Skip to main content
Skip to main content
Microsoft Security

Exploit kits remain a cybercrime staple against outdated software – 2016 threat landscape review series

  • Microsoft Defender Security Research Team

Despite the disruption of Axpergle (Angler), which dominated the landscape in early 2016, exploit kits as a whole continued to be a threat to PCs running unpatched software. Some of the most prominent threats, from malvertising to ransomware, used exploit kits to infect millions of computers worldwide in 2016.

The prevalence of exploit kits as an infection vector can be attributed to these factors: 1) they continue to use old but effective exploits while efficiently integrating new ones, 2) they are easily obtained from underground cybercriminal markets; and 3) there remains a significant number of machines that are potentially vulnerable because they run unpatched software.

Using up-to-date browser and software remains to be the most effective mitigation against exploit kits. Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.

(Note: This blog post is the first in the 2016 threat landscape review series. In this blog series, we look back at how major areas in the threat landscape, including ransomware, macro malware, support scam malware, and unwanted software, have transformed over the past year. We will discuss trends that have emerged, as well as security solutions that tackle threats as they evolve.)

Meadgive gained ground as Axpergle is disrupted

In the first five months of 2016, Axpergle (also known as Angler exploit kit) infected around 100,000 machines monthly. However, sometime in June, the exploit kit vanished. Reports associated this development with the arrest of 50 hackers in Russia.

Axpergle is primarily associated with the delivery of the 32- and 64-bit versions of Bedep, a backdoor that also downloads more complex and more dangerous malware, such as the information stealers Ursnif and Fareit.


Figure 1. Monthly encounters by exploit kit family

The disappearance of Axpergle made way for other exploit kits as cybercriminals presumably looked for alternatives. The Neutrino exploit kit started dominating for around three months, but scaled down in September. Reports say that Neutrino operators went into “private” mode, choosing to cater to select cybercriminal groups.

A look at the year-long trend shows that Meadgive (also known as RIG exploit kit) filled the hole left by Axpergle and Neutrino (and Nuclear before them). By the end of 2016, while overall volume has gone down, most exploit kit activity can be attributed to Meadgive.

Meadgive has been around since March 2014. Attackers who use Meadgive typically inject a malicious script island into compromised websites. When the compromised site is accessed, the malicious script, which is usually obfuscated, loads the exploit. Recently, Meadgive has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651 that executes a JavaScript file, which then downloads an encrypted PE file.

Even with the decreased activity, exploit kits continue to be a global threat, having been observed in more than 200 countries in 2016. They affect the following territories the most:

  1. United States
  2. Canada
  3. Japan
  4. United Kingdom
  5. France
  6. Italy
  7. Germany
  8. Taiwan
  9. Spain
  10. Republic of Korea


Figure 2. Geographic distribution of exploit kit encounters

Exploit kits in the ransomware trail

As exploit kits have become reliable means to deliver malware, it is not surprising that ransomware, currently the most prevalent malware, continue to use them as launch pads for infection.

Meadgive, for instance, is known for delivering one of the most active ransomware in 2016. As late as December 2016, we documented new Cerber ransomware versions being delivered through a Meadgive exploit kit campaign, on top of a concurrent spam campaign.

Neutrino, which temporarily dominated in 2016, is associated with another prominent ransomware family. Like Cerber, Locky also uses both exploit kits and spam email as vectors. With the decreased activity from Neutrino, we’re seeing Locky being distributed more and more through spam campaigns.

Top malware families associated with exploit kits

Malware family Related exploit kit family
Backdoor:Win32/Bedep Axpergle (Angler)
Backdoor:Win64/Bedep Axpergle (Angler)
Ransom:Win32/Cerber Meadgive (RIG)
Ransom:Win32/Locky Neutrino
Trojan:Win32/Derbit SundownEK

Integrating exploits at a slower rate

While exploit kits rely on exploits for patched vulnerabilities, they also continually update their arsenal with newer exploits in the hope of casting bigger nets. This also allows them to take advantage of the window of opportunity between the release of a security fix and the time it is actually applied by users. Notably, the rate with which exploit kits integrate exploits for newly disclosed vulnerabilities is lower than in previous years.

Of the major exploits used by kits in 2016, one is relatively old—an exploit for a Microsoft Internet Explorer bug that was disclosed and patched back in 2014 (CVE-2014-6332). Four major kits use an exploit for the Adobe Flash vulnerability CVE-2015-8651, which was patched back in 2015.

Three exploits disclosed in 2016 were seen in exploit kits, showing that operators still attempt continually improve their tools. One of these is a zero-day exploit for Adobe Flash (CVE-2016-1019) used by Pangimop at least five days before it was patched. However, this particular zero-day is a “degraded” exploit, which means that it worked only on older versions of Adobe Flash. The exploit did not affect the latest version of the software at the time, because Adobe previously introduced stronger exploit mitigation, which Microsoft helped build.

Major exploits used by exploit kits

Exploit Targeted Product Exploit kit Date patched Date first seen in exploit kit
CVE-2014-6332 Microsoft Internet Explorer (OLE) NeutrinoEK November 11, 2014 (MS14-064) November 19, 2014
CVE-2015-8651 Adobe Flash Axpergle, NeutrinoEK, Meadgive, SteganoEK December 28, 2015 (APSB16-01) December 28, 2015
CVE-2016-0189 Microsoft Internet Explorer NeutrinoEK May 10, 2016 (MS16-051) July 14, 2016
CVE-2016-1019 Adobe Flash Pangimop, NeutrinoEK April 7, 2016 (ASPB16-10) April 2, 2016 (zero-day)
CVE-2016-4117 Adobe Flash NeutrinoEK May 12, 2016 (ASPB16-15) May 21, 2016


We did not see exploit kits targeting Microsoft’s newest and most secure browser, Microsoft Edge, in 2016. Only a few days into the new year, however, SundownEK was updated to include an exploit for an old vulnerability that was patched a couple of months prior. Microsoft Edge applies patches automatically by default, rendering the exploit ineffective.

It was also SundownEK that integrated steganography in late 2016. Steganography, a technique that is not new but getting more popular with cybercriminals, hides information like malicious code or encryption keys in images.

Instead of loading the exploit directly from a landing page, SundownEK downloads an image that contains the exploit code. This method is employed to avoid detection.

Stopping exploit kits with updates and a secure platform

While we see a willingness among cybercriminals to switch from exploit kits to spam and other vectors, there is a clear desire to continue using kits. We see cybercriminals switch from one kit to another, replacing kits as they become unavailable. Meanwhile, exploit kit authors continue to keep their wares attractive to cybercriminals by incorporating new exploits.

Keeping browsers and other software up-to-date can counter the impact of exploit kits. Microsoft Edge is a secure browser that gets updated automatically by default. It also has multiple built-in defenses against exploit kits that attempt to download and install malware. These defenses include on-by-default sandboxing and state of the art exploit mitigation technologies. Additionally, Microsoft SmartScreen, which is used in both Microsoft Edge and Internet Explorer 11, blocks malicious pages, such as landing pages used by exploit kits.

At the same time, running a secure platform like Windows 10 enables users to benefit from advanced security features.

Windows Defender uses IExtensionValidation (IEV) in Microsoft Internet Explorer 11 to detect exploits used by exploit kits. Windows Defender can also detect the malware that exploit kits attempt to download and execute.

Windows 10 Enterprise includes Device Guard, which can lock down devices and provide kernel-level virtualization based security.

Windows Defender Advanced Threat Protection alerts security operation teams about suspicious activities, including exploitation of vulnerabilities and the presence of malware, allowing them to detect, investigate, and respond to attacks.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.






Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.