Exploit Kit

An exploit kit is a packaged toolkit that automates the discovery and exploitation of vulnerabilities in client software to deliver malware.

What is an exploit kit?

Exploit kits are commercialized or criminal toolchains that probe client environments for vulnerabilities and attempt to exploit any weak points to install payloads. Typically deployed via malvertising or compromised websites, these kits detect browser versions, plugins, and missing updates to choose an appropriate exploit. Famous historical kits include Angler and Neutrino, which drove large-scale drive-by download operations. While many classical exploit kits declined due to better browser hardening and takedown operations, the concept persists in targeted frameworks and modular toolchains used by attackers.

How it typically works

  1. Landing page and redirection: victims reach a malicious or compromised site that redirects to the exploit kit landing page.
  2. Fingerprinting: the kit probes browser, plugin, and system versions to select available exploits.
  3. Exploit attempt: the chosen exploit is delivered to the client to execute code.
  4. Payload drop: once the exploit succeeds, a downloader or final payload installs on the host.
  5. Command and control: the payload contacts attacker infrastructure for follow-on actions.

Common techniques & variants

  • Drive-by download kits: compromise web traffic through malvertising and redirect chains to deliver exploits.
  • Modular kits: plug in new exploits for emerging vulnerabilities and swap payload modules.
  • Exploit chaining: combine several exploits to maximize success across diverse clients.
  • Silent fallback: if one exploit fails, kits try alternate vectors to avoid detection.
  • Targeted exploit frameworks: evolved versions tailored for high value targets using custom exploits.

Impact

Exploit kits are efficient distribution mechanisms for malware and have powered many large-scale campaigns in the past. They increase the chance of exploitation by automating fingerprinting and fallback logic and by matching exploits to client weaknesses. For SecOps teams, exploit kits are relevant because they represent common infection vectors for drive-by and browser-based compromises. Defenses focus on reducing attack surface through patching and browser hardening, blocking malicious ad networks, and monitoring unusual process creation from user browsing contexts.
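The last defense named above, monitoring process creation from browsing contexts, is the one that catches the payload-drop stage regardless of which exploit succeeded. The following is an added example, not code from the original page: it scans a constructed process-creation log (JSON per line with ProcessId, Image and ParentImage, loosely modelled on Sysmon event 1; the field names and the browser and high-risk process lists are assumptions) and flags children spawned by a browser.

```python
"""Flag unusual child processes spawned from a browsing context.

Constructed example for this entry, not code from the original page. The
log format (one JSON object per line with ProcessId, Image, ParentImage,
loosely modelled on Sysmon event 1) and the process lists are assumptions.
"""
import json
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Browsers whose children are scrutinised (assumption: adjust to your estate).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Interpreters and LOLBins often used as the downloader stage after an exploit.
HIGH_RISK = {"powershell.exe", "cmd.exe", "mshta.exe", "regsvr32.exe",
             "rundll32.exe", "wscript.exe", "cscript.exe"}

# Constructed sample log: browser-to-browser spawn (benign), browser-to-
# powershell (high), browser-to-Temp executable (medium), explorer child (none).
SAMPLE_LOG = [
    r'{"ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\chrome.exe"}',
    r'{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\chrome.exe"}',
    r'{"ProcessId": 4201, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}',
    r'{"ProcessId": 4310, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
]

def _name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()

def classify(event: dict) -> Optional[str]:
    """Severity for one event: 'high', 'medium', or None when not suspicious."""
    parent, child = _name(event.get("ParentImage", "")), _name(event.get("Image", ""))
    if parent not in BROWSERS or child in BROWSERS:
        return None          # not from a browser, or a normal browser helper process
    if child in HIGH_RISK:
        return "high"        # scripting host or LOLBin launched directly by a browser
    return "medium"          # any other executable, e.g. a file dropped in Temp

def scan(lines: Iterable[str]) -> List[Tuple[str, int, str, str]]:
    """Return (severity, pid, parent, child) for every flagged event."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue         # skip malformed records rather than abort the scan
        severity = classify(event)
        if severity:
            hits.append((severity, event["ProcessId"], _name(event["ParentImage"]), _name(event["Image"])))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%-6s pid=%d %s -> %s" % hit)
```

In production the allowlist of expected browser children (updaters, crash handlers, PDF helpers) needs tuning per environment, and the "medium" tier is where most of that tuning happens.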

Further reading

  • Symantec: exploit kit history and analysis.
  • Kaspersky: exploit kit research.
  • Trend Micro: drive-by download campaigns.
  • US-CERT: historical advisories on exploit kit activity.