What Are Exploit Kits?

Exploit kits are a type of all-inclusive, automated, and rapidly deployable threat. These threats often target vulnerabilities in popular browser applications and compromised websites to achieve as wide a reach as possible. Because they are automated, they are a simple and attractive way to distribute large amounts of malware, which makes them a powerful tool in any attacker’s arsenal. Recently though, they’ve been used less often, thanks to better application security practices and the fall of Adobe Flash.

Hot Deals on Exploit Kits on the Dark Web

Because they include everything an attacker needs to pull off forceful cyber attacks (the “all-in-one” concept), exploit kits make an ideal choice for newbie attackers without a whole lot of experience. In fact, kits usually come with user-friendly management consoles that provide insights into how campaigns are performing, countries that have been targeted, and the operating systems and web browsers being affected. They also provide users with a choice of payloads, ranging from botnets to ransomware to malware exploits.

Not only are exploit kits a turn-key solution for deploying damaging attacks, they are also easy to get ahold of. To get started, all an aspiring attacker has to do is find one of the many malware marketplaces that sell exploit kits on the dark web. Then, for as little as $80 a day, an attacker can rent the rights to distribute and profit from a range of threats, including infamous kits such as Angler and RIG.

Unfortunately, this crimeware-as-a-service model is being used more and more frequently, allowing inexperienced attackers to scale their operations faster than ever before. This means that attackers are able to charge less for their services, have a greater ability to scale, and don’t need to build their own infrastructure. This service-based model has created a subeconomy where anyone can become an attacker, no matter their level of technical prowess.

How Exploit Kits Work

Despite all this, exploit kits are not always successful, sometimes failing to infect users. Let’s take a look at how exploit kits work in order to understand why this is the case.

Exploit kits compromise users in five stages:

  1. The attacker chooses a website to infect. This choice is often based on how much traffic the site gets. In more targeted exploit-kit attacks, it may also be based on the type of users who typically visit certain sites. This is called a watering-hole attack, and we’ll discuss it in greater depth below.
  2. The victim lands on the compromised website or clicks on a link in an email that takes them to the infected website.
  3. The exploit kit scans the user’s browser, operating system and installed software to determine if any of them meet the attack “requirements.” For example, the user should be located in the target attack area and should have the right set of vulnerabilities. If the browser, operating system and software in question are properly patched, they typically cannot fall victim to the malware.
  4. If the device fits the victim profile, the user will be redirected to the exploit kit’s landing page, where the kit decides which vulnerability to exploit. This is why some attacks are successful and others aren’t—the device must meet the right requirements to fall victim.
  5. The kit then delivers the malware payload.
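
From the defender's side, stages 2 through 5 leave a recognizable trail in web proxy logs: a visited site, an HTML page on an unrelated host reached from it, then an executable download referred by that page. The following is an added example, not code from the original article; the log format, host names, content types and 30-second window are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed proxy log, not real traffic.
# Columns: time, client, host, referrer host, response content type
SAMPLE_LOG = """\
2024-01-01T10:00:00,10.0.0.5,news.example,,text/html
2024-01-01T10:00:01,10.0.0.5,cdn.news.example,news.example,image/png
2024-01-01T10:00:02,10.0.0.5,landing.invalid,news.example,text/html
2024-01-01T10:00:04,10.0.0.5,landing.invalid,landing.invalid,application/x-msdownload
2024-01-01T10:05:00,10.0.0.9,news.example,,text/html
2024-01-01T10:05:01,10.0.0.9,landing.invalid,news.example,text/html
2024-01-01T11:00:00,10.0.0.7,vendor.example,,text/html
2024-01-01T11:00:30,10.0.0.7,vendor.example,vendor.example,application/x-msdownload
"""

EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=30)  # assumed: automated chains complete quickly


def same_site(a, b):
    # Naive comparison of the last two labels; use the Public Suffix List in production.
    return a.split(".")[-2:] == b.split(".")[-2:]


def find_chains(log_text, window=WINDOW):
    """Return (client, referring site, landing host, payload time) per chain."""
    landings = {}  # (client, landing host) -> (referring site, redirect time)
    hits = []
    for ts, client, host, referrer, ctype in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        if ctype == "text/html" and referrer and not same_site(host, referrer):
            # Stage 4: an HTML page on another site, reached from the visited site.
            landings.setdefault((client, host), (referrer, when))
        elif ctype in EXECUTABLE_TYPES and (client, referrer) in landings:
            # Stage 5: an executable fetched with the landing page as referrer.
            site, redirected_at = landings[(client, referrer)]
            if when - redirected_at <= window:
                hits.append((client, site, referrer, ts))
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print("possible exploit-kit chain:", hit)
```

Client 10.0.0.9 reaches the landing page but never receives a payload, which is what a fully patched device looks like in the logs, and 10.0.0.7 downloads directly from the site it chose to visit, so neither is flagged. An ordinary cross-site link followed by a quick download also matches this pattern, so treat hits as triage leads rather than verdicts.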

Zero-Day Exploit Kits

There’s one catch to the “patch everything and you’ll be protected” idea: Exploit kit creators are quick to incorporate yet-unknown, zero-day vulnerabilities into their kits to ensure they successfully infiltrate as many devices as possible. This makes them an even more formidable threat.

The Evolution of Exploit Kits

The Beginning

Exploit kits were first noted by researchers in 2006. WebAttacker, which sold for as little as $20, and MPack, which came out of Russia, were two of the most notable. Then came Neosploit, which provided in-depth data analysis tools to track operations. While the actual malware delivered in these attacks was quite similar to other variants of the time, the all-in-one concept (described above) was completely new. The variants that followed were more or less similar in method, though they delivered different malicious payloads.

One of the most sophisticated and devastating exploit kits was Angler, which was first noted in 2013. It took advantage of vulnerabilities in Adobe Flash, Microsoft Silverlight, Java, and ActiveX—which were running on popular news and entertainment websites—to distribute ransomware variants including TeslaCrypt and HydraCrypt. Angler became the No. 1 deployed exploit kit by 2015, responsible for a full 80% of exploit-kit infections. Ultimately, it infected more than 90,000 websites, netting a profit of over $25 million for its creators. Thankfully, it dropped off the radar in 2016.

The (Brief) Decline

Exploit kits continued to be big business until 2017, when they began to decline in popularity. But what caused their fall from grace?

Until then, attackers had been using vulnerabilities in infamously buggy applications—chief among them Java and Flash—to launch their attacks. However, Java vulnerabilities began to drop in 2013, which prompted attackers to rely more heavily on Adobe Flash. Then, in 2017, Adobe announced that it would phase out Flash by 2020. Many websites stopped using it, which limited the surface from which attackers could launch their exploits. Not long after this, crypto-mining attacks overtook exploit-kit usage, as they are just as profitable and are still relatively simple to execute.

This appeared to be the end for exploit kits. But, in truth, the model never died—it was merely rearming. In mid-2018, some new variants began to appear, including Greenflash Sundown. Greenflash Sundown distributes Seon ransomware and a cryptominer, and uses an array of interesting code obfuscation methods to avoid detection. Also, the redirection method is placed inside fake GIF images.

Fallout is another newcomer. First spotted in late 2018, it has been used to deliver numerous ransomware variants, including GandCrab, Minotaur, and Kraken. Another fresh face on the exploit-kit scene is the Lord EK, a malvertising campaign that’s rather typical as far as exploit kits go, but that has a few interesting features. For example, it can create custom hostnames to craft unique URLs and delivers the Eris ransomware variant.

Other Notable Exploit Kits

Taking over where Angler left off in 2016, RIG uses many methods to obfuscate its attacks. According to Talos Security, it has been caught “dynamically changing encoding and encryption for all files transmitted.” RIG is still quite active and was recently spotted distributing Purple Fox, a fileless crypto-mining malware.

Also notable is Blackhole, one of the most prolific security threats in the early days of exploit kits. Blackhole tracked its victims so attackers could keep tabs on their device-usage habits. It also came with an optional crypting service that prevented antimalware tools from detecting it. Eventually Blackhole’s creator, Dmitry Fedotov, was caught and sentenced to seven years in a Russian prison.

What About Watering-Hole Exploit Kits?

Most exploit kits are not targeted. But there are some exceptions, called watering-hole attacks. This name comes from the watering holes found in nature, where water-dwelling animals, such as alligators, wait in stealth just below the surface for unwitting prey to enter.

In the tech world, attackers use this method when they want to compromise a particular group of users, infecting a website those users are likely to visit. For example, the LightsOut watering-hole exploit kit specifically targeted the energy sector by parking itself on the website of a law firm that dealt with such clients. Attacks such as these are relatively rare, but can be highly potent.

Cynet’s Exploit-Kit Protection

Though they aren’t the force they once were, as we’ve seen, exploit kits are still very much alive and kicking. Attackers are always ready to pivot between effective attack methods, and exploit kits are threats your organization needs to be prepared for. Cynet 360 uses a multilayered and fully automated approach to prevent exploit kits and other dynamic threats from infiltrating your system. By preventing execution with interlocking protection layers, you can help your organization stay secure.


There are many fascinating tidbits to take away from a thorough examination of exploit kits and how they work, such as the crimeware-as-a-service model, the all-in-one aspect, and their innovative obfuscation tactics. But the most salient lesson is this: If it seems like a certain threat has taken a backseat, be careful—it could very well be still dangerous. Exploit kits may wax and wane in popularity, but they are a threat that’s here to stay.