Attackers try to use the new Capesand exploit pack with old code

Attackers are testing the Capesand exploit kit, which is still under active development. Analysis showed that the new tool borrows old source code from a similar project that was posted publicly on GitHub about five years ago.

The Capesand exploit kit was first spotlighted during a recent malvertising campaign distributing the DarkRAT and njRAT Trojans. According to Trend Micro researchers, in mid-October the campaign used Adobe Flash and Internet Explorer exploits from the RIG exploit kit to deliver its malware, and by the end of the month the operators began experimenting with Capesand.

As a decoy, the attackers used a copy of a blockchain blog post into which they embedded a hidden iframe that loads the malicious landing page.

Capesand's code turned out to be very simple in comparison with other exploit kits.

“The Capesand exploit kit’s code is quite simple compared with other kits. Almost all of Capesand’s functions reuse open-source code, including the exploits, obfuscation, and packing techniques. Further monitoring revealed that its users are actively using it despite its seemingly unfinished state,” the researchers reported.

Its authors based it on the long-standing open-source project Demon Hunter, from which they borrowed almost every technique, including the exploit delivery, its obfuscation and its packing.

At the same time, the copyists updated the kit by adding newer exploits to the package.

Researchers found four exploits in Capesand's arsenal: two for Adobe Flash (CVE-2018-4878 and CVE-2018-15982) and two for Internet Explorer (CVE-2018-8174 and CVE-2019-0752). The last of these was first seen in real attacks last summer, when attackers used the then-new exploit to deliver the SLUB backdoor through two compromised sites in a watering-hole campaign.

Further monitoring of Capesand's attacks showed that it also exploits another Internet Explorer vulnerability, CVE-2015-2419, and that the CVE-2019-0752 exploit referenced in the source code is not yet used in attacks. Apparently the authors of the new tool have not yet managed to integrate all the exploits they plan to use.

Notably, Capesand's client-side code does not contain the exploits themselves; it requests them from the server through an API. The request carries the name of the exploit, the exploit URL (taken from the configuration file), the victim's IP address and the User-Agent string. All of this is encrypted with a configured AES key, which the server checks before returning the exploit payload.

Once the exploit succeeds, a file named mess.exe is downloaded to the victim's machine; during Trend Micro's testing it also attempted to exploit CVE-2018-8120 to elevate privileges on Windows. That was followed by the execution of njcrypt.exe, a heavily obfuscated .NET application responsible for delivering the final malware. In Trend Micro's case that turned out to be njRAT version 0.7d.
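One way to catch the infection chain described above on an endpoint is to correlate process-creation telemetry for a browser that launches an executable from a user-writable location and that executable then launching further stages. The following is an added example, not from the article or from Trend Micro; the event field names, the list of browsers and paths, and the sample events (which only reuse the file names the article reports) are all constructed for illustration:

```javascript
// Added illustration, not from the article or Trend Micro: correlating
// Sysmon-style process-creation events to flag the chain described above
// (browser -> dropped executable in a user-writable path -> second-stage
// loader). Field names and the sample events are constructed.
const BROWSERS = new Set(['iexplore.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe']);
const USER_WRITABLE = [/\\AppData\\Local\\Temp\\/i, /\\Users\\Public\\/i, /\\Downloads\\/i];

// Constructed sample telemetry mirroring the article's file names.
const SAMPLE_EVENTS = [
  { pid: 1000, ppid: 1, image: 'C:\\Windows\\explorer.exe' },
  { pid: 2000, ppid: 1000, image: 'C:\\Program Files\\Internet Explorer\\iexplore.exe' },
  { pid: 3000, ppid: 2000, image: 'C:\\Users\\alice\\AppData\\Local\\Temp\\mess.exe' },
  { pid: 4000, ppid: 3000, image: 'C:\\Users\\alice\\AppData\\Local\\Temp\\njcrypt.exe' },
  { pid: 5000, ppid: 1000, image: 'C:\\Windows\\System32\\notepad.exe' },
  { pid: 6000, ppid: 2000, image: 'C:\\Program Files\\Adobe\\AcroRd32.exe' }, // benign browser child
];

const baseName = p => p.split('\\').pop().toLowerCase();
const inUserWritable = p => USER_WRITABLE.some(re => re.test(p));

// For every executable a browser launched from a user-writable location,
// walk its descendants and collect the ones that also run from such
// locations; the result is the stage list for the analyst.
function findDropperChains(events) {
  const byPid = new Map(events.map(e => [e.pid, e]));
  const childrenOf = pid => events.filter(e => e.ppid === pid);
  const chains = [];
  for (const e of events) {
    const parent = byPid.get(e.ppid);
    if (!parent || !BROWSERS.has(baseName(parent.image)) || !inUserWritable(e.image)) continue;
    const stages = [baseName(e.image)];
    const stack = [e.pid];
    while (stack.length) {
      for (const c of childrenOf(stack.pop())) {
        if (inUserWritable(c.image)) {
          stages.push(baseName(c.image));
          stack.push(c.pid);
        }
      }
    }
    chains.push({ browserPid: parent.pid, rootPid: e.pid, stages });
  }
  return chains;
}
```

The rule keys on the parent-child relationship rather than on the file names, so a renamed mess.exe still trips it; the cost is that legitimate installers run from Downloads will also match, which is why the stage list, and not just the hit, is what should reach the analyst.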

The researchers believe Capesand is still under development and is evolving in a direction that may let it serve malicious landing pages from mirrored copies of legitimate sites hosted on typosquatted domains.
About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
