Exploit kits are frequently used to deliver malware payloads onto victim systems. Clicking a malicious link in a phishing email, visiting a compromised site, or malvertising on a legitimate site are among the techniques most commonly used by threat actors to lead victims to exploit kit (EK) servers. In late August, Proofpoint researchers detected an infection attempt via malvertising that showed just how popular these services can be with threat actors.
The details are discussed in a new blog post, which can be found here; the key takeaways are listed below:
Proofpoint has witnessed a new trend towards multiple-payload attacks, effectively rendering impacted systems unrecoverable, with associated financial and productivity impact.
Instead of a single payload, such as a remote access tool or ransomware, these attacks deploy a veritable 'clown car' of malware. What appears to be a single, small initial incursion continues to download and unpack an ongoing chained series of multiple forms of malware, including multiple adware variants, remote access tools, ransomware, and other malware. This flood of infection makes it almost impossible for threat response teams to remediate, as they can't be sure a targeted system is ever again 'clean'; it is better to wipe the hard drive (or even discard the system) and start over.
Rental of an exploit service can cost an actor up to thousands of dollars per month, so it is natural for actors to want to maximize their chances of infection by using malware payloads rendered "Fully Undetectable" (or FUD) by obfuscation services and by aggressively selling traffic and spam services. Conversely, high demand for a particular EK can tempt the owner to maximize their revenue opportunity by selling every infection opportunity to as many affiliates as possible. As this example shows, this can lead to payload after payload dropping out of a long infection chain, which highlights the fact that today's infections are rarely a matter of a single exploit delivering a single payload… and in this case the result is a client that is, for all intents and purposes, unrecoverable.
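The pattern described above, a single small incursion followed by a chain of distinct payload downloads from one endpoint, is something a defender can hunt for in web proxy logs. The following detector is an added example and is not code from the original post or from Proofpoint. It assumes a simplified, constructed proxy log format (timestamp, client IP, URL, HTTP status, content type, SHA-256 of the response body); the hosts and hashes in the sample are placeholders, not indicators from the post. It flags any client that fetches at least `min_distinct` distinct executable payloads within `window` of its first executable download, which separates a "clown car" chain from a legitimate one-off installer download.

```python
"""Flag endpoints that pull a chain of distinct executable payloads in a short window.

Added, illustrative detector (not Proofpoint's code). Assumes a constructed
proxy log format: ISO timestamp, client IP, URL, HTTP status, content type,
SHA-256 of the response body ("-" when none). Real logs need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Hosts and hashes are placeholders, not IoCs.
# 10.0.0.5 shows a multi-payload chain; 10.0.0.7 downloads two unrelated
# installers hours apart and should not be flagged.
SAMPLE_LOGS = """\
2016-08-30T10:01:02 10.0.0.5 http://ad-network.example/serve?id=991 200 text/html -
2016-08-30T10:01:09 10.0.0.5 http://cdn-a.example/flash/swf.php 200 application/x-shockwave-flash aaaa1111
2016-08-30T10:01:15 10.0.0.5 http://cdn-a.example/stage1.exe 200 application/octet-stream 1111aaaa
2016-08-30T10:03:40 10.0.0.5 http://cdn-b.example/adw.exe 200 application/octet-stream 2222bbbb
2016-08-30T10:05:02 10.0.0.5 http://cdn-c.example/rat.bin 200 application/octet-stream 3333cccc
2016-08-30T10:12:51 10.0.0.5 http://cdn-d.example/locker.exe 200 application/octet-stream 4444dddd
2016-08-30T10:13:00 10.0.0.5 http://cdn-d.example/locker.exe 200 application/octet-stream 4444dddd
2016-08-30T10:02:00 10.0.0.7 http://vendor.example/update.exe 200 application/octet-stream 5555eeee
2016-08-30T14:30:00 10.0.0.7 http://vendor.example/tool.exe 200 application/octet-stream 6666ffff
"""

# Content types treated as executable payloads (assumption; extend for your proxy).
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
}


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, url, status, ctype, sha256 = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "url": url,
        "status": int(status),
        "ctype": ctype,
        "sha256": sha256,
    }


def find_payload_chains(lines, window=timedelta(minutes=30), min_distinct=3):
    """Return {client: {"first": ts, "hashes": [...], "urls": [...]}} for every
    client that fetched at least `min_distinct` distinct executable payloads
    (distinct by SHA-256) within `window` of some executable download.
    Repeated fetches of the same hash count once, so a retry is not a chain."""
    per_client = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if (rec["status"] == 200 and rec["ctype"] in EXECUTABLE_TYPES
                and rec["sha256"] != "-"):
            per_client[rec["client"]].append(rec)

    hits = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        # Slide a window anchored at each download; report the first one that
        # accumulates enough distinct payloads, then move on to the next client.
        for i, anchor in enumerate(recs):
            seen = {}  # sha256 -> first URL it was fetched from (insertion-ordered)
            for rec in recs[i:]:
                if rec["ts"] - anchor["ts"] > window:
                    break
                seen.setdefault(rec["sha256"], rec["url"])
            if len(seen) >= min_distinct:
                hits[client] = {
                    "first": anchor["ts"],
                    "hashes": list(seen),
                    "urls": list(seen.values()),
                }
                break
    return hits


if __name__ == "__main__":
    for client, hit in find_payload_chains(SAMPLE_LOGS.splitlines()).items():
        print(f"{client}: {len(hit['hashes'])} distinct payloads starting {hit['first']}")
        for sha, url in zip(hit["hashes"], hit["urls"]):
            print(f"  {sha}  {url}")
```

On the constructed sample this flags only 10.0.0.5, with four distinct payload hashes in about twelve minutes; the duplicate fetch of `locker.exe` is collapsed into one entry. Tuning `window` and `min_distinct` against your own baseline of legitimate software updates is what keeps the rule from firing on patch days, and a hit is a reason to treat the host as a rebuild candidate rather than to clean it piecemeal, which is the remediation point the post makes.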