Exploit Kits

Bart Lenaerts-Bergmans - December 28, 2022

Bad actors are constantly finding new ways to attack the security of businesses. One method for these attacks is using exploit kits. These tools target vulnerabilities and often spread malware to make businesses weaker to future attack. Exploit kit attacks happen in multiple stages and target specific types of security vulnerability.

To stay safe from exploit kit attacks, you must know how they work and what makes them successful. With the proper cybersecurity measures, your business can be safe from exploit kit attacks. By diving into examples of exploit kit attacks, you can gain a better understanding of how they function. Protecting your business from exploit kit attacks is an important part of your cybersecurity.

What is an Exploit Kit?

An exploit kit is a toolkit that bad actors use to attack specific vulnerabilities in a system or code. Once they take advantage of these vulnerabilities, they perform other malicious activities like distributing malware or ransomware. These toolkits are named this way because they use exploits, code that takes advantage of security flaws and software vulnerabilities. While exploits can be written by security teams to prove potential threats, they are usually created by attackers.

Examples of Exploit Kits

Some exploit kits deliver malicious ads on commonly visited websites like YouTube and Yahoo. Others take advantage of flaws in commonly used programs like Adobe Flash Player. Exploit kits like these are even linked to other attacks like ransomware against a variety of organizations. Because they are groups of tools, exploit kits typically work on more than one vulnerability. Some well-known examples of exploit kits include:

  •  Angler exploit kit, a powerful exploit kit discovered in 2013 that attacked Java, Silverlight and Flash. It worked by encrypting and decrypting data using transposition encryption.
  •  HanJuan exploit kit, an exploit kit that cybercriminals used for malware advertising attacks using shortened URLs and false ads in 2015.
  •  Magnitude exploit kit, an exploit kit that targeted browser vulnerabilities of Internet Explorer, which had further exploits added in 2021.
  •  Rig exploit kit, an exploit kit discovered in 2014 that spreads through malware advertisements, hiding malware in downloadable “security software.”

These are just a few examples of prevalent and notable exploit kits. A full list of exploit kits would be extensive, but the important thing to know to protect your business is how they work.

How Exploit Kits Work

Exploit kits usually function the same way, regardless of target or type of malware. This starts by taking advantage of a compromised website. After following through several stages, exploits are executed, releasing malware and disrupting the business’s day-to-day. There are also two-stage exploit kits emerging, meant to work with a much wider net.

How an Exploit Kit Attack Is Executed

The initial setup for an exploit kit is to start with a compromised website. The compromised webpage will begin to redirect traffic to a separate landing page. In the new landing page is malicious code that will examine a victim’s device for any vulnerable browser applications. Once this is done, the exploit kit will follow through several stages until the target is infected with malicious code.

Stages of an Exploit Kit Attack

An exploit kit attack typically happens in the same set of stages, no matter what malware it is carrying or which kind of business is being targeted. This includes exploits such as the zero-day Adobe Reader PDF exploits.

  •   Create a connection to a host environment using a landing page.
  •   Redirect traffic to a different landing page, then detect vulnerabilities where exploits in the toolkit can be used.
  •   Implement the relevant exploits and spread malware across the system.
  •   Execute the malware, infecting the host environment with malicious code

Aside from these standard stages, there is also a two-stage exploit, a type first seen in 2021. These exploits first use a broad attack designed to lure in many people. Then, malware is executed only when those people meet certain criteria. Different exploits target different security vulnerabilities depending on the target of the attack.

Vulnerabilities Targeted by Exploit Kits

Understanding which types of vulnerabilities that exploit kits can and can’t attack can help your business to properly defend against them. Some exploit kits are client-side attacks, meaning they only work when a victim has downloaded malicious content. Stopping malicious code from being downloaded can help reduce security vulnerabilities.

Types of Vulnerabilities Targeted

There are some vulnerabilities that exploit kits are unable to attack. These theoretical vulnerabilities are not exploitable for a variety of reasons. An attacker might lack enough public information to exploit a vulnerability. Authorization and local system access requirements can also prevent exploit kits from working.

For a client-side exploit kit attack, the exploits initiate from the victim who downloaded the malicious code. An example of this is a fake Google Chrome download that hijacks browser activity and delivers custom ad content. Whether an exploit kit is client-side or server-side, it is designed to take advantage of security vulnerabilities such as:

Many vulnerabilities in code exist without any red flags, which means they can go undetected. The list of exploitable vulnerabilities is long, so how can you protect against exploit kits?

How to Protect Against Exploit Kits

Protecting against exploit kit attacks means you need to understand where your business is vulnerable and take appropriate security measures. Exploit kits are widely used because they are simple to execute and often result in significant profit for the attacker. There are several steps you can take to protect you and your business from exploit kit attacks.

Why Exploit Kit Attacks Are Successful

Exploit kits are automated and a popular method of mass malware distribution. This lowers the barrier for attackers, and once an exploit kit has done its job, attackers can easily generate profit. By attacking known security vulnerabilities, exploit kits are very effective. They can also go undetected more easily if you don’t know what activity to look for.

Staying Safe From Exploit Kit Attacks

There are several steps you can take to stay safe from an exploit kit attack executed by a threat actor. The first is to invest in your cloud security. This can mean extra training for cybersecurity teams or purchasing security services. While antivirus programs don’t protect you from everything, they can still be a good line of defense.

Patching software frequently so that it remains up to date can help prevent vulnerabilities from building up in your system. Avoiding ads and popups and never clicking on questionable links are also great preventative measures. By abiding by this advice, you can help prevent cyberattacks from harming your business.


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.