Magnitude Exploit Kit: A peek into one of the Web’s most famous cybercrime kits
- In October 2013, Magnitude made headlines for being used in an attack to compromise PHP.net servers.
- Over the past years, the exploit kit has been found delivering a variety of ransomware such as Cerber, CryptoLocker, and GandCrab in various attack campaigns.
Exploit kits are among the tools most commonly used by cybercriminals. They have become one of the primary methods for distributing malware and infecting users around the world.
One part of the kit targets vulnerable software on the victim's machine, while the other half lets the attackers load malware onto the freshly compromised system. One notorious kit in heavy use among cybercriminals is the Magnitude exploit kit.
The discovery of the Magnitude EK - The Magnitude exploit kit was first discovered in 2013, following the downfall of the Blackhole exploit kit.
The Blackhole exploit kit had been actively used by cybercriminals since its inception in 2010 and was active for nearly three years. After the arrest of its author in October 2013, criminals were on the lookout for a new kit, and Magnitude, a.k.a. PopAds, seemed to fit the bill.
In 2014, Magnitude gained additional public attention for its use in the malvertising attack on Yahoo. Criminals purchased ad space on Yahoo and used the ads to redirect visitors to domains hosting the Magnitude landing page.
Obfuscation capabilities - According to a report from Trustwave, the Magnitude author exploits the reliance of anti-virus products on static analysis to evade detection.
“Just like security products, the Magnitude exploit kit operates on several layers. Most security products use the domain/URL as part of their detection logic, and so Magnitude provides its customers with the ability to load a set of domains that are constantly checked. Magnitude uses the Scan4you anti-virus detection service to scan IP/domains as well as files to make sure commercial anti-virus products cannot detect it,” explained Trustwave researchers.
Other capabilities - Cybercriminals use Magnitude exploit kit for:
- Redirecting traffic to the Gateway Servers: This option filters traffic on several pre-defined criteria such as geo-location, HTTP referrer and language. Traffic that passes the gateway filters is redirected to the Magnitude MD server to be exploited.
- Redirecting traffic directly to the Magnitude MD server: This option is the most compelling for cybercriminals who prefer to filter their traffic with a third-party solution such as a TDS (traffic distribution system) server and then redirect it directly to the MD server.
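The two delivery paths above share one observable trait on the victim side: the browser follows a short run of cross-domain HTTP redirects (ad or compromised page, one or more gateway or TDS hops, then the landing page) within a second or two. The following is an added defender-side example, not code from the article or from any Magnitude analysis, that reconstructs such redirect chains from web-proxy logs and flags chains that cross several distinct hosts. The log format, the field order and every sample line and hostname are constructed for the example; a real deployment would map the parser onto its own proxy's fields.

```python
"""
Redirect-chain reconstruction over web-proxy logs (defender-side example).

Each log line is assumed to carry: client IP, ISO timestamp, requested URL,
HTTP status and the Location response header ("-" when absent). The sample
lines and hostnames below are constructed; the .test TLD is reserved for
examples and never resolves.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: one client follows ad -> gateway -> gateway -> landing
# page, another just follows an ordinary same-site http -> https redirect.
SAMPLE_LOG = """\
10.0.0.5 2019-03-01T10:00:00 http://ads.example-publisher.test/banner 302 http://gw1.example-gateway.test/in?ref=ads
10.0.0.5 2019-03-01T10:00:01 http://gw1.example-gateway.test/in?ref=ads 302 http://gw2.example-gateway.test/go
10.0.0.5 2019-03-01T10:00:01 http://gw2.example-gateway.test/go 302 http://landing.example-ek.test/index.php
10.0.0.5 2019-03-01T10:00:02 http://landing.example-ek.test/index.php 200 -
10.0.0.9 2019-03-01T10:05:00 http://shop.example.test/old 301 https://shop.example.test/new
10.0.0.9 2019-03-01T10:05:00 https://shop.example.test/new 200 -
"""


def parse_log(text):
    """Parse the assumed space-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, url, status, location = line.split(maxsplit=4)
        events.append({
            "client": client,
            "time": datetime.fromisoformat(ts),
            "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return events


def build_chains(events, window=timedelta(seconds=10)):
    """Link each 3xx response to the same client's request for its Location
    target within `window`, yielding one chain per redirect sequence."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    chains = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])  # stable: equal timestamps keep log order
        consumed = set()  # indices already attached to an earlier chain
        for i, start in enumerate(evs):
            if i in consumed or not (300 <= start["status"] < 400 and start["location"]):
                continue
            chain, current, idx = [start], start, i
            while current["location"]:
                nxt = None
                for j in range(idx + 1, len(evs)):
                    cand = evs[j]
                    if (j not in consumed and cand["url"] == current["location"]
                            and cand["time"] - current["time"] <= window):
                        nxt = (j, cand)
                        break
                if nxt is None:
                    break  # target never requested (or outside the window)
                idx, current = nxt
                consumed.add(idx)
                chain.append(current)
            chains.append({"client": client, "hops": chain})
    return chains


def hop_hosts(chain):
    """Ordered list of hostnames visited along a chain."""
    return [urlsplit(h["url"]).hostname for h in chain["hops"]]


def suspicious_chains(chains, min_hosts=3):
    """Flag chains that traverse at least `min_hosts` distinct hostnames;
    same-site redirects (http -> https, old path -> new path) are not flagged."""
    return [c for c in chains if len(set(hop_hosts(c))) >= min_hosts]


def report(text):
    """Return (client, hosts) for every flagged chain in a log text."""
    return [(c["client"], hop_hosts(c)) for c in suspicious_chains(build_chains(parse_log(text)))]


if __name__ == "__main__":
    for client, hosts in report(SAMPLE_LOG):
        print(f"{client}: {' -> '.join(hosts)}")
```

The threshold of three distinct hosts is a starting point, not a rule: legitimate ad networks also chain redirects, so in practice the flagged chains are triaged against the age and reputation of the final host rather than blocked outright, and the window should match how quickly the proxy sees consecutive hops.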
Researchers claim that Magnitude EK will continue to evolve in the coming years, with most of the change expected in the obfuscation techniques the kit uses.