
Capesand Exploit Kit

Capesand is a newly observed exploit kit believed to be based on the older Demon Hunter kit. Despite appearing to still be in active development, it has proven popular on dark web forums and has been used in a number of campaigns globally.




Threat details

Unlike most exploit kits, Capesand does not by default include any exploits in its source code. Instead, Capesand's authors provide a packaged frontend, controllable through an API, for affiliate users to deploy on their own servers. When a target user visits a webpage hosted by an affiliate's server, Capesand will attempt to collect their information. This is then sent to the API, which will download an exploit module from an author-controlled server before deploying it. If successful, the exploit module is then removed from the frontend, likely as a means to prevent sharing of Capesand's exploit code.

Capesand is able to exploit vulnerabilities in Adobe Flash Player, Internet Explorer, and the Windows VBScript engine, although it is likely that further exploits will be added in future campaigns. At the time of publication, it has been observed delivering the DarkRAT and njRAT remote access trojans.



Remediation steps


To prevent and detect an infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset on a clean computer.
  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.
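As an added illustration of the proxy-log monitoring step above (example code written for this page, not part of the advisory or of any vendor product), the following script looks for the drive-by sequence the threat details describe: a client requests a landing page, is then served browser-side exploit content (such as a Flash object), and shortly afterwards downloads an executable. The log format, the content-type-to-stage mapping, the 60-second window and the sample log lines are all constructed assumptions for this example.

```python
"""Flag proxy-log clients whose request sequence matches a drive-by exploit-kit
chain: landing page, then plugin/script exploit content, then an executable
download, all from one client inside a short window.

The log layout (timestamp, client IP, URL, Content-Type, HTTP status) is an
assumed, simplified proxy format; the sample lines below are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
2020-02-14T09:00:01 10.1.1.5 http://landing.example/index.php text/html 200
2020-02-14T09:00:03 10.1.1.5 http://landing.example/fp.js application/javascript 200
2020-02-14T09:00:05 10.1.1.5 http://landing.example/player.swf application/x-shockwave-flash 200
2020-02-14T09:00:09 10.1.1.5 http://landing.example/dl.php?id=1 application/x-msdownload 200
2020-02-14T09:01:00 10.1.1.7 http://news.example/ text/html 200
2020-02-14T09:01:02 10.1.1.7 http://cdn.example/app.js application/javascript 200
2020-02-14T09:30:00 10.1.1.9 http://landing.example/index.php text/html 200
2020-02-14T10:30:00 10.1.1.9 http://files.example/setup.exe application/x-msdownload 200
"""

# Assumed mapping from Content-Type to chain stage.
STAGE_TYPES = {
    "landing": {"text/html"},
    "exploit": {"application/x-shockwave-flash", "text/vbscript"},
    "payload": {"application/x-msdownload", "application/octet-stream"},
}
STAGE_ORDER = ["landing", "exploit", "payload"]
WINDOW = timedelta(seconds=60)  # assumed: whole chain within one minute


def parse_log(text):
    """Parse the simplified log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, url, ctype, status = parts
        try:
            when = datetime.fromisoformat(ts)
            records.append({"time": when, "client": client, "url": url,
                            "ctype": ctype, "status": int(status)})
        except ValueError:
            continue
    return records


def stage_of(record):
    """Map one request to a chain stage, or None if it is not of interest."""
    for name, types in STAGE_TYPES.items():
        if record["ctype"] in types:
            return name
    return None


def find_chains(records, window=WINDOW):
    """Return {client: [urls]} for each client that completed
    landing -> exploit -> payload in order, within `window` of the landing request."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["status"] == 200:  # only successfully served requests matter
            by_client[r["client"]].append(r)

    hits = {}
    for client, reqs in by_client.items():
        for i, start in enumerate(reqs):
            if stage_of(start) != "landing":
                continue
            want, chain = 1, [start["url"]]
            for r in reqs[i + 1:]:
                if r["time"] - start["time"] > window:
                    break  # too slow to be one drive-by chain
                if stage_of(r) == STAGE_ORDER[want]:
                    chain.append(r["url"])
                    want += 1
                    if want == len(STAGE_ORDER):
                        hits[client] = chain
                        break
            if client in hits:
                break
    return hits


if __name__ == "__main__":
    for client, chain in find_chains(parse_log(SAMPLE_LOG)).items():
        print(client, "->", " ; ".join(chain))
```

On the sample data only 10.1.1.5 is flagged: 10.1.1.7 never fetches exploit or payload content, and 10.1.1.9 downloads an executable an hour after its landing page with no exploit stage in between. The content-type heuristic is deliberately narrow; VBScript exploit content is often served inline within the HTML page, so in practice this sequence check should be combined with the other signals available in the proxy and firewall logs rather than relied on alone.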


CVE Vulnerabilities

Last edited: 14 February 2020 2:59 pm