Two of the most popular exploit kits Angler and Nuclear are gone, with Neutrino and RIG being the leading crimekits now, though, still far from reaching the EK traffic registered just a couple months ago
While the developers of malware are turning to Neutrino and RIG for distribution purposes, as well as to other smaller EKs, the security experts are looking into how the threat landscape is evolving, and they are signaling a massive change. Still, the exploit kit traffic is just a small percentage of what it used to be: it dropped 96% since this April.
This summer starts with a major shift on the malware landscape, fueled by the apparent demise of some of the biggest names out there: the Angler and Nuclear exploit kits, along with the Necurs botnet, which brought down Dridex and Locky. The malware industry clearly took a hit when all these big names disappeared, but we shouldn’t open the champagne just yet, since others have already taken over their malicious activities.
The most interesting thing to note, however, is that a graph published by Proofpoint late last week suggests that Nuclear was still active during the second half of May.
Following Nuclear, the Necurs botnet suffered an outage at the end of May, which resulted in Dridex and Locky infections coming to an essential stop on June 1. Although their infection campaigns amounted to hundreds of millions of spam messages, the two pieces of malware were so tightly related to Necurs that they went down along with it, albeit they attempted slow recovery a few days later.
The largest hit that the malware industry took this year, however, was the death of Angler, which was the most used exploit kit out there, accounting for around two thirds of all EK traffic in the first three months of the year.
The general consensus among security researchers is that Angler, which was abusing recent Flash zero-days and was capable of evading Microsoft’s EMET, is dead, given that it has completely vanished from all infection chains on June 7. Starting with that date, the payloads usually dropped by Angler started being delivered by Neutrino, including the CryptXXX ransomware, which was seen being dropped by Angler since its initial appearance on the threat landscape.
The experts from Proofpoint claim that the switch from Angler to Neutrino wasn’t an overnight one, but Angler’s activity has been steadily dropping since early April, until it came to a full stop in the beginning of June. They also explain most of the Angler customers have migrated to Neutrino and RIG, but that Sundown is also showing small traffic.
CryptXXX ransomware was distributed via Neutrino before Angler’s disappearance too, but most of the biggest infection path migrated to it in June. The Proofpoint researchers also explained that CryptXXX’s shift from Angler to Neutrino was accompanied by a jump to the latter EK of threat actors who operate with traffic from high-profile malvertising chains or from compromised websites.
“By our estimates, Neutrino dropping CryptXXX account for as much as 75% of observed exploit kit traffic, and another 10% combined from Neutrino and Magnitude dropping Cerber ransomware. Most of the remaining 15% of EK traffic is RIG dropping a variety of payloads (banking Trojan, info stealers, loaders) on lower-value malvertising traffic, with various smaller EKs such as Sundown, Kaixin, Hunter and others making up the last 1% of total observed EK traffic,” Proofpoint stated.
Nevertheless, when compared to the beginning of April, the current EK traffic is insignificant, mainly because two major threat actors are seemingly suspending campaigns instead of migrating fully to Neutrino, Proofpoint says. They also note that the silence noticed after several months of very high-volume attacks and heavy traffic to Angler-compromised sites is striking and that the overall EK traffic is down 96% since two months ago.
According to Kaspersky Lab, Angler and Nuclear, which are considered two “market makers,” are almost completely out of the game. “As a result, groups that were distributing their malware through those exploit kits switched to using Neutrino and RIG exploit kits. For example, the group behind the CryptXXX ransomware switched over to Neutrino (early they worked only with Angler),” Anton Ivanov from Kaspersky Lab said..
“Currently we are seeing a rapid increase in the usage of the Neutrino exploit kit,” Ivanov added. The researchers explained to us that the Neutrino EK is currently used mainly for the distribution of the CryptXXX ransomware, while Magnitude is used to distribute the Cerber ransomware, and RIG is focused on spreading the Betabot Trojan.
However, what remains to be seen is how well Neutrino, RIG and Magnitude will manage to fill in for Angler and Nuclear. Neutrino EK’s effectiveness compared to Angler’s is questionable, especially when noticing the large contraction in worldwide EK activity that Proofpoint warns about.
According to Kafeine, it’s very difficult to pinpoint exactly the recent switch in EK activity, but users shouldn’t feel safer than before.
“Most of infection paths/vectors are still alive. Bad guys have switched weapons…but they are still firing,” Kafeine said. As long as there’s money to be made, cybercriminals are expected to either revive old projects or find new tools to conduct their nefarious operations. For that reason, it’s very important that users make sure they keep their software up to date at all times, to stay protected from the drive-by download attacks that EKs usually employ.