3.1 Exploit kits

An exploit kit is a web application that serves a collection of exploits. The idea behind it is to try many combinations of exploits against the victim. A victim could be running any version of Internet Explorer with some version of Flash Player installed, and the exploit kit can carry exploits for various versions of Flash and Internet Explorer on various versions of Windows. Code in the exploit kit usually checks the operating system, browser version, and browser plugins installed on the victim's machine and serves the exploit matching those versions. The code that does this is called the landing page. The landing page runs silently and the victim gets no notification of it. After the landing page has collected the victim's details, it delivers an exploit suited to compromising that victim. The landing page is usually highly obfuscated, and security analysts find it hard to de-obfuscate:

Landing page of an exploit kit

The landing page is almost unreadable to a human; you can see that the variable names look scrambled. Analysts use tools such as Malzilla to de-obfuscate these landing pages. We will talk about analyzing and de-obfuscating JavaScript in a later part of the chapter.

Sometimes an exploit kit has another intermediate layer called a gate. The gate does some extra checks before forwarding control to the landing page. It checks basic attributes, such as the operating system and region: if the exploit kit has only Windows exploits, it is pointless to try them on Linux or Mac operating systems. After confirming that the victim's operating system is Windows, the gate redirects to the landing page, which checks finer details, such as the operating system version, browser version, and browser plugins. After profiling the victim, the landing page delivers a suitable attack that can compromise the victim. The gate can also check the victim's geographical location.

The exploit kit is hosted on a web server and its URL is distributed. The most common technique in the recent past was to inject these URLs into legitimate sites, so that a victim could be infected just by visiting a legitimate site. We call this technique of spreading malware a drive-by-download attack. The legitimate sites may have web application vulnerabilities, such as cross-site scripting, that allow the attacker to inject the malicious URL into the website. The injected URL does not change the look and feel of the legitimate site, so the victim is not aware of the malicious activity in the background. Hidden iframes containing the exploit kit URL are injected into legitimate sites. For those who have not come across it before, an iframe is an HTML tag used to embed content from another HTML page; here it is used to redirect the visitor of a clean site to a malicious site:

Exploit kit flow

If the exploitation succeeds, the shellcode (explained in Chapter 1, Exploits) downloads malware. The malware can be ransomware or a downloader (downloaders are described in section 4, Types of Malware, in Chapter 1, Malware from Fun to Profit). A downloader is malware that can be configured to download any other kind of malware. In the recent past, most exploit kits downloaded versions of CryptoLocker. Bedep was a downloader delivered by some exploit kits, which in turn was used to download ransomware.

It has been a decade since exploit kits were first discovered. The first exploit kit, found in 2006, was the WebAttacker kit. MPack was the second exploit kit, and traces of MPack were found at the end of 2006. Some popular exploit kits that followed include:

  • Blackhole
  • Angler
  • Rig
  • Neosploit
  • Nuclear
  • Sweet Orange
  • Magnitude
  • Fiesta

These kits were distributed via spam emails and compromised websites. We will describe a few exploit kits involved in ransomware attacks later in this chapter, as well as in other chapters. Writing an exploit is extremely complex. An exploit kit can include 0-day exploits that were not seen earlier, for which no patch was available, so much of the time they were hard to stop. Many of these exploit kits were sold as tools on the underground market.

Hackers run exploit kit campaigns to spread the exploit kit and increase their coverage. Afraidgate, pseudo-Darkleech, and EITest are popular exploit kit campaigns. A campaign can be identified by the way the compromised sites are infected.

The following is a snapshot of an injected iframe used in the pseudo-Darkleech campaign. This iframe was injected into a very popular legitimate site:

Darkleech campaign

The injected iframe sits between a <span> tag and a following <noscript> tag. The preceding campaign was used by the Neutrino exploit kit and downloaded CrypMIC ransomware. Darkleech is a malicious Apache web server module that injects malicious iframes into the hosted websites.

Other types of campaigns can be similarly recognized by their patterns.
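As an added example (not code from the book), the following Python checker scans page HTML for iframes hidden by size, by style, or by the span/noscript placement described above. The sample page, hostnames and heuristics are constructed for illustration.

```python
import re
from collections import deque
from html.parser import HTMLParser

# Constructed sample page (not a real site): one ordinary visible video embed and one
# injected iframe that follows a <span>, sits inside <noscript>, and is sized/styled to be invisible.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.test/embed/42" width="560" height="315"></iframe>
<span></span><noscript><iframe src="http://landing.example.test/land.php"
 width="1" height="1" style="position:absolute;left:-9999px;display:none"></iframe></noscript>
</body></html>"""

# Inline styles commonly used to keep an iframe off-screen or invisible.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel, a common way to hide an iframe."""
    digits = re.sub(r"px$", "", (value or "").strip().lower())
    return digits.isdigit() and int(digits) <= 1

class IframeAuditor(HTMLParser):
    """Records every <iframe> that shows signs of being hidden from the viewer."""
    def __init__(self):
        super().__init__()
        self.recent = deque(maxlen=3)   # last few start tags, to spot the span -> noscript pattern
        self.in_noscript = False
        self.findings = []              # (src, [reasons]) for each suspicious iframe

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "noscript":
            self.in_noscript = True
        elif tag == "iframe":
            reasons = []
            if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
                reasons.append("tiny-size")
            if HIDDEN_STYLE.search(attrs.get("style") or ""):
                reasons.append("hidden-style")
            if self.in_noscript and "span" in self.recent:
                reasons.append("span-noscript-pattern")
            if reasons:
                self.findings.append((attrs.get("src") or "", reasons))
        self.recent.append(tag)

    def handle_endtag(self, tag):
        if tag == "noscript":
            self.in_noscript = False

def find_hidden_iframes(html):
    """Return a list of (src, reasons) for iframes that look injected or hidden."""
    auditor = IframeAuditor()
    auditor.feed(html)
    return auditor.findings
```

Run `find_hidden_iframes(SAMPLE_HTML)` on a saved copy of a page; the visible video embed is not reported, while the injected iframe is flagged with all three reasons.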

We sometimes define the whole process of infection as a drive-by-download attack. The victim visits a site and, without their knowledge, the browser is redirected to exploit kit sites and ends up infected. We will go through a small case study of the Rig exploit kit, which was used in the distribution of Cerber ransomware. I am using a pcap from http://www.malware-traffic-analysis.net/2016/12/26/index.html. The exploit kit uses a pseudo-Darkleech campaign:

Network traffic

The compromised site is infected and the iframe is injected into it:

Injected iframe in the compromised website

The injected iframe redirects the victim to the landing page hosted on http://acc.MOBILALIBEY.COM/. The landing page is highly obfuscated:

The landing page

Needless to say, it would take a long time to read such a heavily obfuscated page. The landing page then delivers a Flash exploit to the victim. After successful exploitation, the Flash exploit downloads the Cerber ransomware.

Malvertising is another popular method hackers use to reach victims with exploit kits. Malvertising means malicious advertising: delivering malicious content through online advertisements. Many sites offer to show advertisements related to your company, and many bloggers integrate with advertising networks and receive revenue in return. Very popular sites can generate a lot of revenue by allowing advertisements, and we see a lot of advertising on news sites; it is common for a normal user to see ads on many sites and forums. Attackers compromise these advertisements and inject malicious code into them. When a user clicks an advertisement served on such a site, they end up compromised. The Angler exploit kit was spread in 2016 using malvertising.

We will talk about a few exploit kits that contributed to ransomware distribution in the following sections.
