Kaspersky: Magnitude EK evolves to exploit a vulnerability, targeting Asia Pacific countries to deliver ransomware

July 1, 2020

Cybercriminals constantly keep evolving and introducing new and sophisticated versions of various threats targeted at consumers and businesses.

One such evolving threat is the exploit kit. Over the past 12 months Kaspersky researchers have tracked the rise of a sophisticated exploit kit known as Magnitude EK, which has been constantly evolving and targeting Asia Pacific (APAC) countries to deliver ransomware via malvertising, the spread of malware through online advertisements.

Magnitude EK is one of the longest-standing exploit kits. It was on offer in underground forums from 2013 and later became a private exploit kit. In February 2020, Magnitude EK switched to an exploit for the more recent vulnerability CVE-2019-1367 in Internet Explorer, an outdated web browser; the vulnerability was originally discovered being exploited in the wild as a zero-day. Kaspersky’s statistics show that this campaign continues to target APAC countries to this day, and throughout the last year Magnitude EK was always seen using its own ransomware as the final payload.

Like the majority of exploit kits out there, in 2019 Magnitude EK used CVE-2018-8174. However, the attackers behind Magnitude EK were one of the first to adopt the much newer vulnerability CVE-2019-1367 and they have been using it as their primary exploit since February 11, 2020.

Magnitude EK uses its own ransomware as its final payload. The ransomware ships with a temporary encryption key and a list of domain names, both of which the attackers change frequently. Files are encrypted using the Microsoft CryptoAPI with the Microsoft Enhanced RSA and AES Cryptographic Provider (PROV_RSA_AES). The ransomware does not encrypt files located in common folders such as documents and settings, app data, local settings, sample music, tor browser, etc. Before encryption, each file's extension is checked against a hash table of allowed file extensions containing 715 entries; only files whose extension is in the table are encrypted. A ransom note is left in each folder containing encrypted files, and at the end a notepad.exe process is created to display the ransom note. After encryption the ransomware also attempts to delete backups of the files.
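To make the file-selection logic described above concrete, here is an added Python illustration. It is not Kaspersky's code and not the ransomware's: the excluded directory names are the ones the release lists (with "app data" also matched as "appdata", an assumption about spelling), the extension allow-list is a small constructed stand-in for the 715-entry hash table, and the file listing is constructed. It shows the two filters applied in order (directory exclusion, then a hash-table lookup on the extension) and which directories would receive a ransom note as a result.

```python
from pathlib import PureWindowsPath
from typing import Iterable

# Folder names the release says are skipped, matched case-insensitively
# against each directory component of a path. "appdata" is added as an
# assumed spelling of "app data"; the real list is longer than this.
EXCLUDED_DIRS = frozenset({
    "documents and settings", "app data", "appdata", "local settings",
    "sample music", "tor browser",
})

# Constructed stand-in for the 715-entry allow-list. A frozenset is the
# same idea as the hash table the release describes: O(1) membership test.
ALLOWED_EXTENSIONS = frozenset({
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "png", "txt", "zip",
})


def is_excluded(path: str) -> bool:
    """True if any directory component of the path is on the exclusion list."""
    parts = PureWindowsPath(path).parts
    return any(component.lower() in EXCLUDED_DIRS for component in parts[:-1])


def extension_allowed(path: str) -> bool:
    """True if the file's extension is in the allow-list (no extension -> False)."""
    name = PureWindowsPath(path).name
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def select_targets(listing: Iterable[str]) -> list[str]:
    """Apply the directory filter first, then the extension lookup, preserving order."""
    return [p for p in listing if not is_excluded(p) and extension_allowed(p)]


def note_directories(targets: Iterable[str]) -> set[str]:
    """Directories that would each receive a ransom note: every parent of a target file."""
    return {str(PureWindowsPath(p).parent) for p in targets}


# Constructed file listing covering each branch of the logic.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",            # encrypted
    r"C:\Users\alice\Documents\budget.xlsx",            # encrypted
    r"C:\Users\alice\Pictures\holiday.jpg",             # encrypted
    r"C:\Users\alice\AppData\Local\Temp\cache.tmp",     # excluded dir, extension not allowed
    r"C:\Users\alice\AppData\Roaming\notes.txt",        # excluded dir, even though .txt is allowed
    r"C:\Users\alice\Desktop\Tor Browser\Browser\readme.txt",  # excluded dir (tor browser)
    r"C:\Users\Public\Music\Sample Music\track.mp3",    # excluded dir
    r"C:\Windows\System32\kernel32.dll",                # extension not in allow-list
    r"C:\Users\alice\Downloads\archive.zip",            # encrypted
    r"C:\Users\alice\Downloads\Makefile",               # no extension -> skipped
]


if __name__ == "__main__":
    targets = select_targets(SAMPLE_LISTING)
    print("files that would be encrypted:")
    for t in targets:
        print("  ", t)
    print("folders that would receive a ransom note:")
    for d in sorted(note_directories(targets)):
        print("  ", d)
```

The ordering matters for defenders: a file whose extension is on the allow-list is still untouched when it sits under an excluded folder (notes.txt under AppData above), which is why the release lists the folder exclusions separately from the extension table.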

Example of Magnitude EK ransom note

“With the levels of sophistication used by cybercriminals today, it becomes an arduous task to catch up with the evolving threat landscape. Zero-day vulnerabilities are very risky for businesses, critical infrastructures, government and financial institutions and consumers who are availing themselves of the exposed browser or networks. Regularly updating the operating systems and software in our devices is a cardinal step to be followed. In addition to this, alertness and awareness by people also help greatly in terms of detecting a vulnerability and patching it in order to mitigate the risks of a zero-day vulnerability before it is exploited by the cybercriminals,” explained Mr. Dipesh Kaura, General Manager for South Asia, Kaspersky.

“Storing back-ups of important data is a basic step that needs to be taken, especially by enterprises and government institutions, in order to fight against attacks like ransomware,” added Mr. Kaura.

“The implementation of the Magnitude EK technique in its latest variant was an interesting discovery. We observed that the exploit kit used the elevation of privilege exploit, which was initially difficult to recognize. Although exploit kits may be less rampant today, they prove to be actively maintained and ever-evolving, which remains a threat to users,” said Boris Larin, Senior Security Researcher, Russia, Kaspersky.

Although attacks by exploit kits have decreased over the years, they still exist, are still active, and still pose a threat. Magnitude is not the only active exploit kit, and other exploit kits are also switching to newer browser exploits.

To stay safe from such attacks, Kaspersky recommends the following:

  • Regularly install security updates
  • Migrate to a newer operating system (and stay up to date with Windows 10 builds)
  • Use a reliable security solution like Kaspersky Internet Security, which employs a technology known as Automatic Exploit Prevention that uses information about the most typical behaviour of known exploits to help prevent infection even when a previously unknown zero-day vulnerability is exploited.

The detailed report is available at Securelist.com

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
