Web pests pour two exploit kits into one cup

RIG, Sundown, deployed in Java campaign.


Web pests have taken an unusual step and delivered two competing exploit kits for the price of one.

The feat, noted by Malwarebytes lead intelligence analyst Jérôme Segura, is rare in VXer circles. Perps usually pick one exploit kit and build a campaign around it.

Unlucky web users have therefore drunk from the cup of both the RIG and Sundown exploit kits, which execute if users allow malicious JavaScript to run.

The attacks kill Windows Security Centre and deploy the recently patched Internet Explorer zero-day (CVE-2016-0189) and a Flash exploit (CVE-2015-8651).

"It is a little strange when you see an attack making use of two different exploit kits," Segura says.

"This has happened in the past, sometimes by accident, but remains an oddity.

"The case we are looking at today does not appear to be a fluke though because the payload being served by each exploit kit is identical, making this more likely a deliberate action either for testing purposes or to increase infection rates."

The testing happened in the shadow of the demise of Angler, until recently the most powerful and sought-after exploit kit on the market.

That kit boasted rapid integration of new vulnerabilities that made it able to employ zero day attacks on Flash, Java, and Silverlight.

It also employed a battery of complex obfuscation tricks including file-less infection and bypassing of Microsoft's lauded EMET security tool.

Its demise is largely a mystery to the security and intelligence community.
