
A recently discovered exploit kit dubbed Capesand is being involved in live attacks despite the fact that it’s still under development.
In October 2019, researchers at TrendMicro discovered a new exploit kit dubbed
Experts pointed out that the code of the
“In the middle of October, we found a

Trend Micro uncovered a
The analysis of the source code of the page revealed that its content was copied using the
The
“In the case we identified, the campaign deployed it with their fake
The list of vulnerabilities exploited by the
Another interesting aspect of the
The API request includes the following information on the victims:
- Requested exploit name
- Exploit URL in configuration
- Victim’s IP address
- Victim’s browser user-agent
- Victim’s HTTP referrer
The information is AES encrypted with a pre-generated API key
Further investigation allowed the experts to discover a version of Capesand using exploits for the following vulnerabilities:
- CVE-2015-2419
( IE); - CVE-2018-4878 and CVE-2018-15982 (Adobe Flash)
- CVE-2018-8174 (IE);
“But we did not see the exploit for the newer IE vulnerability CVE-2019-0752 indicated in their source code.” states Trend Micro. “This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the
Experts discovered that crooks are also distributing malicious landing pages via mirrored versions of legitimate websites and use domain names similar to the originals to avoid detection.
“Moreover, the architecture is evolving in the direction of distributing the malicious landing pages via mirrored versions of legitimate websites under domain names similar to the originals’.” concludes the analysis.
“In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms,”
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Capesand exploit kit, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]



