The Terror Exploit Kit is rapidly evolving, no longer bombarding victims with multiple exploits in scattershot fashion, but rather applying only the hacking tools that work best against a specific compromised machine, according to research from Cisco's Talos threat intelligence team.
Talos researchers observed the change in the kit's tactics after spotting a potentially compromised legitimate website that initially redirected visitors to a RIG EK landing page, before switching to a Terror EK landing page one day later. Analysis of this particular campaign, which infected victims with the Terdot.A/Zloader malware downloader, revealed changes to the EK's exploit repertoire and tactics.
"[Terror] has added further exploits and no longer carpet bombs the victim," Talos stated in a blog post published on Thursday. "Instead, it evaluates data regarding the victim's environment and then picks potentially successful exploits depending on the victim's operating system, patch level, browser version, and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have."
Leveraging the Microsoft Internet Explorer 6-10 vulnerability CVE-2013-2551 – an integer overflow in the browser's VML implementation, patched in MS13-037, that a specially crafted web page can use to remotely execute code – the exploit page uses obfuscated JavaScript code to probe a victim's machine and learn more about its environment, Talos reports. This includes version information about browser plug-ins for ActiveX, Flash, PDF reader, Java, Silverlight, QuickTime, and other programs.
Based on what it discovers, the malicious site delivers relevant exploits that will capitalize on the affected computer's vulnerabilities.
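As an added illustration of the targeting logic described above, the following Node-runnable JavaScript turns a browser fingerprint into the short list of exploits worth serving, instead of firing everything the kit has. This is constructed example code, not Terror EK's code and not anything published by Talos. Only the CVE-2013-2551 entry and its Internet Explorer 6-10 range come from the article; the plugin catalogue entries, their version bounds, and the sample fingerprints are hypothetical.

```javascript
// Added example (not Terror EK's code): selecting exploits from a
// browser/plugin fingerprint rather than "carpet bombing" the victim.

// Parse the IE major version out of a user-agent string. IE 6-10 announce
// themselves with "MSIE <n>"; IE 11 switched to "Trident/7.0 ... rv:11.0".
function ieMajorVersion(userAgent) {
  let m = /MSIE (\d+)/.exec(userAgent);
  if (m) return parseInt(m[1], 10);
  m = /Trident\/\d+\.\d+.*rv:(\d+)/.exec(userAgent);
  if (m) return parseInt(m[1], 10);
  return null; // not Internet Explorer at all
}

// Compare dotted numeric version strings: "11.2.202.229" < "11.2.202.231".
// Returns -1, 0 or 1. Missing trailing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Exploit catalogue. Only the CVE-2013-2551 entry (IE 6 through 10) is taken
// from the article; the plugin entries are HYPOTHETICAL placeholders with
// made-up version bounds that stand in for whatever a kit really carries.
const CATALOGUE = [
  { id: 'CVE-2013-2551', target: 'ie', minVersion: 6, maxVersion: 10 },
  { id: 'HYPOTHETICAL-FLASH', target: 'flash', maxVersionExclusive: '11.2.202.231' },
  { id: 'HYPOTHETICAL-SILVERLIGHT', target: 'silverlight', maxVersionExclusive: '5.1.30214.0' },
];

// fingerprint = { userAgent, plugins: { flash: '11.2.202.229', ... } }
// Returns the ids of catalogue entries whose version constraints the
// fingerprint satisfies; entries for absent plugins are skipped.
function selectExploits(fingerprint, catalogue = CATALOGUE) {
  const ie = ieMajorVersion(fingerprint.userAgent);
  const chosen = [];
  for (const e of catalogue) {
    if (e.target === 'ie') {
      if (ie !== null && ie >= e.minVersion && ie <= e.maxVersion) chosen.push(e.id);
      continue;
    }
    const installed = fingerprint.plugins[e.target];
    if (!installed) continue; // plugin not present: nothing to exploit
    if (compareVersions(installed, e.maxVersionExclusive) < 0) chosen.push(e.id);
  }
  return chosen;
}

// Constructed sample fingerprints (not captured data).
const FP_IE8_OLD_FLASH = {
  userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  plugins: { flash: '11.2.202.229' },
};
const FP_IE11_PATCHED = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
  plugins: { flash: '11.2.202.235', silverlight: '5.1.30214.0' },
};
const FP_CHROME_NO_PLUGINS = {
  userAgent: 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/58.0 Safari/537.36',
  plugins: {},
};

console.log('IE8 + old Flash  ->', selectExploits(FP_IE8_OLD_FLASH));
console.log('IE11 + patched   ->', selectExploits(FP_IE11_PATCHED));
console.log('Chrome, no plugins ->', selectExploits(FP_CHROME_NO_PLUGINS));
```

The consequence for an investigator follows directly from the selection step: replaying the landing page from a single browser profile only reveals the subset of exploits that matched that profile, so enumerating a kit's full inventory means replaying it under many different fingerprints (browser versions, plugin versions, plugins present or absent), which is the difficulty the Talos post alludes to.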
"We have seen that the exploit kit market is experiencing an ongoing change," the blog post states. "Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools."