The following table (from contagiodump ) keeps trace of most of the known exploit kits out there within relatives exploited vulnerabilities.
|Click to Enlarge, credits to Contagio Data|
As you might appreciate from the Sally’s work many vulnerabilities are covered by most of the exploit kits but not all, so depending on the administration console (which almost every EK gives to attackers) and, most important, on the target system, the attacker could choose between several EKs. While several exploits kits are available nowadays only a subset of them are mostly used. As described in this post from from MalwareBytes the most used EKs are represented in the following picture.
|Exploit Kits from MalwareBytes analysis.|
Now you would probably know how the EK infection process works, well a nice work made by TrendMicro explains in a simple view the 4 stage infection chain.
|4 stage EKs infection chain by TrendMicro|
Contact is the beginning of infection, where an attacker attempts to make people access the link of an exploit kit server. Contact is often done through spammed email, wherein recipients are tricked into clicking a link through social engineering lures.
Traffic redirection system refers to the capacity with which the exploit kit operator can screen through victims based on certain condition sets. This is done through a traffic direct system, such as SutraTDS or KeitaroTDS, for aggregating and filtering redirect traffic before accessing the exploit kit server.
Once users are successfully tricked into clicking the link of an exploit kit server in the contact stage and filtered in the redirect stage, they will be directed to the exploit kit’s landing page. The landing page is responsible for profiling client environment and in determining which vulnerabilities should be used in the ensuing attack.
According to TrendMicro research (except for SweetOrange) I do observe the following EK in almost the same score position in my current Cyber Attack detections
|Most used Exploit Kits|
As Malware does, ExploitKits are in continuous development conditions and day by day we observe different variants and improved evasion techniques as well as exploits integrations. Be aware that those kits made really simple (well, I didn’t say easy) Malware propagation so watch out your apps !