7 November 2019

New Capesand EK takes advantage of recently discovered Adobe Flash and IE flaws

Trend Micro researchers have discovered a new exploit kit, named Capesand, that attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). The Capesand exploit kit was observed in October during a malvertising campaign distributing the DarkRAT and njRAT trojans. The campaign operators initially relied on the Rig exploit kit to deliver their exploits, but by the end of October had switched to Capesand. While the latter still appears to be in development, it is already being used extensively, the researchers say.

The observed malvertising campaign presented users with a fake blog post about blockchain. The page, a copy of a legitimate site made with the HTTrack website-copying tool, contained a hidden iframe that loaded the Rig exploit kit, which exploited known software vulnerabilities to deliver DarkRAT and njRAT samples. Over the following weeks the iframe changed to load a landing.php page instead, which led to the discovery of a previously unknown exploit kit hosted on the same server.
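The injection technique described above (a cloned page carrying a hidden iframe that pulls in an exploit-kit landing page) is easy to hunt for in saved page copies or proxy captures. The following script is an added example written for this page, not code from Trend Micro or from the Capesand kit: it parses an HTML document with the standard library, collects every iframe, and flags those that are hidden via CSS, sized to zero or one pixel, point at a host other than the page's own, or load a file named landing.php. The sample page, the hostnames ending in .test and the heuristics themselves are constructed for illustration and do not reproduce the real campaign's page or infrastructure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real cloned blog): a fake blockchain post
# with one legitimate embed, one hidden off-site iframe loading landing.php,
# and one zero-sized same-origin iframe. Hostnames are placeholders.
SAMPLE_PAGE = """
<html><head><title>Understanding Blockchain</title></head>
<body>
<h1>Understanding Blockchain</h1>
<p>Blockchain is a distributed ledger shared between many parties.</p>
<iframe src="https://www.example-blog.test/embed/video" width="640" height="360"></iframe>
<iframe src="http://ek-landing.test/landing.php" style="display:none;width:1px;height:1px"></iframe>
<iframe src="/ads/banner.html" width="0" height="0"></iframe>
</body></html>
"""

# CSS fragments that make an element invisible.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# width/height of 0 or 1 pixel set inline in the style attribute.
TINY_STYLE = re.compile(r"(?:^|;)\s*(?:width|height)\s*:\s*[01]px", re.I)


def _is_tiny(value):
    """True when a width/height attribute value is 0 or 1 (drive-by iframes are usually this size)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> tag in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look like exploit-kit injection points.

    page_host is the hostname the page was served from; iframes whose src points
    elsewhere are reported as third-party loads.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        style = attrs.get("style") or ""
        reasons = []
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden via CSS")
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")) or TINY_STYLE.search(style):
            reasons.append("zero/one-pixel size")
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append("third-party host " + host)
        # Strip any query string before comparing the file name.
        if src.rsplit("/", 1)[-1].split("?")[0] == "landing.php":
            reasons.append("src is landing.php")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.example-blog.test"):
        print(src, "->", "; ".join(reasons))
```

A hit with several reasons (hidden, off-site, landing.php) is a strong signal; a single reason such as a zero-sized same-origin iframe is common in ordinary tracking code and should be triaged rather than blocked outright. The file name check is tied to the landing.php name reported for this campaign and would need extending for other kits.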

According to Trend Micro, Capesand is a relatively simple kit that uses freely available open-source code; its obfuscation and packing techniques are likewise based on known tools and methods. Analysis of the Capesand web panel source code showed similarities to the older Demon Hunter exploit kit, suggesting that Capesand is derived from it. The current version of Capesand targets the following vulnerabilities:

CVE-2018-4878 (Adobe Flash)

CVE-2018-15982 (Adobe Flash)

CVE-2018-8174 (Microsoft Internet Explorer)

CVE-2019-0752 (Microsoft Internet Explorer)

CVE-2015-2419 (Microsoft Internet Explorer)

Although CVE-2019-0752 is mentioned in the source code, the exploit for it is not yet implemented, suggesting that the kit is still under development and its creators have yet to fully implement the exploits they intend to use. The researchers also found that the kit's source code does not bundle the actual exploits, as is often the case with other EKs; instead, each time it needs to deliver an exploit it sends a request to the Capesand server's API and receives the requested exploit payload in response.

Once the target system is compromised, Capesand downloads an additional payload that attempts to exploit CVE-2018-8120, a Windows privilege-escalation vulnerability. During this process, one of Capesand's modules checks for the presence of ESET security products in a bid to avoid detection and analysis.

“The Capesand exploit kit is being actively developed and is being used for compromising users even during its development stage. Although it is using known vulnerabilities, its creators ensure that the deployed samples have very low detection rates.”

“Moreover, the architecture is evolving in the direction of distributing the malicious landing pages via mirrored versions of legitimate websites under domain names similar to the originals’. In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms,” the researchers said.

More technical details and Indicators of Compromise (IoCs) related to this threat are available in Trend Micro's blog post.