A newly discovered exploit kit (EK) is being employed in live attacks despite the fact that it’s still in an unfinished state, Trend Micro’s security researchers reveal.
Dubbed Capesand, the toolkit was discovered in October 2019, when a malvertising campaign employing the RIG EK to drop DarkRAT and njRAT switched to using it for delivery instead.
The new threat attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE), but also targets a 2015 vulnerability in the browser.
Capesand’s authors, the security researchers say, appear to be reusing source code from a publicly shared exploit kit code. In fact, almost all of the toolkit’s functions — this includes exploits, obfuscation, and packing techniques — reuse open-source code.
The malicious advertisements were delivered from the ad network straight to the victim’s browser, posing as a blog discussing blockchain. The page had been copied using the HTTrack website copying tool and contains a hidden iframe to load the exploit kit.
Analysis of the Capesand panel has revealed that it allows threat actors to check the status of exploit kit usage and download frontend source code to deploy on their servers. Code similarities suggest the new threat is derived from the old Demon Hunter EK.