Capesand EK attacking IE, Flash vulnerabilities

The new Capesand exploit kit, possibly derived from an older EK, has been found being used to take advantage of Internet Explorer and Adobe Flash vulnerabilities.

Trend Micro’s Elliot Cao, Joseph C. Chen and William Gamazo Sanchez came across Capesand while tracking a campaign that was using the Rig EK to deliver the DarkRAT and njRAT malware. During this process the trio saw the malicious actors switch from Rig to a new and unfamiliar kit. Further digging turned up the EK’s control panel, which carried the name Capesand, and the researchers realized that the panel was directly serving the EK’s source code.

Capesand exploit kit’s code is quite simple compared with other kits. Almost all of Capesand’s functions reuse open-source code, including the exploits, obfuscation, and packing techniques. The researchers’ further monitoring revealed that its users are actively using it despite its seemingly unfinished state.

One clue leading the investigators to believe Capesand is derivative in some way was its source code, which was found to have many similarities with an older EK named Demon Hunter. The updated source code can exploit newer vulnerabilities, including, but not limited to, the Adobe Flash flaw CVE-2018-4878 and the Microsoft Internet Explorer scripting engine flaws CVE-2018-8174 and CVE-2019-0752.

The EK is deployed through a malvertisement fronted by a blog written about blockchain. Once the victim clicks on the ad, Capesand sends a request to the API of its server and requests the exploit payload. The request carries the exploit name, the exploit URL from the kit’s configuration, the victim’s IP address and the browser user-agent.

“After successful exploitation via Capesand, the first stage will download mess.exe and attempt to exploit CVE-2018-8120 to escalate privileges and then execute njcrypt.exe. The njcrypt binary is a multilayer obfuscated .NET application where the obfuscation is done using publicly known tools,” the report stated.
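The post-exploitation chain above (browser process, first-stage mess.exe, privilege escalation, njcrypt.exe) is the kind of parent-child sequence an endpoint detection can key on. The following is an added example written for this page, not Trend Micro’s tooling: it walks constructed Sysmon-style process-creation records (the field names and the sample paths are assumptions), flags the two stage names reported above as known indicators, and separately flags any executable launched from a temp directory underneath a browser, since the file names are trivially changed by the operators while the ancestry pattern is harder to hide.

```python
"""Process-ancestry detection for an EK infection chain (added example).

The events below are constructed to resemble Sysmon Event ID 1 (process
creation) fields. Field names, PIDs and paths are assumptions for this page.
"""

# File names reported for the Capesand chain; weak IOCs on their own.
WATCHED_IMAGES = {"mess.exe", "njcrypt.exe"}
# Processes whose descendants should not normally be dropping executables.
BROWSERS = {"iexplore.exe"}
# Lower-cased path fragments that mark a user- or system-writable temp dir.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample log: explorer -> IE broker -> IE content process ->
# mess.exe -> njcrypt.exe, plus a benign notepad and an unknown temp binary.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"ProcessId": 201, "ParentProcessId": 200,
     "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"},
    {"ProcessId": 300, "ParentProcessId": 201,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\mess.exe"},
    {"ProcessId": 301, "ParentProcessId": 300,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\njcrypt.exe"},
    {"ProcessId": 400, "ParentProcessId": 100,
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"ProcessId": 401, "ParentProcessId": 201,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\update_helper.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image basenames from the given process up to the root (child first).

    The `seen` set stops the walk if PID reuse ever produces a cycle.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(basename(event["Image"]))
        pid = event["ParentProcessId"]
    return chain


def detect(events):
    """Return one alert per suspicious process, in event order.

    Rule 1: image name is one of the reported stage names (any ancestry).
    Rule 2: an executable in a temp directory has a browser as an ancestor.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for event in events:
        chain = ancestry(by_pid, event["ProcessId"])
        image = chain[0]
        path = event["Image"].lower()
        under_browser = any(anc in BROWSERS for anc in chain[1:])
        if image in WATCHED_IMAGES:
            reason = "known Capesand stage name"
        elif under_browser and any(d in path for d in TEMP_DIRS):
            reason = "executable launched from temp dir under browser"
        else:
            continue
        alerts.append({
            "pid": event["ProcessId"],
            "image": image,
            "under_browser": under_browser,
            "chain": " <- ".join(chain),
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['reason']}] pid={alert['pid']} {alert['chain']}")
```

Rule 2 is the one worth keeping after the operators rename their droppers; tune TEMP_DIRS and BROWSERS to the environment, and expect to add an allowlist for legitimate updaters that launch from temp.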

The researchers believe Capesand is still being developed and is evolving in a direction that may allow it to distribute malicious landing pages through mirrored versions of the legitimate site by using typosquatting.
