Exploit Kits Out, Loaders and Macros Back in

During 2016, we witnessed the collapse of three major exploit kits that had previously been used for massive malware delivery: first Nuclear, then Angler and later Neutrino. Along with other, more private EKs (such as Magnitude), they caused major damage in previous years and served as infection vectors for many malware-distribution campaigns. But even before these EKs disappeared, we identified a decline in EK trade on the closed platform we monitor: no new exploit kits were offered, frequent requests for a recommendation of a good exploit kit went unanswered, and users of the existing EKs posted multiple complaints about low success rates.

With RIG left as the last privately traded EK, and Neutrino having been on its last breath shortly before, it came as no surprise that evidence collected from malware distribution campaigns from as early as June 2016 showed an almost 100% decline in exploit kit activity within just a few months.

Timeline of four of the most prominent exploit kits active in recent years

However, nature abhors a vacuum, and enterprising malware developers duly turned to a new-old distribution vector: loaders. Loaders never ceased to be active (the Andromeda loader, for example, has been sold continuously since 2011), but in 2016 we saw intensive effort invested in developing loader software, particularly loaders written in JavaScript.

Moreover, demand for this kind of tool is so high that one of the sellers launched an automated platform that generates an obfuscated loader build for subscribed clients. The service includes access to an administration panel where the client can produce malicious JScript files and specify their parameters (extension, name and the URL from which the main malware will be downloaded); prices vary with the type and extent of obfuscation, ranging from $1 to $2 per loader stub. Specifically, we have seen increased use of these JS loaders, alongside other malware strains, in recent Cerber and Locky campaigns.

The advertisement for JS Loader service – an automatic platform that produces obfuscated JS loaders

In addition to the automated service described above, we detected other loaders offered for sale during 2016: Godzilla Loader and Quant Loader were the most prominent, and both were soon actively used to deliver malware.

Sales threads of Godzilla Loader and Quant Loader

Another old vector that regained popularity during 2016 is malicious macro code embedded in Office files. Although this is an old trick and macros are disabled by default in recent Office versions, the vector is vigorously exploited by cybercriminals, who rely mainly on sophisticated social-engineering lures to get users to enable macros. We spotted numerous new services on Russian forums offering to create obfuscated, macro-stuffed Office files (mainly Word, with Excel to a lesser extent), and these quickly became real attack vectors in the wild.

Services for Office files with embedded macro code offered on Russian forums

In a closed forum discussion on the efficiency of JS and macro code, the members concluded that as long as .js/.vbs/.wsf/.hta/.jse files hidden in a ZIP archive were not blocked by AV products, they would remain an effective distribution vector despite being old and infamous. This discussion illustrates well the tendency of Russian cybercriminals to continue using JS script loaders and macro code to deliver malware in the future.
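The defender-side counterpart to the discussion above is a gateway check that looks inside ZIP attachments for the script types the forum members named, deciding by the final extension because that is how Windows dispatches a double-clicked file. This is an added example, not code from the original post; the extension set (the page's list plus .vbe as an assumption), the archive contents and the filenames are constructed.

```python
"""Flag Windows Script Host / mshta-executable members hidden in a ZIP archive.
Added example; the sample archive below is constructed for illustration."""
import io
import zipfile

# Script types named in the forum discussion, plus .vbe (assumption: also WSH-run).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def flag_script_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members whose final extension is a script type.

    Only the last extension matters: 'Invoice.pdf.js' is dispatched as a
    JScript file, not as a PDF. Trailing spaces or dots are stripped before
    the check because Windows ignores them when resolving the extension."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].rstrip(" .")
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP archive from {name: content} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a benign PDF and text file next to a double-extension script.
    sample = build_zip({
        "Invoice_2016.pdf": b"%PDF-1.4 constructed placeholder",
        "Invoice_2016.pdf.js": b"// constructed placeholder, not a real loader",
        "docs/readme.txt": b"constructed placeholder",
    })
    print(flag_script_members(sample))  # ['Invoice_2016.pdf.js']
```

In a mail gateway this check runs before AV scanning and is cheap enough to apply to every archive attachment, quarantining any hit regardless of signature detection.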
