Modus operandi of a typical browser exploit kit On the other hand, the money spent is the cost of ads, infrastructure (renting servers, registering domain names etc.), and the time the attacker spends on developing and maintaining the exploit kit. In this scenario, the money “earned” could be the ransom or mining rewards. ransomware or a coinminer) is deployed to the victim. If the exploitation succeeds, a malicious payload (e.g.
This code can then further profile the victim’s browser environment and select a suitable exploit for that environment. These ads contain JavaScript code that is automatically executed, even when the victim doesn’t interact with the ad in any way (sometimes referred to as drive-by attacks). They buy ads targeted to users who are likely to be vulnerable to their exploits (e.g. To achieve this goal, most modern exploit kits follow a simple formula. Their end goal in developing and maintaining an exploit kit is to make a profit: they just simply want to maximize the difference between money “earned” and money spent. To understand why exploit kit developers might have wanted to test Chromium exploits, let’s first look at things from their perspective. And since we don’t get to see a new Chromium exploit chain in the wild every day, we will also dissect Magnitude’s exploits and share some detailed technical information about them. In this blog post, we would like to offer some thoughts into why that could be the case and why the attackers might have even wanted to develop these exploits in the first place. This is some very good news because it suggests that the Chromium exploit chains were not as successful as the attackers hoped they would be and that it is not currently very profitable for exploit kit developers to target Chromium users.
According to our telemetry, less than 20% of Underminer’s exploitation attempts are targeting Chromium-based browsers. And while Underminer still continues to use these exploits today, its traditional IE exploit chains are doing much better. What’s more, Magnitude seems to have abandoned the Chromium exploit chain. We were waiting for other exploit kits to jump on the bandwagon, but none other did, as far as we can tell. We’ve been monitoring the exploit kit landscape very closely since our discoveries, watching out for any new developments. This is an interesting development since most exploit kits are currently targeting exclusively Internet Explorer, with Chromium staying out of their reach.- Avast Threat Labs October 19, 2021Ībout a month later, we found that the Underminer exploit kit followed suit and developed an exploit for the same Chromium vulnerability. #MagnitudeEK is now stepping up its game by using CVE-2021-21224 and CVE-2021-31956 to exploit Chromium-based browsers.