During 2016, we witnessed the collapse of three major exploit kits that had previously been used for mass malware delivery: Nuclear first, then Angler and later Neutrino. Along with other, more private EKs such as Magnitude, they caused major damage in previous years and served as the infection vector for many malware-distribution campaigns. Even before these EKs disappeared, we had identified a decline in EK trade on the closed platform we monitor: no new exploit kits were offered, frequent requests for a recommended exploit kit went unanswered, and users of the existing EKs complained repeatedly about low success rates.
With RIG the last privately traded EK and Neutrino, shortly before, on its last breath, it came as no surprise that evidence collected from malware distribution campaigns as early as June 2016 showed an almost 100% decline in exploit kit activity within just a few months.
Moreover, the demand for this kind of tool is so high that one seller launched an automated platform that builds an obfuscated loader for subscribed clients. The service includes access to an administration panel where the client can generate malicious JScript files and set their parameters (extension, name and the URL from which the main malware will be downloaded), with prices varying according to the obfuscation type and ranging from $1-$2 per loader stub. We have in fact seen increased use of such JS loaders, alongside other malware strains, in recent Cerber and Locky campaigns.
In addition to the automated services described above, we detected several other loaders offered for sale during 2016; Godzilla Loader and Quant Loader were the most prominent and were soon actively used to deliver malware.
Another old vector that regained popularity during 2016 is malicious macro code embedded in Office files. Although this is an old trick, and macros are disabled by default in recent Office versions, the vector is vigorously exploited by cybercriminals, who rely mainly on sophisticated social engineering to lure users into enabling macros. We spotted numerous new services on Russian forums offering to create obfuscated, macro-laden Office files (mainly Word, with Excel to a lesser extent), and these quickly became real attack vectors in the wild.
In a closed-forum discussion on the efficiency of JS and macro code, the members concluded that as long as .js/.vbs/.wsf/.hta/.jse files hidden in a ZIP archive were not blocked by AV programs, they would remain an effective distribution vector, however old and infamous. This discussion neatly illustrates the tendency of Russian cybercriminals to continue using JS script loaders and macro code to deliver malware.
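As an added illustration from the defender's side (example code, not part of the report), a small Python attachment filter that acts on exactly this observation: it unpacks a ZIP attachment in memory, flags entries with the script extensions the discussion lists and Office files that carry a VBA project, and recurses into nested ZIPs so an archive inside an archive does not hide the payload. The sample archive is constructed inline; `scan_zip`, `has_vba_project` and `build_sample` are hypothetical names.

```python
import io
import os
import zipfile

# Script extensions the forum discussion names as still-effective loaders
# when hidden inside a ZIP archive, plus OOXML containers that can carry VBA.
SCRIPT_EXTENSIONS = {".js", ".vbs", ".wsf", ".hta", ".jse"}
OFFICE_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".docx", ".xlsx"}


def has_vba_project(data):
    """True if an OOXML document carries a VBA project part (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def scan_zip(data, depth=0, max_depth=3):
    """(path, reason) findings for a ZIP; nested ZIPs are unpacked up to max_depth."""
    findings = []
    if depth > max_depth:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append((info.filename, "script loader extension " + ext))
            elif ext in OFFICE_EXTENSIONS and has_vba_project(zf.read(info.filename)):
                findings.append((info.filename, "Office file with VBA project"))
            elif ext == ".zip":
                for path, reason in scan_zip(zf.read(info.filename), depth + 1, max_depth):
                    findings.append((info.filename + "/" + path, reason))
    return findings


def build_sample():
    """Constructed sample: benign text, a .js stub and a nested ZIP with a macro .docm."""
    docm, inner, outer = io.BytesIO(), io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.docm", docm.getvalue())
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "plain text, not flagged")
        z.writestr("Invoice_2016.pdf.js", "// constructed stand-in for a loader stub")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan_zip(build_sample())` reports the double-extension `.js` entry and the macro-enabled document inside the nested ZIP, while the plain text file passes.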