldeament&amp;Betwixt=untoggler-6715-anoles&amp;aHvBI=2guk<br \/>hxxps[:\/\/]koreadec[.]com\/07_11_1981\/Bassalian\/mUU?aplites=zH1Koq&amp;fBRR=7541_9162_witterly<br \/>hxxps[:\/\/]koreadec[.]com\/florulas_8867_11392\/brTl\/1917-08-03[.]phtml?Patining=eEo<br \/>hxxp[:\/\/]koreadec[.]com\/sSf\/Narcotise\/tenderer_Tigerfoot_Spackle<\/pre>\n<p><strong>Magnitude EK<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">hxxp[:\/\/]tryfilm[.]site\/<br \/>hxxp[:\/\/]cb0p36s1o7v352ddmb[.]outwith[.]space\/<br \/>hxxp[:\/\/]e7meue9m8hc243ja5dp8q[.]wroteon[.]club\/<br \/>hxxp[:\/\/]wroteon[.]club\/10x1b0n236fm0<\/pre>\n<p><strong>RIG EK<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">hxxp[:\/\/]212[.]109[.]198[.]22\/?NDE0MzU1&amp;iZdZ&amp;skJLa=known&amp;ljQicPIO=criticized&amp;PbvRlP=detonator&amp;t4gfhtgf4=xfQlKrcFPArhjUODfwIwyIZaUVwb96n8ikbXwRPJgJ_UrxSLNwJEqaKlJLd_mhj2&amp;bmSJmU=vest&amp;IabEYxV=strategy&amp;ffffghds=w3nQMvXcJxfQFYbGMvPDSKNbNknWHViPxomG9MildZeqZGX_k7XDfF-qoVrcCgWR&amp;qRrScLDp=difference&amp;tNEKEWCG=known&amp;qAVUDc=criticized&amp;RWWa=already&amp;NAaUs=difference&amp;tqHbh=referred&amp;XSZz=professional&amp;QqbDBluKn=referred&amp;riObvJqGb=heartfelt&amp;RTXBW=difference&amp;QEcvAFNjYzNTc=<br 
\/>hxxp[:\/\/]212[.]109[.]198[.]22\/?NDA5MTgw&amp;BXhmtpFbq&amp;rQLwisIbKvO=constitution&amp;yMpSuTkuRhu=known&amp;EPxLjfEgMobx=perpetual&amp;nxAaNt=strategy&amp;VKoMoenBvZEBoJ=already&amp;t4gfhtgf4=8vUoeLNQPQXihEHRLw1mn4ZUUlpB86umi0aAyUDOgZHU-xTbUQ5G_5qcFoF4nwvF&amp;ffffghds=wXbQMvXcJwDQA4bGMvrESLtMNknQA0KK2Ij2_dqyEoH9fGnihNzUSkr76B2aCm3Z&amp;EuhiAT=strategy&amp;IIwiBsrVTzN=community&amp;LTSPgukgZMu=golfer&amp;WHJVKfgHYyhBKA=already&amp;ruFaROBjfxdFlTw=referred&amp;erHmTrM=community&amp;rZYXaPLBZQZ=constitution&amp;alUaYovES=referred&amp;PAmrMcgpepI=golfer&amp;kWSrADlsss=professional&amp;xftTftqdNDIyNjk0<br \/>hxxp[:\/\/]212[.]109[.]198[.]22\/?NjMxNjg5&amp;VhOoAwzH&amp;BQMlhROymiqqMuw=blackmail&amp;GhAssHkhgxqw=community&amp;DegGfd=perpetual&amp;gquWWCtuJtSPU=known&amp;rAGXUesC=perpetual&amp;zLRRtbwijFH=heartfelt&amp;CIklccbXNmonSm=detonator&amp;gaxgBSvwPv=heartfelt&amp;sHkEPhjzv=constitution&amp;EKoVAfMMJrfDqut=community&amp;YDYZAvpVWZjDdO=blackmail&amp;QRRmDFtTZ=blackmail&amp;ffffghds=w3bQMvXcJxfQFYbGMv3DSKNbNkfWHViPxoeG9MildZmqZGX_k7rDfF-qoVvcCgWRxfUlKr&amp;yuImXnAAw=professional&amp;CFnDimnJDGPFi=wrapped&amp;t4gfhtgf4=cFPArhjUODfwIwyIZaUV0b96n8ikbXwRPJgJ_UrxSLNwJEqaKcHbYy0VT8xrkdQJZnxBCy&amp;NrzaCYKBrsfbC=golfer&amp;WYYKaQVuhFBMjM2MDg4<\/pre>\n<p><strong>GrandSoft EK<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">hxxp[:\/\/]pas[.]oxide[.]pimmar[.]fun\/chihuahua-posting[.]php<br \/>hxxp[:\/\/]pas[.]oxide[.]pimmar[.]fun\/getversoinpd\/1\/2\/3\/4<br \/>hxxp[:\/\/]pas[.]oxide[.]pimmar[.]fun\/9\/110546<\/pre>\n<p><strong>Underminer EK<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">hxxp[:\/\/]67[.]198[.]185[.]101\/XKIOEEEEE[.]KDJDD[.]php<br \/>hxxp[:\/\/]67[.]198[.]185[.]100\/1Hqmyt597XO0ZNj9tXit7HZOMroEJu8c[.]php<br 
\/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/index[.]php?ad_id=I27cHv2i8QxDkXOJWhnMGw&amp;re=I27cHv2i8QxDkXOJWhnMGw&amp;rt=I27cHv2i8QxDkXOJWhnMGw&amp;id=9088&amp;zone=I27cHv2i8QxDkXOJWhnMGw&amp;prod=I27cHv2i8QxDkXOJWhnMGw&amp;lp=Type&amp;st=I27cHv2i8QxDkXOJWhnMGw&amp;e=1563981076&amp;y=203384173015<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/js\/e1cuqrhmik66gu7pr90qk9v3p8[.]js<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/pubs\/servlet[.]php?fp=39fe6ccb473b08362ae067b8c0ee865d&amp;lang=en-US&amp;token=&amp;id=49457&amp;sign=5eed006ae06584a03f969b9cd3558c28&amp;validate=13b96b0bb8ac2a105d07f7c8b701f240<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/views\/31ftap0qcljocims1ubickgps8[.]html<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/logo[.]swf<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/static\/encrypt[.]min[.]js<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/static\/tinyjs[.]min[.]js<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/js\/ftp22vfljscml2370rsritui9g[.]js<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/views\/dlke6si3fr3spi30btq624ghlg[.]html<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/pubs\/article[.]php?id=471b68c405614637d03b31b4d3155244<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/views\/ul2tuocpr2isi9pperindatp3c[.]ocx[.]gz<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/views\/m7sg0k3fcvrdre8psojjlu8r2c[.]txt<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/views\/a9pf63bef3ujd1u7r6v9dda0mk[.]wav<br \/>hxxp[:\/\/]38[.]75[.]137[.]9:9088\/pubs\/wiki[.]php?id=91f093921cbb802ee2d2a22d8a4a1135<\/pre>\n<p><strong>GreenFlash Sundown EK<\/strong><\/p>\n<pre class=\"wp-block-preformatted\">hxxps[:\/\/]fastimage[.]site\/act_image[.]html<br \/>hxxps[:\/\/]fastimage[.]site\/act_image[.]html?mercy=FdMzpfikLihAnNPppGIucrCHLfiIPE0UYY9ocxDP7RzUlUu6%2BcEavY5yGiQn8ogYce3E0sgs06B1y9%2BnxZhQCg%3D%3D&amp;liberty=djji1ghk3gtx&amp;bubble=RUDOpbnkAS1xQHVxflacRzfZxQ%3D%3D<br \/>hxxps[:\/\/]fastimage[.]site\/uptime[.]js<br \/>hxxp[:\/\/]adsfast[.]site\/crossdomain[.]xml<br \/>hxxp[:\/\/]adsfast[.]site\/index[.]php<br 
\/>hxxp[:\/\/]accomplishedsettings[.]cdn-cloud[.]club\/crossdomain[.]xml<br \/>hxxp[:\/\/]accomplishedsettings[.]cdn-cloud[.]club\/index[.]php<br \/>hxxp[:\/\/]accomplishedsettings[.]cdn-cloud[.]club\/index[.]php<br \/>hxxp[:\/\/]accomplishedsettings[.]cdn-cloud[.]club\/index[.]php?58f3d135=AwNt6IfxFIvMI5IVpwl86cW8Vw67HxZLI%2BxIxOVtVcp5LRaaMtmhuElGqOGKWUki92GcJmgL0gwOElyFUkW%2FzdQ1y8Ov8MxNATzL7HlkXp5%2FtFmbrh3TWgiJ1QvTmcEwbx66CaLWd2ekFpng2ky4fKUtGRibaY8Eyjcio3ZyibnhUVlW5CpiWNiz02jHD41t%2F9NDPteWGIO1ysm2%2B4%2Bu9osgKIW1%2BmGxVxMGaRby3g%2FBaqw%3D<br \/>hxxp[:\/\/]accomplishedsettings[.]cdn-cloud[.]club\/index[.]php?58f3d135=AwNt6IfxFIvMI5IVpwl86cW8Vw67HxZLI%2BxIxOVtVcp5LRaaMtmhuElGqOGKWUki92GcJmgL0gwOElyFUkW%2FzdQ1y8Ov8MxNATzL7HlkXp5%2FtFmbrh3TWgiJ1QvTmcEwbx66CaLWd2ekFpng2ky4fKUtGRibaY8Eyjcio3ZyibnhUVlW5CpiWNiz02jHD41t%2F9NDPteWGIO1ysu3%2Fo%2Bt9IsgKIW1%2BmGxVxMGaRby3g%2FBaqw%3D<\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/\">Exploit kits: summer 2019 review<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 30 Jul 2019 16:20:33 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/' title='Exploit kits: summer 2019 review'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/shutterstock_607647752.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In this edition of our seasonal review of exploit kits, we review active and unique EKs 
hitting consumers and businesses over the summer 2019 season.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/drive-by\/\" rel=\"tag\">drive-by<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ek\/\" rel=\"tag\">EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/eks\/\" rel=\"tag\">EKs<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit-kits\/\" rel=\"tag\">exploit kits<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploits\/\" rel=\"tag\">exploits<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/fallout\/\" rel=\"tag\">Fallout<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/greenflash-sundown\/\" rel=\"tag\">GreenFlash Sundown<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/magnitude\/\" rel=\"tag\">Magnitude<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rig\/\" rel=\"tag\">RIG<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spelevo\/\" rel=\"tag\">Spelevo<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/underminer\/\" rel=\"tag\">Underminer<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/' title='Exploit kits: summer 2019 review'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/\">Exploit kits: summer 2019 review<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[17486,10527,11787,10528,10987,19945,17951,7871,11589,21791,10494,19148],"class_list":["post-15944","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-drive-by","tag-ek","tag-eks","tag-exploit-kits","tag-exploits","tag-fallout","tag-greenflash-sundown","tag-magnitude","tag-rig","tag-spelevo","tag-threat-analysis","tag-underminer"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15944"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15944\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}