Two newcomers in the exploit kit market

Exploit kits are a great means to an end for malware distributors, who either buy them or rent them in order to widely disseminate their malicious wares. It’s no wonder then that unscrupulous developers are always trying to enter the market currently cornered by Angler, Nuclear, FlashEK, Fiesta, SweetOrange, and others popular exploit kits.

This year we witnessed attempts from developers behind the Rig, Null Hole and Niteris exploit kits, as well as those who started Astrum and Archie.

The former has been first spotted in September by the researcher that goes by the handle Kafeine. It also piqued the interest of Finnish security firm F-Secure, as it hit a considerable number of Finnish users:

A new favorite with the Reveton gang, Astrum was initially equipped with exploits for several Flash, Silverlight, IE and Adobe Reader vulnerabilities. In mid October, an exploit for a newly discovered Flash flaw was also added (in the Angler and Nuclear exploit kits, as well).

It uses obfuscation techniques in its landing pages to hide code that detects analyst tools such as virtual machines, and Kaspersky’s security solution.

The development of the Archie exploit kit followed a natural progression of added on improvements.

Outfitted with exploit code copied from Metasploit modules, it first popped up in July when it targeted a single Flash flow. Less then a month later, it sported exploits for Silverlight and Internet Explorer, as well. Finally, in November, it received two new exploits for Flash and IE.

It’s earliest landing pages were easily spotted, but later URL patterns for the landing pages became more complex and less obviousl, and checks for antivirus and VMware files were added to the kit.

It has mostly been used to target US-based users with a “clicker” Trojan: a type of malware that hides in the affected system and tries to connect to specific websites, usually on a regular basis, in order to artificially boost the number of visitors.