Pierluigi Paganini November 08, 2019

A recently discovered exploit kit dubbed Capesand is being involved in live attacks despite the fact that it’s still under development.

In October 2019, researchers at TrendMicro discovered a new exploit kit dubbed Capesand that is being involved in live attacks. The tool was discovered while analyzing a malvertising campaign employing the RIG EK to deliver DarkRAT and njRAT. 

Experts pointed out that the code of the Capesand exploit kit is quite simple compared with other exploit kits.

Capesand attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE) and also a 2015 vulnerability for IE. Operators behind the new exploit kit are reusing source code from a publicly shared exploit kit code, experts noticed that the EK is still under development.

“In the middle of October, we found a malvertising campaign using the Rig exploit kit and delivering DarkRAT and njRAT malware. By the end of October, however, we noticed a change in the malvertisement and the redirection was no longer to the Rig exploit kit.” reads the analysis published by Trend Micro. “The cybercriminals shifted to loading an exploit kit we were unfamiliar with. Investigating further led us to a panel provided for this unknown exploit kit to customers. The panel has the name Capesand on it and directly provides the source code of the exploit kit.”

Trend Micro uncovered a malvertising campaign that was delivered from the ad network straight to the victim’s browser, it was appearing as a blog talking about blockchain. 

The analysis of the source code of the page revealed that its content was copied using the website copying tool HTTrack and contains a hidden iframe used to load the exploit kit.

The Capesand panel allows its operators to check the status of exploit kit usage and download frontend source code to deploy on their servers.

“In the case we identified, the campaign deployed it with their fake blockchain malvertisement. While we checked the frontend source code, we found that it looks similar to a very old exploit kit called Demon Hunter, leading us to believe that Capesand is probably derived from it.” continues the analysis.

The list of vulnerabilities exploited by the Capesand EK includes CVE-2018-4878 (Adobe Flash), along with CVE-2018-8174 and CVE-2019-0752 (Internet Explorer).

Another interesting aspect of the Capesand EK is that the exploits are not included in the frontend EK source code package. Experts discovered that Capesand delivers a specific exploit code by requesting it to a server API..

The API request includes the following information on the victims:

• Requested exploit name
• Exploit URL in configuration
• Victim’s IP address
• Victim’s browser user-agent
• Victim’s HTTP referrer

The information is AES encrypted with a pre-generated API key inside a configuration file.

Further investigation allowed the experts to discover a version of Capesand using exploits for the following vulnerabilities:

• CVE-2015-2419 (IE);
• CVE-2018-4878 and CVE-2018-15982 (Adobe Flash)
• CVE-2018-8174 (IE);

“But we did not see the exploit for the newer IE vulnerability CVE-2019-0752 indicated in their source code.” states Trend Micro. “This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the cybercriminals planned to use.”

Experts discovered that crooks are also distributing malicious landing pages via mirrored versions of legitimate websites and use domain names similar to the originals to avoid detection.

“Moreover, the architecture is evolving in the direction of distributing the malicious landing pages via mirrored versions of legitimate websites under domain names similar to the originals’.” concludes the analysis.

“In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms,”

Pierluigi Paganini

(SecurityAffairs – Capesand exploit kit, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]