Exploit kit adds rare Chrome browser attack chain

The operators of the Magnitude exploit kit have added support for an attack chain targeting the Chrome web browser, a rare sighting since the very few exploit kits that are still active today have only targeted Internet Explorer over the past few years.

Exploit kits (EKs) are web applications installed on websites that work by detecting the user's browser and launching a web-based exploit to infect the visitor's computer with a payload (malware).

Exploit kits have been used by malware gangs since the late 2000s and were a crucial part of the malware ecosystem in the first half of the 2010s.

Together with email spam, exploit kits were the two most common ways that malware groups targeted and infected users for more than a decade, being used in both cybercrime operations but also by nation-state cyber-espionage efforts.

Their usage began to decline in the late 2010s because of several law enforcement crackdowns against some EK operators and as browser vendors started adding security features to prevent easy exploitation by EK operators.

All in all, EKs have barely had any significant impact on the cybersecurity landscape since 2017, but that hasn't stopped some threat actors from developing new ones.

Over the past four years, several exploits kits like Spelevo, Fallout, RIG, Underminer, RouterEK, and Magnitude have been released, and most of these have been fringe players on the threat landscape.

During that time, EK operators also lost their best programmers who left to work with other cybercrime operators. For the past few years, instead of researching and deploying their own custom zero-day exploits, most EKs have limited themselves to integrating publicly disclosed vulnerabilities into their exploit arsenals.

Throughout recent years, EK operators only focused on attacking Internet Explorer users, as attacks against more modern browsers usually involved two or three-step exploit chains, which operators could rarely develop on their own or get their hands on.

Right now, Magnitude is one of the most active EKs on the market, regularly seeing updates (in the form of rather new IE exploits) added to its arsenal (see 2020, 2021 reports).

Magnitude adds PuzzleMaker's exploit chain

But today, security firm Avast said it found a new exploit chain in the Magnitude codebase that allows it to target Chrome users, something that hasn't been seen in ages for an EK and considered a holy grail for EK operators since this allows them to target most of today's web users.

#MagnitudeEK is now stepping up its game by using CVE-2021-21224 and CVE-2021-31956 to exploit Chromium-based browsers. This is an interesting development since most exploit kits are currently targeting exclusively Internet Explorer, with Chromium staying out of their reach.

— Avast Threat Labs (@AvastThreatLabs) October 19, 2021

According to Avast, the exploit chain utilizes a Chrome vulnerability patched in April (CVE-2021-21224) to escape the browser's security sandbox and a Windows elevation of privilege patched in June (CVE-2021-31956) to attack the underlying operating system.

While proof-of-concept code has been available for the Chrome exploit since April, code for the Windows bug was never publicly released.

But Avast also points out that this exact same combination of a Chrome and Windows exploit chain was also seen before, earlier this year, in a cyber-espionage campaign discovered by Kaspersky.

Called PuzzleMaker, Kaspersky said the exploit chain didn't have any connections to any previously known threat actor, was hidden inside a legitimate-looking geopolitical news portal, and described the entire operation as "a wave of highly targeted attacks against multiple companies."

Although Avast's discovery is important because of a rare sighting of an exploit kit going after Chrome and Chromium-related browsers, other questions still remain, such as how did a quasi-dead EK group get its hands on such a high-grade exploit chain and how effective is the exploit chain to begin with.

But there's also good news, in the sense that the Windows exploit is not universal and will only work against a small number of Windows 10 versions.

"The attacks we have seen so far are targeting only Windows builds 18362, 18363, 19041, and 19042 (19H1–20H2). Build 19043 (21H1) is not targeted," Avast researchers said.