Exploit kit traffic drops by 96% since April, what is happening?

Pierluigi Paganini June 21, 2016

The exploit kit landscape is rapidly changing,the Angler and Nuclear EK disappeared and overall malicious traffic drops by 96% since April.

As highlighted by security experts the threat landscape is in continuous evolution, despite the criminal underground was monopolized by Angler and Nuclear exploit kits for several years other EKs represent a serious threat to online users.

Malicious traffic related to Neutrino and RIG EKs demonstrates the high interest in these crime kits of malware authors. The interesting data that emerges from the observation of exploit kit traffic is its drastic fall, around 96% since early April.

What is happening?

The Necurs botnet, one of the world’s largest malicious architecture used to spread the dreaded threats like Dridex and Locky appears to have vanished since June 1.

The Angler and Nuclear exploit kits seem to be disappeared too, likely due to the hits of the law enforcement to the malware industry. Do not rejoice, I believe that this transitionary moment in which the principal criminal rings are searching for new structures.

The Nuclear EK, the oldest EK in the wild, was observed for the last time at the end of April, but security experts have no specific information regarding the suspension of its activities.

In April 2015, the experts from Check Point published an interesting report on the Nuclear EK and the infrastructure used by its operators, a money machine that was operated by a group of Russian developers led by an individual in Krasnodar, Russia.

What about the Nuclear EK?

According to the experts from Symantec, there is no evidence of the Nuclear’s activity since the first week of May.

“Angler’s disappearance has also prompted a falloff in activity in CryptXXX ransomware (Trojan.Cryptolocker.AN). Angler was one of the main delivery channels for CryptXXX.” reported the analysis published by Symantec. “Angler is not the only exploit kit to recently depart the scene. The well-known Nuclear exploit kit became inactive from the beginning of May. Since this occurred one month earlier, it is unclear if there is any connection with more recent developments.”

Nuclear EK activity Symantec


What’s interesting to note, however, is that a graph published by Proofpoint late last week suggests that Nuclear was still active during the second half of May.

The Angler’s disappearance might be caused by law enforcement activities, including the recent 50 arrests in Russia that were linked to the operations of the Lurk malware.

We read about Angler since June, the most recent news is related to the inclusion of the recent Flash zero-days and improvement of evasion techniques.

According to the experts from Proofpoint, the disappearance of Angler and Nuclear EKs, pushed the adoption of the Neutrino and RIG exploit kits.

“Interestingly, the shift to Neutrino was well underway by the time it was first reported, with Angler traffic dropping off dramatically as early as mid-May, and Nuclear EK affected as well. Angler and Nuclear EK activity has dropped to almost nothing as threat actors moved to instances of the Neutrino exploit kit. Shifting from one exploit kit to another is nothing new and threat actors may even use more than one regularly. However, with the exception of a brief break in January [8], Angler has dominated the EK market for some time, as we explained in the  Threat Summary for January-March,” states the report published by ProofPoint.

exploit kit trends


“By our estimates, Neutrino dropping CryptXXX account for as much as 75% of observed exploit kit traffic, and another 10% combined from Neutrino and Magnitude dropping Cerber ransomware. Most of the remaining 15% of EK traffic is RIG dropping a variety of payloads (banking Trojan, info stealers, loaders) on lower-value malvertising traffic, with various smaller EKs such as Sundown, Kaixin, Hunter and others making up the last 1% of total observed EK traffic,” continues Proofpoint.

Experts from Kaspersky Lab confirmed the above trends highlighting that criminal groups switched to Neutrino and RIG exploit kits.

What will happen in the future?

It is very difficult to say, anyway, cyber criminals have only changed their weapons but they will continue undeterred their illegal activities.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

Security Affairs – (Exploit Kit, Angler EK, Nuclear EK)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment