Kaspersky Lab researcher Boris Larin spent a year studying the evolution of Magnitude, one of the oldest and most advanced exploit kits. It turned out that the kit is still actively maintained and under constant development.
Exploit kits are not as widespread today as they once were. The researcher explains that in the past they relied mainly on already patched vulnerabilities, but newer, more secure browsers with automatic updates simply no longer leave known vulnerabilities open for long. Attackers also used to exploit numerous Adobe Flash bugs, but Flash is now disabled by default in all browsers, has largely been supplanted by open standards such as HTML5, WebGL and WebAssembly, and will lose support entirely by the end of 2020.
The decline of Adobe Flash coincided with a decline in the number of exploit kits. They did not disappear completely, however; they adapted and shifted their focus to Internet Explorer users who have not installed the latest security updates. Oddly enough, Internet Explorer remains a relatively popular browser: according to NetMarketShare, as of April 2020 it was used on 5.45% of desktop computers (for comparison, Firefox had 7.25%, Safari 3.94% and Edge 7.76%).
As a result, exploit kits still play a significant role in the modern threat landscape and continue to evolve. After observing Magnitude for a year, Larin came to the following conclusions:
- Magnitude continues to deliver ransomware to countries in the Asia-Pacific region (APAC) through malvertising;
- in February of this year, the authors of Magnitude switched to using an exploit for the more recent vulnerability CVE-2019-1367 in Internet Explorer (originally discovered as a zero-day vulnerability);
- Magnitude uses a previously unknown privilege-escalation exploit for CVE-2018-8641, developed by a well-known exploit author.
Like most exploit kits in existence, in 2019 Magnitude used the vulnerability CVE-2018-8174 in the VBScript engine of Internet Explorer. However, the attackers behind Magnitude were among the first to switch to the more recent CVE-2019-1367, and since February 11, 2020 the exploit for it has been their primary one.
As with CVE-2018-8174, the attackers did not write their own exploit for CVE-2019-1367; instead they took the original zero-day exploit as a basis and modified it, adding their own shellcode and obfuscation.
The privilege-escalation exploit used by Magnitude is also of interest. The researcher did not immediately recognize it as anything previously known. It exploited a vulnerability in the win32k kernel driver, and closer analysis showed that the bug had been fixed in December 2018. According to Microsoft, only two win32k privilege-escalation vulnerabilities were fixed in that period: CVE-2018-8639 and CVE-2018-8641.
Microsoft had previously shared more detailed information about CVE-2018-8639 with researchers, which allowed the conclusion that the discovered exploit targets CVE-2018-8641.
The code of this exploit also turned out to share significant similarities with another zero-day exploit, the one for CVE-2019-0859. Based on this similarity, the researchers attribute the exploit to a prolific exploit writer known as Volodya, Volodimir or BuggiCorp, who is known for selling zero-day exploits to both APT groups and individual criminals.
In the past, Volodya advertised his services on exploit(.)in, the same underground forum where the Magnitude exploit kit was once advertised. It is not currently known whether the CVE-2018-8641 exploit was originally used as a zero-day or was developed as a 1-day exploit (by diffing the vulnerable and patched versions). Notably, a public exploit for CVE-2018-8641 also exists, but it is incorrectly attributed to CVE-2018-8639 and exploits the vulnerability in a different way; in other words, there are two completely different exploits for the same bug.
Magnitude still uses its own ransomware as the final payload (apparently Magniber). The ransomware ships with a temporary encryption key and a list of domain names that the attackers change frequently. Files are encrypted using Microsoft CryptoAPI via the Microsoft Enhanced RSA and AES Cryptographic Provider (PROV_RSA_AES). Over the observation period, the core of the malware did not change significantly.
The researcher concludes that exploit kits remain active and pose a serious threat, as they are moving to newer exploits for Internet Explorer. Experts therefore reiterate the need to install security updates promptly and advise against using Internet Explorer as a browser.