New, Poorly-Made Terror Exploit Kit Drops Monero Cryptocurrency Miner

Share this…

Security researchers from Trustwave and Malwarebytes have come across a new, poorly assembled exploit kit that appears to be the work of a one-man crew.

Named Terror EK, this exploit kit was first detected at the start of December. From the get-go, Terror got Trustwave’s attention due to the generally poor quality of how the exploit kit had been deployed.

Terror EK author appears to have no experience with exploit kits

Unlike almost all other exploit kits, Terror hosted its landing pages and its exploits on the same server, a big no-no in terms of exploit kit operation security.

Furthermore, Terror used an ancient technique known as “carpet bombing” by delivering all exploit packages to all users arriving on the landing pages. This delivery method is considered deprecated, and all exploit kit use filters to select only vulnerable users before deploying exploits.

According to Trustwave, this initial version of Terror used eight different exploits, delivered to all users at the same time from the same page:

  • CVE-2014-6332 – Internet Explorer
  • CVE-2016-0189 – Internet Explorer
  • CVE-2015-5119 – Adobe Flash
  • CVE-2015-5122 – Adobe Flash
  • CVE-2013-1670/CVE-2013-1710 – Firefox
  • CVE-2014-1510/CVE-2014-1511 – Firefox
  • CVE-2014-8636 – Firefox
  • CVE-2015-4495 – Firefox

These initial attacks didn’t last long, and towards the end of December, researchers said this initial Terror EK installation was pulled down, as the crook switched to the Sundown EK, which they ran for about a week.

After this week, the crook changed back to the Terror EK once more, but to a new version, one that copied several exploits from the Sundown EK, presumbly after testing them first-hand.

In fact, many security researchers mistook Terror for Sundown, due to how much of Sundown’s code the Terror author had copied.

View image on Twitter

View image on Twitter

In line with the crook’s general lack of knowledge for exploit kit deployments, he forgot to obfuscate (mask) his payloads, revealing to security researchers his current exploits, which were:

  • CVE-2013-2551 – Internet Explorer
  • CVE-2014-6332 – Internet Explorer
  • CVE-2015-7645 – Adobe Flash
  • CVE-2016-4117 – Adobe Flash

During all this switching around, despite the different exploits used to infect victims, the final malware payload was the same, which was a miner for the Monero cryptocurrency.

Again, showing the malware author’s lack of awareness for proper operational security (OpSec) techniques, the crook hosted the configurations for his cryptocurrency mining operation on GitHub and Pastebin, where security researchers could easily take them down. A second good news is that this cryptocurrency miner only works on 64-bit systems.

“After tracking this kit for over a month, we strongly suspect that this is a one-man operation,” said Simon Kenin of Trustwave. “Crypto mining is not that profitable, however for a one-man operation this is a good solution. Once the host is infected and as long as it keeps running the miner, you profit. No hassle whatsoever.”