By Elliot Cao, Joseph C. Chen, William Gamazo Sanchez
We discovered a new exploit kit named Capesand in October 2019. Capesand attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). Based on our investigation, it also exploits a 2015 vulnerability for IE. It seems the cybercriminals behind the exploit kit are continuously developing it and are reusing source code from a publicly shared exploit kit code.
Discovery and details
In the middle of October, we found a malvertising campaign using the Rig exploit kit and delivering DarkRAT and njRAT malware. By the end of October, however, we noticed a change in the malvertisement and the redirection was no longer to the Rig exploit kit. The cybercriminals shifted to loading an exploit kit we were unfamiliar with. Investigating further led us to a panel provided for this unknown exploit kit to customers. The panel has the name Capesand on it and directly provides the source code of the exploit kit.
Figure 1. Capesand exploit kit panel
Figure 2. Capesand exploit kit traffic pattern
The Capesand exploit kit’s code is quite simple compared with other kits. Almost all of Capesand‘s functions reuse open-source code, including the exploits, obfuscation, and packing techniques. Further monitoring revealed that its users are actively using it despite its seemingly unfinished state.
Analysis of the malvertisement
The malvertisement we observed was delivered from the ad network straight to the victim’s browser and was presented as a blog talking about blockchain. A close check of the source code of the page showed that it was a disguise, as it ..
Support the originator by clicking the read the rest link below.
