Not long ago, miscreants who wanted to buy an exploit kit — automated software that helps booby-trap hacked sites to deploy malicious code — had to be fairly well-connected, or at least have access to semi-private underground forums. These days, some exploit kit makers are brazenly advertising and offering their services out in the open, marketing their wares as browser vulnerability “stress-test platforms.”
Aptly named after the river in Greek mythology that separates mere mortals from the underworld, the Styx exploit pack is a high-end software package that is made for the underground but marketed and serviced at the public styx-crypt[dot]com. The purveyors of this malware-as-a-service also have made a 24 hour virtual help desk available to paying customers.
Styx customers might expect such niceties for the $3,000 price tag that accompanies this kit. A source with access to one Styx kit exploit panel that was apparently licensed by a team of bad guys shared a glimpse into their operations and the workings of this relatively slick crimeware offering.
The Styx panel I examined is set up for use by a dozen separate user accounts, each of which appears to be leveraging the pack to load malware components that target different moneymaking schemes. The account named “admin,” for example, is spreading an executable file that tries to install the Reveton ransomware.
Other user accounts appear to be targeting victims in specific countries. For example, the user accounts “IT” and “IT2” are pushing variants of the ZeuS banking trojan, and according to this Styx panel’s statistics page, Italy was by far the largest source of traffic to the malicious domains used by these two accounts. Additional apparently country-focused accounts included “NL,” AUSS,” and “Adultamer” (“amer” is a derisive Russian slur used to describe Americans).
An exploit kit — also called an “exploit pack” (Styx is marketed as “Styx Pack”) is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed.
Unlike other kits, Styx doesn’t give a detailed breakdown of the exploits used in the panel. Rather, the panel I looked at referred to its bundled exploits by simple two-digit numbers. This particular Styx installation used just four browser exploits, all but one of which targets recent vulnerabilities in Java. The kit referred to each exploit merely by the numbers 11, 12, 13 and 32.
According to the considerable legwork done by Kafeine, a security blogger who digs deeply into exploit kit activity, Styx Kit exploit #11 is likely to be CVE-2013-1493, a critical flaw in a Java browser plugin that Java maker Oracle fixed with an emergency patch in March 2013. Exploit 12 is almost certainly CVE-2013-2423, another critical Java bug that Oracle patched in April 2013. In an instant message chat, Kafeine says exploit #13 is probably CVE-2013-0422, a critical Java vulnerability that was patched in January 2013. The final exploit used by the kit I examined, number 32, maps to CVE-2011-3402, the same Microsoft Windows font flaw exploited by the Duqu Trojan.
The Styx stats page reports that the hacked and malicious sites used by this kit have been able to infect roughly one out of every 10 users who visited the sites. This particular Styx installation was set up on June 24, 2013, and since that time it has infected approximately 13,300 Windows PCs — all via just those four vulnerabilities (but mostly the Java bugs).