Terror was first detected in early December 2016 by researchers at Trustwave and Malwarebytes. It is poorly assembled, hosting its landing pages and exploits on the same server. This exploit kit (EK) delivers every exploit package to every user who visits its landing pages, a technique known as "carpet bombing," instead of using filters to target only vulnerable users.
DNSChanger EK, first discovered by researchers at Proofpoint, is used to take control of small office and home routers and change their settings. In 2015, DNSChanger used cross-site request forgery (CSRF) attacks to hijack routers.
Stegano Exploit Kit (EK), also referred to as "Astrum," was discovered by ESET researchers in October 2016. It targeted users in Canada, Britain, Australia, Italy, and Spain, countries likely chosen based on the advertising networks the perpetrators were able to abuse.
RIG was discovered in 2014 and remains one of the most active exploit kits today. In February 2015, a security researcher from MalwareTech reported that an underground reseller had leaked RIG's source code after being banned from a hacker forum for trying to scam customers.
Bizarro Sundown is a newer exploit kit (EK) built on the Sundown EK. Bizarro Sundown shares many of the same features as the Sundown EK, with the addition of anti-analysis capabilities.
Neutrino was discovered in 2012 and remains active, exploiting vulnerabilities in all Java versions at least up to Java 7 Update 11. When it finds a vulnerable target, Neutrino downloads a ransomware variant onto the victim's machine. It features a user-friendly control panel, continuously monitors the status of any antivirus software present, filters network traffic, and encrypts stolen information before sending it back to the server.
Angler is one of the most sophisticated EKs used by cybercriminals today and was first observed in 2013. Angler uses malvertising to direct users to its servers and is known to exploit Adobe Flash Player, Internet Explorer, Microsoft Silverlight, Java, and ActiveX. Angler infects users with ransomware and point-of-sale (PoS) malware.
Blackhole was a very popular and widely preferred exploit kit from about 2010 until October 2013, when its alleged creator, Paunch, was arrested in Russia. Since his arrest, Blackhole EK has sharply declined in use and popularity because its modules have not been updated with exploits for new vulnerabilities.
Fiesta was first released in 2008 and gained popularity with the decline of Blackhole EK. Fiesta was developed to deliver crypto-ransomware and fake antivirus malware payloads to its victims. It exploits vulnerabilities in Flash, Internet Explorer, Adobe Acrobat Reader, and Microsoft Silverlight, and it can terminate running processes and disable common system tools to make detection and removal more difficult. Two-thirds of Fiesta-related traffic occurred in three countries: the United States, Japan, and Australia.
Nuclear dates back to 2009 and remains one of the most widely used EKs. It exploits vulnerabilities in ActiveX, Flash, Internet Explorer, Java, PDF readers, and Silverlight, and it disseminates malware and ransomware. Nuclear can detect whether antivirus software is running and, if it finds any, terminates the associated process along with the antivirus driver files.
Sweet Orange emerged in 2012 to fill the void left by the Blackhole EK after its author was arrested, and it quickly rose in popularity among cybercriminals. Sweet Orange contains many of the same features as other variants, including a database that records a list of successful infections, statistics about the various exploits currently in use, and regular malware updating.