Exploit kits didn't completely hibernate over the winter, but they didn't show much signs of life either, with no major changes to their features and a relatively low infection volume compared to malicious spam, according to Malwarebytes.
In its Winter 2017 review of exploit kit activity, the company on Thursday concluded that the lack of changes on the EK front is "in part due to the lack of fresh and reliable exploits in today's drive-by landscape."
The RIG EK, whose primary payloads are the Cerber and CryptoShield ransomware programs, remains the most popular exploit kit, and is being used in both malvertising and website compromise campaigns, Malwarebytes noted. While RIG's URL and source code hasn't notably evolved, it is now using a pre-landing page to filter bots and other non-legitimate traffic.
In other minor developments, Malwarebytes reported that the Sundown EK keeps changing its URL patterns, primarily for its Flash exploit and payload URLs, while the Neutrino EK, which uses a pre-filtering gate to check infected machines for virtualized environments and security software, seems to be the "weapon of choice for special malvertising attacks that are difficult to reproduce."
Additionally, the Magnitude EK, which uses decoy finance or bitcoin websites with a special HTTP referer to lead victims to its malicious gate, has been restricted to Asia for the moment, the report stated.
Based on Malwarebytes' observations over the winter, Pseudo-Darkleech and EITest are the most popular redirection campaigns from websites compromised with malicious code.
Jerome Segura, lead malware intelligence analyst at Malwarebytes, said that the decline in EK activity across the board can be traced back to around the same time the Angler EK went down in June 2016, following the crackdown on the Lurk cyber gang.
"When it vanished... the remaining exploit kits simply could not fill the void and bring the same quality and freshness of exploits," said Segura, in an email interview with SC Media. "Over time, those vulnerabilities that were being used simply got older and less potent to properly infect end users."
"In the meantime, Microsoft has been pushing Windows 10 and made Edge the default browser. Both have more robust protection against exploit kits," Segura continued. "Another factor is the automatic updates by default that are built into Windows 10, making the time frame to leverage new vulnerabilities much smaller."
Because of these improved protections against vulnerabilities, many cybercriminals today prefer social engineering scams over exploit kits, Segura noted, as it remains very effective to trick users into infecting themselves.