Security Operation Center (SOC) analysts investigate alerts on suspicious network activity. However, these analysts might not run across exploit kit (EK) traffic that often. An organization's web gateway can stop a great deal of bad traffic before you see a full infection chain. Investigating other types of suspicious activity will likely take up the majority of an analyst's workday.

Some of us are lucky enough to review EK traffic on a routine basis. With that in mind, I want to share examples of the most common exploit kits I've noticed so far this year.

In order, the EK traffic I've seen most often in 2015 has been:

  • Angler
  • Fiesta
  • Nuclear
  • Neutrino
  • Magnitude
  • Rig

This isn't a comprehensive list. Other exploit kits are out there, but these are the most common that I've seen this year. I don't have any hard numbers, and the last four (Nuclear, Neutrino, Magnitude, and Rig) are more of an educated guess for the ranking. The EK scene can evolve fairly quickly. The list will likely change within a few months, and my observations are only one person's view.

Angler EK

Angler is the most common exploit kit I run across. It's also the most advanced. Angler changes URL patterns frequently, and these changes have recently happened on a near-daily basis. Angler started using fileless infection techniques in 2014 [1], and it now sends its payload in a fairly sophisticated encrypted manner (meaning it doesn't use a straight-forward ASCII string to XOR the payload when it's sent over HTTP). In recent months, I've had a hard time obtaining the payload from Angler EK. In the example for this diary, I wasn't able to obtain or decrypt the payload.

Previously, I've seen Angler sending some form of ransomware like the TeslaCrypt/Alpha Crypt variants [2] or CryptoWall 3.0 [3]. In the past few days, I

Shown above: Angler EK traffic and post-infection activity on Wednesday 2015-06-03.

Fiesta EK

Fiesta is probably the next-most common exploit kit I've run across, most of it related to the BizCN actor that I described in a previous diary [4]. Other actors certainly use this exploit kit. Like Angler EK, Fiesta also uses a more sophisticated type of encryption when sending the malware payload.

Shown above: Fiesta EK traffic on Wednesday 2015-06-03.

Magnitude EK

Magnitude EK often sends several payloads, sometimes 6 or more. It's a very noisy exploit kit. I'll often see CryptoWall 3.0 as one of the payloads. In the example for this diary, Magnitude only sent one payload, and that was CryptoWall 3.0. I've usually seen Magnitude EK send the malware payloads unencrypted, at least when using IE 8 as a web browser in the vulnerable host. I don

Shown above: Magnitude EK traffic and post-infection activity on Wednesday 2015-06-03.

Neutrino EK

In 2014, this exploit kit disappeared for about six months then came back in a much different form [5]. Traffic patterns have remained relatively unchanged since it reappeared in late 2014. Neutrino EK uses a more sophisticated style of encryption when sending the malware payload (not merely a straight-forward XOR using an ASCII string).
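The diary distinguishes payloads sent unencrypted, payloads XORed with a straightforward ASCII string, and payloads protected by something more sophisticated. The following triage sketch for a payload carved from a pcap is an added example, not the author's tooling; the function names, the stub offset, the key and the sample bytes are all constructed assumptions.

```python
from itertools import cycle

DOS_STUB = b"This program cannot be run in DOS mode"  # known plaintext in most PE files
STUB_OFFSET = 0x4E  # assumption: stub text offset used by common toolchains

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_ascii_xor_key(blob: bytes):
    """Recover a repeating printable-ASCII XOR key by known plaintext, else None."""
    window = blob[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)]
    if len(window) < len(DOS_STUB):
        return None
    ks = bytes(c ^ p for c, p in zip(window, DOS_STUB))  # keystream slice
    if not all(0x20 <= b < 0x7F for b in ks):
        return None  # not an ASCII-string key
    for period in range(1, len(ks) // 2 + 1):  # key must repeat inside the slice
        if all(ks[i] == ks[i % period] for i in range(len(ks))):
            # Rotate the slice so key[0] lines up with file offset 0.
            key = bytes(ks[(k - STUB_OFFSET) % period] for k in range(period))
            if xor(blob[:2], key) == b"MZ":  # confirm against the PE magic
                return key
    return None

def triage(blob: bytes):
    """Classify a payload carved from EK traffic: (label, key or None)."""
    if blob[:2] == b"MZ" and DOS_STUB in blob[:0x200]:
        return ("plain-pe", None)      # sent unencrypted
    key = recover_ascii_xor_key(blob)
    if key:
        return ("ascii-xor", key)      # straightforward ASCII-string XOR
    return ("other", None)             # needs kit-specific analysis

def sample_pe() -> bytes:
    """Constructed stand-in for the start of a PE file (not real malware)."""
    return b"MZ" + bytes(STUB_OFFSET - 2) + DOS_STUB + b".\r\r\n$" + bytes(64)

if __name__ == "__main__":
    samples = {
        "unencrypted": sample_pe(),
        "xor, constructed key": xor(sample_pe(), b"s3cr3tKey"),
        "opaque bytes": bytes(range(256)),
    }
    for name, blob in samples.items():
        print(f"{name:22} -> {triage(blob)}")
```

A result of "other" only means the two simple cases were ruled out; keys longer than half the stub text are also reported that way.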

Neutrino however, Sweet Orange seems to have disappeared from the scene back in February of 2015. I haven't found any Sweet Orange after February, but I've seen plenty of Neutrino since then. If you see recent traffic you think is Sweet Orange, double check it. It's probably Neutrino EK.

Neutrino has been relatively consistent over the past few months. Haven't seen a lot of it, but it

Shown above: Neutrino EK traffic on Wednesday 2015-06-03.

Nuclear EK

Last year, this exploit kit seemed much more common than it is today. Operation Windigo still uses Nuclear EK [6], but in recent weeks, I've rarely seen Nuclear outside of that.

Shown above: Nuclear EK traffic and post-infection activity associated with Operation Windigo on Wednesday 2015-06-03.

Rig EK

When Rig first appeared in 2014, it looked remarkably similar to Infinity EK [7] (which was first identified as Goon EK). Rig EK apparently borrowed a great deal from Infinity. While I haven't seen Infinity this year, I've definitely run across Rig every once in a while.

In April 2015, Rig EK changed the encryption it uses for sending the malware payload.

Shown above: Rig EK traffic on Wednesday 2015-06-03.

Final words

As mentioned earlier, this is merely one person's view into the current state of exploit kits. It's not comprehensive, and there are other exploit kits I don't have visibility on. Here's a list of pcap files from the previous paragraphs:

I've also collected the exploits and malware payloads where I could. A zip file with this collection is available at:

The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.

Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


[1] http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
[2] https://isc.sans.edu/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681
[3] https://isc.sans.edu/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737
[4] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631
[5] https://isc.sans.edu/diary/Exploit+Kit+Evolution+Neutrino/19283
[6] http://www.rackspace.com/blog/in-2015-operation-windigo-is-still-going-strong/
[7] http://www.kahusecurity.com/2014/rig-exploit-pack/
[8] http://malware-traffic-analysis.net/2015/05/06/index2.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Infosec 2015: White-hat hackers "lack awareness of key computing aspects"
Speaking at a keynote presentation at the Infosec show in London, Lyne said that as cyber attacks became more nuanced and complex, security researchers and pen testers would have to broaden and deepen their knowledge of computing principles. Lyne ...
White hats need to know how computers work, not just how they're hacked - V3.co.uk
ESA-2015-091: RSA® Web Threat Detection Cross-Site Request Forgery Vulnerability

SourceForge has sworn off its ways of wrapping "unmaintained" code from open source projects in installers that offer bundled commercial products in the wake of objections raised by some open source communities. But one policy remains in effect: the takeover of project pages SourceForge's staff decides are inactive, and assignment of ownership of those projects to staff accounts. One of the latest projects grabbed in this way is the Nmap security auditing tool.

The practice of reassigning ownership was broadly exposed by SourceForge's takeover of the project page for the Windows version of the GIMP image manipulation tool. While SourceForge staff claimed in a blog post that the project's account had been abandoned, an official statement from the GIMP development team denied that SourceForge had contacted them about the account, saying that no permission had been given to SourceForge to take over maintenance of the project.

Something similar happened to Nmap, as its developer Gordon Lyon reported in an e-mail message to the project's mailing list today. "The bad news is that Sourceforge has also hijacked the Nmap account from me," Lyon, known as "Fyodor" in Internet discussions, wrote. "The old Nmap project page is now blank. Meanwhile they have moved all the Nmap content to their new page which only they control. So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP. But we certainly don't trust them one bit! "




Infosec 2015: Schneier warns we're in “cyber arms race”
Bruce Schneier warned the IT industry that it would be in the “blast radius” of an oncoming cyber war. In a packed keynote speech at the Infosec show in London, Schneier - a well-known security expert who is currently chief technology officer of ...
Bruce Schneier: Sony hack proves firms ill-prepared for cyber war - V3.co.uk


Infosec 2015: White-hat hackers need to learn computing basics
Security professionals will need to have a greater understanding of computers at a deeper, more fundamental level if they want to defend against cyber attacks, claimed James Lyne, global head of research at Sophos. Speaking at a keynote presentation at ...
White hats need to know how computers work, not just how they're hacked - V3.co.uk


Security roundup: Infosec kicks off, females 'more aware' of cyber threats ...
The research showed that 90 per cent of large businesses and 74 per cent of SMBs had experienced an information security breach in the last 12 months. At Infosec Recorded Future revealed that it identified recent employee credential exposures for at ...
Infosec 2015: More UK businesses than ever face data breaches as costs spiral - IT PRO
PwC: Almost all large companies suffered a data breach last year - SC Magazine UK

Local PHP File Inclusion in ResourceSpace
Safari Address Spoofing - Impact, Code, How It Works, History
[SECURITY] [DSA 3249-2] jqueryui security update
Jildi FTP Client 1.5.2 b1138 - Buffer Overflow Vulnerability

SSCC 201 - The Infosec edition [PODCAST]
Naked Security