Best Security Search
Security News

Terror Exploit Kit Identified

Computer security experts have identified a new dangerous Terror exploit kit which is used to launch dangerous malware attacks on remote victims.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Terror Exploit Kit Is The Latest Hacking Tool

The Terror exploit Kit is a newly identified hacking kit which is yet to unleash its full arsenal. It was discovered recently by security experts and according to their reports it is a fully capable attacking platform.

The software has been created by an unknown developer or a hacking collective and it is updated constantly by its creators. The Terror Exploit Kit in some of the instances where an attack has been reported has dropped cryptocurrency miners to the infected machines. They are used to generate income for the operators.

The security experts have discovered the hackers have used at least 10 different exploits which include the following:

  1. CVE-2014-6332 – OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka “Windows OLE Automation Array Remote Code Execution Vulnerability.”
  2. CVE-2016-0187 – The Microsoft (1) JScript 5.8 and (2) VBScript 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Scripting Engine Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0189.
  3. CVE-2015-5119 – Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
  4. CVE-2015-5122 – Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.
  5. CVE-2013-1670 – The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site.
  6. CVE-2013-1710 – The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.
  7. CVE-2014-1510 – The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary JavaScript code with chrome privileges by using an IDL fragment to trigger a window.open call.
  8. CVE-2014-1511 – Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remote attackers to bypass the popup blocker via unspecified vectors.
  9. CVE-2014-8636 – The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.
  10. CVE-2015-4495 – The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

The used exploits are a combination of extracted payloads from metasploit and various exploits used by other kits such as Sundown or Hunter.

The landing page created by the developers also includes 8 other exploits that are currently inactive – CVE-2015-3105, CVE-2015-5122, CVE-2015-3113, CVE-2014-0515, CVE-2015-3090, CVE-2015-0359, and CVE-2015-0311 and CVE-2013-2465.

We assume that the kit is still a work in progress and the exploits are still not integrated into the main code as they are have not been fully tested yet. The conducted analysis has concluded that the developer of the virus has crafted multiple test versions. The research shows that the used domains redirect to Sundown landing pages which means that it is likely that a part of the code is based on that exploit kit.

Terror Exploit Kit was found to use only 64-bit executables.

The Terror Exploit Kit and Its Associated Dangers

We have revealed the fact that the Terror EK is still under development. We know that the threat is partially based on Sundown and that gives us an early advantage.

However the fact that Terror EK uses so many software exploits and is adding more payloads and possibilities in its arsenal makes it a very dangerous weapon in the hands of any computer criminal. Exploit kits are modular in nature and they can easily be customized to initiate various attacks.

This is the reason why computer users should always use trusted anti-virus and anti-spyware tools as they can easily detect, remove and protect them against such threats.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.