A newly discovered exploit kit (EK) is being employed in live attacks despite the fact that it’s still in an unfinished state, Trend Micro’s security researchers reveal.
Dubbed Capesand, the toolkit was discovered in October 2019, when a malvertising campaign employing the RIG EK to drop DarkRAT and njRAT switched to using it for delivery instead.
The new threat attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE), but also targets a 2015 vulnerability in the browser.
Capesand’s authors, the security researchers say, appear to be reusing source code from a publicly shared exploit kit. In fact, almost all of the toolkit’s functions, including its exploits, obfuscation, and packing techniques, reuse open-source code.
The malicious advertisements were delivered from the ad network straight to the victim’s browser, posing as a blog discussing blockchain. The page had been copied using the HTTrack website copying tool and contains a hidden iframe to load the exploit kit.