Posts in Exploit Kit Variants
Disdain

An exploit kit advertised on dark web hacking forums for rent on a daily, weekly, or monthly basis for $80, $500, and $1,400, respectively. It contains newer exploits to target Microsoft Internet Explorer, Adobe Flash Player, Mozilla Firefox, and Microsoft Edge.

Read More
Terror

Terror was first detected in early December 2016 by researchers at Trustwave and Malwarebytes. It is poorly assembled, hosting its landing pages and exploits on the same server. This exploit kit (EK) delivers all exploit packages to all users that visit the landing pages, a technique known as “carpet bombing,” instead of using filters to only target vulnerable users.

Read More
DNSChanger

DNSChanger EK, first documented by researchers at Proofpoint, is used to take control of small office and home office (SOHO) routers and change their settings, in particular the DNS servers they hand to every device behind them, so the attacker can redirect all of that traffic. In 2015, DNSChanger hijacked routers with cross-site request forgery (CSRF) attacks: a malicious web page visited from inside the LAN makes the victim's browser submit configuration requests to the router on the attacker's behalf.

Read More
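The CSRF weakness the DNSChanger entry describes comes down to a router admin handler that trusts the browser's session cookie alone. The following is an added example, not code from this page, from Proofpoint's analysis, or from any router vendor; it puts a vulnerable settings handler beside a hardened one and drives both with a legitimate admin request and a forged one. The router address, form field names, handler names and DNS addresses are assumptions made for the illustration.

```python
# Added example: a CSRF-vulnerable router settings handler beside a hardened one.
# Illustrative code only; not DNSChanger's code or any vendor's firmware.
# The router origin, field names, handler names and addresses are assumptions.
import hmac
import secrets
from dataclasses import dataclass

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the admin interface


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the router's web UI sees it."""
    method: str
    headers: dict
    form: dict
    cookies: dict


class RouterAdmin:
    def __init__(self):
        self.dns_servers = ["9.9.9.9"]  # constructed starting configuration
        self.sessions = {}              # session id -> per-session CSRF token

    def login(self):
        """Simulate the admin logging in; returns the session cookie value."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]

    def _authenticated(self, req):
        return req.cookies.get("sid") in self.sessions

    def set_dns_vulnerable(self, req):
        """Trusts the session cookie alone. The browser attaches that cookie to
        any request aimed at the router, including a form auto-submitted by a
        malicious page, which is what a CSRF router hijack relies on."""
        if not self._authenticated(req):
            return 401
        self.dns_servers = req.form["dns"].split(",")
        return 200

    def set_dns_hardened(self, req):
        """Requires a POST from the router's own origin carrying the session's
        CSRF token. A cross-site page cannot read the token (same-origin
        policy) and cannot forge the browser-set Origin header."""
        if not self._authenticated(req):
            return 401
        if req.method != "POST":
            return 405
        if req.headers.get("Origin", "") != ROUTER_ORIGIN:
            return 403
        expected = self.sessions[req.cookies["sid"]]
        supplied = req.form.get("csrf", "")
        if not hmac.compare_digest(supplied, expected):  # constant-time compare
            return 403
        self.dns_servers = req.form["dns"].split(",")
        return 200


def simulate(handler_name):
    """Run one handler against a legitimate admin request, then against a
    forged request from a malicious page the admin later visits."""
    router = RouterAdmin()
    sid = router.login()
    handler = getattr(router, handler_name)

    legit = Request(
        method="POST",
        headers={"Origin": ROUTER_ORIGIN},
        form={"dns": "9.9.9.9,149.112.112.112", "csrf": router.csrf_token(sid)},
        cookies={"sid": sid},
    )
    # Constructed forged request: the attacker's page auto-submits a form to the
    # router; the browser adds the admin's cookie but sets Origin to the attacker's site.
    forged = Request(
        method="POST",
        headers={"Origin": "http://malicious.example"},
        form={"dns": "203.0.113.53"},  # attacker-controlled resolver (documentation address)
        cookies={"sid": sid},
    )
    return {
        "legit_status": handler(legit),
        "forged_status": handler(forged),
        "dns_after": list(router.dns_servers),
    }


if __name__ == "__main__":
    for name in ("set_dns_vulnerable", "set_dns_hardened"):
        print(name, simulate(name))
```

Against the vulnerable handler the forged request succeeds and the router's resolver becomes the attacker's address; against the hardened one it is rejected with 403 and the configuration is unchanged. Marking the session cookie SameSite=Lax or Strict adds a browser-side layer, and the practitioner's check is to compare the DNS servers a router actually hands out over DHCP against the ones that were configured.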
Stegano

Stegano Exploit Kit (EK), also referred to as "Astrum," was reported by ESET researchers in December 2016 after running since at least October 2016. It targeted users in Canada, Britain, Australia, Italy, and Spain, a selection likely driven by the advertising networks the perpetrators were able to abuse.

Read More
RIG

RIG was discovered in 2014 and remains one of the most active exploit kits today. In February 2015, a security researcher from MalwareTech reported that an underground reseller leaked RIG's source code after being banned from a hacker forum for trying to scam customers.

Read More
Sundown

Sundown exploit kit (EK), also known as Beta, is not as sophisticated as other EKs and was not active in the first half of 2016 until reports spiked in early July, following the sudden drop-off in Angler and Nuclear EK activity.

Read More
Bizarro Sundown

Bizarro Sundown is an exploit kit (EK) built on the Sundown EK. It shares most of Sundown's features and adds anti-analysis capabilities.

Read More
Floki Bot

Floki Bot, a banking trojan built on leaked Zeus source code rather than an exploit kit in the strict sense, was discovered in September 2016 being advertised for $1,000 on a hacker forum. According to its developer, Floki Bot was designed to be multipurpose and to bypass antivirus protection.

Read More
Neutrino

Neutrino was discovered in 2012 and remains active, exploiting vulnerabilities in Java versions up to at least Java 7 Update 11. When it finds a vulnerable target, Neutrino downloads a ransomware variant onto the victim's machine. It features a user-friendly control panel, continuously monitors the status of any antivirus software present, filters network traffic, and encrypts stolen information before sending it back to the server.

Read More
Angler

Angler, first observed in 2013, was one of the most sophisticated EKs used by cybercriminals until its activity dropped off in mid-2016. Angler uses malvertising to direct users to its servers, and is known to exploit Adobe Flash Player, Internet Explorer, Microsoft Silverlight, Java, and ActiveX controls. Angler infects users with ransomware and point-of-sale (PoS) malware.

Read More
Blackhole

Blackhole was the most popular exploit kit from about 2010 until October 2013, when its alleged creator, known as Paunch, was arrested in Russia. Since the arrest, Blackhole's use has declined sharply because its modules were no longer updated with exploits for new vulnerabilities.

Read More
Fiesta

Fiesta was first released in 2008 and gained popularity with the decline of Blackhole EK. Fiesta was developed to deliver crypto-ransomware and fake antivirus malware payloads, and it exploits vulnerabilities in Flash, Internet Explorer, Adobe Acrobat Reader, and Microsoft Silverlight. It can terminate running processes and disable common system tools to make detection and removal more difficult. Two-thirds of Fiesta-related traffic was observed in three countries: the United States, Japan, and Australia.

Read More
Magnitude

Magnitude made itself known in October 2013 when it breached the servers of PHP.net, the website of the popular scripting language, and redirected the site's visitors to its landing page through a compromised JavaScript file. It then exploited vulnerabilities in Java and Flash to deliver payloads such as Zeus, Andromeda, Necurs, Zusy, and Ngrbot. Magnitude was later used in attacks against Yahoo and WordPress website users.

Read More
Nuclear

Nuclear dates back to 2009 and was one of the most widely used EKs until its activity dropped off in 2016. It exploits vulnerabilities in ActiveX, Flash, Internet Explorer, Java, PDF readers, and Silverlight, and disseminates malware and ransomware. Nuclear can detect whether antivirus software is running and, if it is, terminates the associated process and deletes antivirus driver files.

Read More
Sweet Orange

Sweet Orange emerged in 2012 and rose quickly in popularity among cybercriminals after the arrest of Blackhole's author in October 2013 left a void to fill. Sweet Orange contains many of the same features as other variants, including a database that records successful infections, statistics on the current exploits, and regular updating of the delivered malware.

Read More