Recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet bombing the victims with many exploits at the same time, Talos researchers discovered.
Last week I reported the news of the improvements of the Stegano Exploit kit, today we will speak about the Terror exploit kit that now includes fingerprinting capabilities.
The Terror Exploit Kit first appeared in the threat landscape in January 2017, in April experts observed a significant increase of hacking campaigns leveraging the EK.
Because of similarities with Sundown EK, experts at MalwareBytes initially thought that the Terror EK was simply a new variant of Sundown, but further investigation revealed that it was actually from a different actor (so-called Terror EK by Trustwave).
The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra that is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).
Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by exploiting Internet Explorer, Flash, and Silverlight exploits.
The Terror EK was also involved in a campaign using a different landing page that distributes the Andromeda malware.
The compromised websites were used to redirect to the exploit kit landing page via server 302 redirect call and done via script injection.
The powerful exploit kit was observed carpet bombing victims using many exploits at the same time, but now experts from Talos group observed a significant change in their tactic. News of the day is that the Terror Exploit Kit was improved with new exploits and implemented fingerprinting abilities. These latter features allow the EK to determine what exploit would be used in order to compromise the target system.
The new variant of the Terror Exploit Kit was able to determine the specific OS running on the victim’s PC, the browser version, installed security patches and plugins.
The researchers were served different files when accessing the site via different browsers, such as Internet Explorer 11 or Internet Explorer 8.
Talos malware researchers identified a potentially compromised legitimate website that operates as a malware gate. The website was initially used to redirect visitors to a RIG landing page, after a single day of analysis the gate switched to Terror exploit kit.
“Terror seems to constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim’s environment and then picks potentially successful exploits depending on the victim’s operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.” reads the analysis published by Talos.
“It is interesting to note that the adversaries are using an URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.”
The compromised website discovered by Talos experts redirects users to the EK landing page by using an HTTP 302 Moved Temporarily response, like previous campaigns.
The EK also uses cookie-based authentication for downloading the exploits, which prevents third-parties from accessing them, the security researchers discovered. This approach prevents not only investigators from learning where from or how the victims were infected, but also stops competitors from stealing the exploits.
“We have seen that the exploit kit market is experiencing an ongoing change. Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools. This clearly shows how important it is to make sure that all your systems are up to date,” concluded Talos.
(Security Affairs – Terror Exploit Kit, hacking)