In October 2019, researchers at TrendMicro discovered a new exploit kit dubbed
Experts pointed out that the code of the
“In the middle of October, we found a
Trend Micro uncovered a
The analysis of the source code of the page revealed that its content was copied using the
“In the case we identified, the campaign deployed it with their fake
Another interesting aspect of the
The API request includes the following information on the victims:
The information is AES encrypted with a pre-generated API key
Further investigation allowed the experts to discover a version of Capesand using exploits for the following vulnerabilities:
“But we did not see the exploit for the newer IE vulnerability CVE-2019-0752 indicated in their source code.” states Trend Micro. “This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the
Experts discovered that crooks are also distributing malicious landing pages via mirrored versions of legitimate websites and use domain names similar to the originals to avoid detection.
“Moreover, the architecture is evolving in the direction of distributing the malicious landing pages via mirrored versions of legitimate websites under domain names similar to the originals’.” concludes the analysis.
“In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms,”
(SecurityAffairs – Capesand exploit kit, malware)