
Capesand Exploit Kit

Posted: November 6, 2019

The Capesand Exploit Kit is a threat that takes advantage of browser vulnerabilities for drive-by-download attacks. Exposure to it can result in infecting an unprotected computer, with probable payloads including Remote Access Trojans (or RATs) and backdoor Trojans. Users should maintain strict Web-browsing safety practices while having anti-malware programs block the Capesand Exploit Kit and remove the payloads as appropriate.

Your Browser's Washing Up on the Wrong Cape

A little-known name in the Exploit Kit webspace is getting a makeover, with its threat actors showing both talent and interest in updating its anti-analysis and anti-security features. This brand-new threat is the Capesand Exploit Kit, which operates similarly to the Fallout Exploit Kit, the Angler Exploit Kit and other such well-known names. It uses vulnerabilities in software for compromising the PCs of random users who load the host websites.

The Capesand Exploit Kit is an obvious derivative of a GitHub-hosted EK, Demon Hunter, with much of its code being identical. While its development is ongoing, and the project shows signs of having incomplete features, it's fully functional at its intended purpose: downloading Trojans and other threats onto users' computers. The Capesand Exploit Kit does so via vulnerabilities that, currently, focus on Internet Explorer (such as CVE-2019-0752) and Flash (such as CVE-2018-4878).

The Capesand Exploit Kit threat actors are using it, along with other tools like the RIG Exploit Kit, for installing two RATs: njRAT and DarkRAT, remote access tools that provide administrative capabilities over the victims' computers. Like other EKs, the Capesand Exploit Kit requires a website 'host,' which in this case is a series of typo-squatting domains. These sites have content copied from legitimate ones, as well as URLs that are only slightly off from the 'original' ones (as an example: 'Ggoogle' instead of 'Google').

The result is a PC that's infected and handed over to the attacker's control while the user did little more than mistype an address or follow a corrupted and disguised web link.

Shutting Unsafe Locales Out of Your Browser

The Capesand Exploit Kit includes various advantages that malware experts take note of versus other black hat packages for Trojan delivery. It has significant obfuscation that employs multiple DLLs, along with its final payload using process injection, and several files using misleading names, such as one DLL that references the GPU company Nvidia. The drive-by-download can also use privilege-escalation techniques to launch files with admin privileges without prompting the user for permission. Features like these hinder both victims and automated security tools from identifying the threat during the attack.

On the other hand, malware experts find that many exploits are preventable by installing the supplied security patches. Users also should consider avoiding Internet Explorer, which accounts for a significant portion of the Capesand Exploit Kit's vulnerability arsenal, and should disable Flash from running automatically on websites. Visible symptoms of the RATs that the Capesand Exploit Kit installs are, as per usual, minimal or non-present.

Paying attention to Web addresses while typing or following links can lower one's chances of exposure to the Capesand Exploit Kit or other, typo-squatter-using threats. Infected systems should have compatible anti-malware services to remove the Capesand Exploit Kit's payloads immediately, and most anti-malware programs should provide anti-drive-by-download features.
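As an added example (not from the page or the researchers' analysis), here is a small Python check of the kind the advice above describes: it normalizes a URL's host and flags registrable names that sit within a short edit distance of an assumed trusted-brand list, which catches the doubled-letter 'Ggoogle' pattern mentioned earlier. The TRUSTED set and the sample URLs are constructed for illustration.

```python
# Constructed example: flag look-alike domains close to a trusted brand list.
from urllib.parse import urlparse

# Assumed allow-list of legitimate registrable names (sample values).
TRUSTED = {"google.com", "microsoft.com", "adobe.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Lower-cased host reduced to its last two labels (naive eTLD+1)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, trusted=TRUSTED, max_distance: int = 2):
    """Return ('trusted', name), ('lookalike', name) or ('unknown', None)."""
    dom = registrable_domain(url)
    if dom in trusted:
        return ("trusted", dom)
    best = min(trusted, key=lambda t: levenshtein(dom, t))
    if levenshtein(dom, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs, including the page's 'Ggoogle' pattern.
    samples = ["https://www.google.com/search", "http://Ggoogle.com/",
               "https://micros0ft.com/login", "https://example.org/"]
    for u in samples:
        print(u, "->", classify(u))
```

A real deployment would pair this with a proper public-suffix list and a much larger brand list; the edit-distance threshold is the knob that trades false positives for coverage.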

While it's taking over for a much more well-known EK, the Capesand Exploit Kit is an alternative for criminals with unique segregation of its exploits from the rest of its body. This separation might reduce the Capesand Exploit Kit's efficiency, in some ways, but also opens it up to a world of potential business uses – for criminals.
