Trend Micro researchers have discovered a new exploit kit named Capesand that attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). The Capesand exploit pack was observed during a malvertising campaign in October aimed at distributing the DarkRAT and njRAT trojans. Initially, the campaign operators relied on the Rig exploit kit to deliver the exploits, but by the end of October they had switched to Capesand. While the latter still appears to be in development, it is already being used extensively, the researchers say.
The observed malvertising campaign presented users with a fake blog post discussing blockchain. The page, which the attackers had copied from a legitimate site using the HTTrack website copying tool, contained a hidden iframe that loaded the Rig exploit kit, which exploited known vulnerabilities to distribute samples of the DarkRAT and njRAT malware. Over the following weeks, however, the iframe changed to load landing.php, which led to the discovery of a previously unknown exploit kit hosted on the same server.
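The indicator described above, a cloned page carrying a hidden iframe that pulls in an exploit-kit landing page, is easy to hunt for in crawled or proxied HTML. The following scanner is an added example written for this page, not code from Trend Micro or from the Capesand kit: it parses a page with the standard library, flags any iframe that is hidden by size, style or the `hidden` attribute, and notes whether its `src` points off the page's own host (in the campaign above, the landing page sat on the same server as the cloned blog, so off-host is reported as extra context rather than used as the only trigger). The sample HTML and the `.test` hostnames are constructed for illustration.

```python
"""Flag hidden iframes in an HTML page, the pattern used by the malvertising
campaign described above (cloned blog post + invisible iframe to landing.php).

Added example, not code from the Trend Micro write-up or from the exploit kit.
Sample page and hostnames below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make an element invisible: display:none,
# visibility:hidden, or a zero width/height (the trailing lookahead avoids
# matching "0.5em" and similar non-zero values).
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0(?:px)?(?![\d.])",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); boolean attrs have value None
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """True if the iframe is invisible by style, by 0/1-pixel size, or by the
    HTML5 `hidden` boolean attribute."""
    if _HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    for dim in ("width", "height"):
        val = (attrs.get(dim) or "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:   # 1x1 and 0x0 frames
            return True
    return "hidden" in attrs


def suspicious_iframes(html, page_url):
    """Return a list of findings for hidden iframes in `html`.

    Each finding records the iframe src, the host it resolves to (a relative
    src resolves to the page's own host) and whether that host differs from
    the page host. Hidden same-host iframes are still reported, because the
    landing page in the campaign above lived on the same server as the clone.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        if not is_hidden(attrs):
            continue
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or page_host).lower()
        findings.append({"src": src, "host": host, "offsite": host != page_host})
    return findings


# Constructed sample: a cloned blog post with one visible widget iframe and two
# hidden iframes, one relative (same server) and one pointing at another host.
SAMPLE_PAGE = """<html><body>
<h1>Why blockchain matters</h1>
<p>Article text mirrored from the original blog...</p>
<iframe src="https://cdn.example-legit.test/widget" width="300" height="200"></iframe>
<iframe src="landing.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://ads.example-bad.test/landing.php" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_PAGE, "https://blog.example-clone.test/post"):
        print(f)
```

Run against the constructed sample, the scanner reports the two hidden frames (the relative `landing.php` on the clone's own host and the `display:none` frame on another host) and ignores the visible 300x200 widget. In practice you would feed it saved responses from a proxy or crawler and pivot on the flagged `src` values.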
According to Trend Micro, Capesand is a relatively simple kit that relies on freely available open-source code, and its obfuscation and packing techniques are likewise based on known tools and methods. Analysis of the Capesand web panel source code showed similarities to an older exploit pack called Demon Hunter, suggesting that Capesand is derived from it. The current version of Capesand targets the following vulnerabilities:
While CVE-2019-0752 is mentioned in the source code, it is not implemented yet, suggesting that the kit is still under development and that its creators have yet to fully implement the exploits they intend to use. The researchers also found that the kit's source code does not include the actual exploits, as is often the case with other EKs; instead, each time it needs to deliver an exploit, it sends a request to an API on the Capesand server and receives the requested exploit payload in response.
Once the target system is compromised, Capesand downloads an additional payload that attempts to exploit CVE-2018-8120, a privilege escalation vulnerability. During this process, one of Capesand's modules checks for the presence of ESET security products in a bid to evade detection and analysis.
“The Capesand exploit kit is being actively developed and is being used for compromising users even during its development stage. Although it is using known vulnerabilities, its creators ensure that the deployed samples have very low detection rates.”
“Moreover, the architecture is evolving in the direction of distributing the malicious landing pages via mirrored versions of legitimate websites under domain names similar to the originals’. In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms,” the researchers said.
More technical details and Indicators of Compromise (IoCs) related to this threat are available in Trend Micro’s blog post.