Exploit Kits: How They Work and How to Protect Yourself

Imagine shopping for a hacking tool. One that can be operated without any expertise in cybersecurity — the tool is fully developed, managed and updated, and available on a subscription basis. 

This is the reality of exploit kits, which are software tools built to exploit vulnerabilities automatically, with minimal effort on the part of the user. Cybercrime marketplaces in the dark web often mirror the “as-a-Service” software industry. Anyone can purchase fully-functional tools to execute drive-by download attacks on unsuspecting users of vulnerable technologies, systems and services online.

Today, we’re exploring this malicious market favorite and taking a deep dive into the world of exploit kits. Here’s everything you need to know about these dangerous attack tools.

What is an exploit kit?

An exploit kit is a malicious software toolkit designed to automatically target and exploit known vulnerabilities in: 

  • Web browsers
  • Plugins 
  • All kinds of software applications 

These are often developed for and sold to hobbyist hackers and small-time malicious actors rather than organized cybercrime groups, but that doesn’t make them any less threatening. 

Exploit kits cover a gap in a cybercriminal’s toolbox. They may want to rely on simple and automated tools to launch a large-scale cyberattack but lack the resources to build such systems on their own — an exploit kit can solve that problem for them, and in turn, cause major problems for you.

How exploit kits work

Exploit kits typically target simple, well-known vulnerabilities, letting any malicious actor carry out a drive-by malware payload delivery with a few simple clicks. These “drive-by” payloads install malware without the knowledge or authorization of the target user. Often the delivery takes the form of a malicious redirect, backed by social engineering tactics that make the redirect appear legitimate.

The tools operate like a standard server-side HTTP application that responds to a network request. Exploit kits include a decision-making module that fingerprints the visiting client from a standard HTTP request. The details carried in the resulting URL query string are run against a list of browser extensions, plugins and software such as Adobe Flash or Java. The code determines whether the target’s version contains a known vulnerability and matches it with the available exploits. If there’s a match, the attack is carried out.
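The version-matching step described above is the same comparison a defender performs when auditing a client's reported plugin versions against the releases that fixed a vulnerability. The following is an added example, not code from the original article or from any real kit: it pulls version parameters out of a landing-page-style query string and checks each against a fixed-in table. The plugin names, version numbers and the sample URL are constructed for illustration, and the table is hypothetical rather than taken from any advisory. The one detail worth noticing is that versions must be compared numerically, component by component; a plain string compare would rank "10.9" above "10.10" and mis-classify a patched client.

```python
"""
Added example (not code from the original article): the version-matching
step an exploit kit's decision module performs, written here as a defender's
audit of a client's reported plugin versions against known-patched releases.
Plugin names, versions and the sample fingerprint are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed table: plugin -> first version that fixed a (hypothetical)
# vulnerability. Anything older is treated as exploitable.
FIXED_IN = {
    "flash": "18.0.0.209",
    "java": "8.0.51",
    "reader": "11.0.12",
}


def parse_version(text):
    """Turn '18.0.0.160' into (18, 0, 0, 160) so the comparison is numeric.
    A plain string compare would wrongly rank '10.9' above '10.10'."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"malformed version component: {piece!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(plugin, version):
    """True if the reported version predates the fix. Unknown plugins and
    unparsable versions are reported as not matched rather than as exploitable,
    so a malformed fingerprint never produces a false 'vulnerable' verdict."""
    fixed = FIXED_IN.get(plugin)
    if fixed is None:
        return False
    try:
        return parse_version(version) < parse_version(fixed)
    except ValueError:
        return False


def fingerprint_from_url(url):
    """Extract plugin version parameters from a landing-page URL query string,
    e.g. '...?flash=18.0.0.160&java=8.0.60'. Only the first value per key is kept."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in FIXED_IN}


def matching_exploits(url):
    """Return the sorted list of plugins whose reported version is still
    vulnerable; an empty list means there is nothing for a kit to fire."""
    fp = fingerprint_from_url(url)
    return sorted(p for p, v in fp.items() if is_vulnerable(p, v))


if __name__ == "__main__":
    # Constructed sample: Flash is behind the fix, Java is current, Reader is garbage.
    sample = "http://landing.example/gate.php?flash=18.0.0.160&java=8.0.60&reader=abc"
    print(matching_exploits(sample))  # ['flash']
```

Run as a script it prints the one plugin a kit would have an exploit for on that sample client; in an audit you would feed it the inventory of versions your endpoints actually report and treat any non-empty result as a patching gap.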

Several open-source components are used to develop an exploit kit, including:

  • PHP scripting engines
  • Apache web servers
  • MySQL databases

These are paired with an infrastructure to communicate from the client side of the application to a backend command-and-control center responsible for distributing the appropriate malware payload.

Exploit kits are fairly advanced from a usability perspective. New exploits are frequently added to target new vulnerabilities that may remain under the radar for unsuspecting users. These kits also typically have an administration user interface that lets operators configure the kit and view statistics for further analysis of the exploitation process.

With all of this functionality, attacks can become easier than ever. Unsurprisingly, this has also led to some high-profile attacks.

Examples of exploit kit attacks

Consider the example of the popular HanJuan exploit kit, which in 2015 allowed cybercriminals to deliver “malvertisements” and banking trojans by exploiting zero-day vulnerabilities in the Flash player used by millions of websites.

The exploit began with the popular adf.ly redirect. Following a complex redirect chain, the exploit kit identified the vulnerabilities in the Flash player and Internet Explorer before dropping a malicious payload wrapped in several layers of encryption. Here’s a quick summary of the attack kill chain:

  • The interstitial ad loads via JavaScript code execution.
  • Multiple redirections take place before the intended URL, containing target-specific details such as browser versions, is loaded via a Cross-Origin Resource Sharing mechanism.
  • The HTTP header Access-Control-Allow-Origin validates permissions to exchange information between the client and the command and control center.
  • The redirect makes the connection with a malicious website containing the exploit payload.
  • The kit includes a Flash exploit and an Internet Explorer exploit, and the payload is delivered via a random URL with a .dat extension.

Once the browser injection is completed, the attacker has several exploit options depending on the versions of the browser and its plugins. For instance, the Fobber malware could be used to steal Google login credentials before they were encrypted and transmitted to the backend servers for authentication.

Similarly, malware could be used to capture sensitive financial information and login credentials, potentially allowing cybercriminals to steal directly from the financial accounts of their target victims.

With popular exploit kits like this causing major damage, it’s important to be proactive and prepared. Here are some ways you can defend against these types of attacks.

Protecting yourself from exploit kits

The effectiveness of an exploit kit relies on two key factors: 

  • Social engineering 
  • System vulnerabilities 

Look out for social engineering cues

Since most exploit kits are designed to target at scale and compromise any victim that falls prey to the attack, these tools rely on simple and automated execution capabilities. Because they’re not designed to target a specific entity, their social engineering messaging is often generic. This makes it easier to spot malvertisements and messaging that encourages readers to click a suspicious download button or hyperlink.

Social engineering might appear as any of the following:

Quickly repair vulnerabilities

Vulnerable systems are difficult to control, especially in enterprises and business organizations that operate under a rigid governance process for patch management and software updates.

If your organization lacks an efficient mechanism to push available security updates to vulnerable systems, chances are that users within your organization are prime targets for cybercriminals employing exploit kits as part of a large-scale cyberattack.

Automatic updates can be a great way to ensure that you’re receiving critical security updates promptly, and before attackers can make use of known vulnerabilities in previous software versions.

Limit user privileges

As with any other attack type, you can minimize the impact by following the principle of least privilege. By giving users only the permissions necessary to perform their tasks, you can lower the probability that a compromised account will be able to interact with your most sensitive data or systems.

Foster cyber threat intelligence 

Education is at the core of any defense strategy. After all, it can be difficult to avoid attacks if you’re not sure what to look for. Staying up to date with cyber threats and educating teams and stakeholders on safety measures is critical, especially when a primary aspect of exploit kits is social engineering. 

Your team should be cautious of suspicious emails that play on urgency or fear, and should carefully vet links and attachments being sent their way.

Implement prevention & detection systems

One way to stop exploit kits in their tracks is to implement intrusion prevention/detection systems (IPS/IDS). By scanning network traffic for the signatures of known attack scripts, these systems can detect and block attacks before they compromise your data. Just as exploit kits share known exploits, cybersecurity pros can share defense knowledge and prepare safeguards that don’t interfere with legitimate network traffic.
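The kill chain summarised in the HanJuan example (a redirect chain, then a landing page that receives browser and plugin versions in its query string, then a payload fetched from a random URL with a .dat extension) has a shape that network-side detection can look for, which is the kind of logic an IDS signature encodes. The following is an added example, not code from the original article: a small analyser that runs that logic over proxy log lines. The log lines, host names and the four-field log layout are constructed for illustration and do not correspond to any real proxy format or real infrastructure. It deliberately requires the redirect chain to cross several distinct hosts, because ordinary on-site redirects (a login bounce on one host, as in the second client's traffic) would otherwise be flagged.

```python
"""
Added example, not code from the original article: a log analyser that looks
for the kill-chain shape described in the text (redirect chain across several
hosts -> landing page receiving version details in its query string -> payload
fetched from a random URL with a .dat extension). The log lines, host names and
field layout are constructed; no real proxy format is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<ISO timestamp> <client> <status> <url>"
SAMPLE_LOG = """\
2015-06-01T10:00:00 10.0.0.5 200 http://news.example/article
2015-06-01T10:00:01 10.0.0.5 302 http://ads-one.example/click?id=7
2015-06-01T10:00:01 10.0.0.5 302 http://ads-two.example/go
2015-06-01T10:00:02 10.0.0.5 302 http://tracker.example/r
2015-06-01T10:00:03 10.0.0.5 200 http://landing.example/gate.php?flash=18.0.0.160&ie=11.0
2015-06-01T10:00:05 10.0.0.5 200 http://landing.example/x8fj3kd9q2/a91kd0.dat
2015-06-01T10:05:00 10.0.0.9 200 http://news.example/article
2015-06-01T10:05:01 10.0.0.9 302 http://news.example/login
2015-06-01T10:05:02 10.0.0.9 200 http://news.example/home?v=2.0
"""

VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")          # e.g. 18.0.0.160, 11.0
RANDOM_PATH_RE = re.compile(r"/[A-Za-z0-9]{8,}/[A-Za-z0-9]{6,}\.dat$")
WINDOW = timedelta(seconds=30)  # how long after the first redirect we keep looking


def parse_line(line):
    ts, client, status, url = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "status": int(status), "url": url, "host": urlsplit(url).hostname}


def has_version_fingerprint(url):
    """True if any query parameter value looks like a version number."""
    qs = parse_qs(urlsplit(url).query)
    return any(VERSION_RE.match(v) for vals in qs.values() for v in vals)


def looks_like_payload(url):
    """True for a .dat file under long random-looking path components."""
    return RANDOM_PATH_RE.search(urlsplit(url).path) is not None


def analyse(log_text, min_chain=3):
    """Return one finding per client whose traffic shows a redirect chain across
    at least `min_chain` distinct hosts within WINDOW, followed by a version
    fingerprint and/or a .dat payload fetch. Redirects on a single host never
    form a chain, so ordinary login bounces are not reported."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            per_client[r["client"]].append(r)
    findings = {}
    for client, reqs in per_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(reqs):
            if start["status"] // 100 != 3:
                continue
            chain_hosts, j = set(), i
            while (j < len(reqs) and reqs[j]["status"] // 100 == 3
                   and reqs[j]["ts"] - start["ts"] <= WINDOW):
                chain_hosts.add(reqs[j]["host"])
                j += 1
            if len(chain_hosts) < min_chain:
                continue
            tail = [x for x in reqs[j:] if x["ts"] - start["ts"] <= WINDOW]
            indicators = []
            if any(has_version_fingerprint(x["url"]) for x in tail):
                indicators.append("version_fingerprint")
            if any(looks_like_payload(x["url"]) for x in tail):
                indicators.append("dat_payload")
            if indicators:
                findings[client] = {"chain_hosts": sorted(chain_hosts),
                                    "indicators": indicators}
                break
    return findings


if __name__ == "__main__":
    for client, finding in analyse(SAMPLE_LOG).items():
        print(client, finding)
```

On the constructed log only the first client is reported, with both indicators present; the second client's single-host redirect is ignored. In practice the two path and version patterns are the brittle part (they are exactly what a kit operator changes between campaigns), while the multi-host redirect chain feeding a first-seen landing host is the more durable behaviour to alert on.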


This posting does not necessarily represent Splunk's position, strategies or opinion.

Posted by Muhammad Raza

Muhammad Raza is a technology writer who specializes in cybersecurity, software development and machine learning and AI.