As malware writers are moving to Neutrino and RIG exploit kits (EK) for dispersal needs, security experts are investigating how distribution is innovating, and they are generally signaling a huge change. The exploit kit traffic is just a small proportion of what it previously was dropping a whopping 96% since early April.
The summer of 2016 begins with a serious change around the malware landscape, powered by the evident decline of several of the biggest names out there: the Angler and Nuclear exploit kits, as well as the Necurs botnet, which helped bring down Dridex and Locky ransomware. The malware sector obviously took a hit when all these larger names faded away.
The earliest to vanish was Nuclear, which has been last seen at the end of April, and which was mainly substituted by Angler. Around since 2009, Nuclear is the longest running exploit kit in existence, and it’s still unsure whether its disappearance is permanent. Its controllers may have taken a long holiday and might return eventually.
In April, Check Point analysts released an in depth analysis of the Nuclear infrastructure (PDF), and it was accompanied with a second document about a month ago, when they disclosed that the group associated with the EK is generating around $100,000 per month. They also found that the EK, which had been actively updated in mid-April, was managed by a group of programmers led by a person located in Krasnodar, Russia.
After Nuclear, the Necurs botnet went down at the end of May, which led to Dridex and Locky malware reaching a halt on June 1. Though their infection campaigns added up to over a hundred million spam emails, the two pieces of malware were so strongly related Necurs that they fell alongside it and attempted a slow recovery a week later.
The biggest hit that the malware field took this year was the shutdown of Angler, which had been the most used and effective exploit kit being sold, accounting for nearly two-thirds of all EK visitors in the first three months of the year. Angler’s shutdown, however, may have a reasoning: it seems connected to the recent 50 arrests in Russia which were linked to users of the Lurk malware.