Talos is monitoring the major Exploit Kits(EK) on an ongoing basis. While investigating the changes we recently observed in the RIG EK campaigns, we identified another well known candidate: Terror Exploit Kit.
Terror EK is one of the new players who showed up after the big Exploit Kit market consolidation last year. When Angler and friends disappeared new EKs started to try their luck. Many of them were far from Angler’s quality. One of these was Terror EK which appeared end of last year. It started with a very simple version,carpet bombing the victims with many exploits at the same time, no matter if the exploit matched the victim’s browser environment or not. Unfortunately, they improved the kit step by step and we saw a fast evolution up to the latest version analysed in this report.
We identified a potentially compromised legitimate web site acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later.
This may indicate how these campaigns collaborate and share resources, or possibly one campaign pirating another. Terror seems to constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim’s environment and then picks potentially successful exploits depending on the victim’s operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.
It is interesting to note that the adversaries are using an URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.