Counter-Infiltration: Future-Proof Counter Attacks Against Exploit Kit Infrastructure

Presented at Black Hat Asia 2018, March 23, 2018, 11:45 a.m. (60 minutes)

Recently, operators behind exploit kit-as-a-service offerings have put more effort into hiding their operational infrastructure while providing better service to their customers. Namely, almost all popular exploit kits nowadays are operated using sophisticated networks of several servers such as proxies or gates, VDS (Virtual Dedicated Server), rotators, uploaders, panel servers, APIs and more. This complex setup makes it very hard for researchers to analyze the inner workings of these networks, thus limiting the information security community's ability to respond to such threats. However, this customer facing approach also exposes the operators to direct attacks from researches. <br> <br> Over the past year, we have replicated several exploit kit infrastructures from leaked sources. This allowed us to gain a deeper understanding of their inner workings, choke points, and weaknesses. We discovered several attacks with the potential to take down an exploit kit that may be performed with nothing but regular customer privileges. We also found that code and design-pattern re-use among different exploit kits is frequent, thus allowing us to use the same attacks against several networks and even discover new malicious servers. It is likely that the same approaches will work for the detection and takedown of future exploit kits as well. In this presentation, we will share our findings, analytical approaches and recommendations for future engagement with similar offerings. We will also share insights into the customers of these services.


  • Yin Minn Pa Pa - Security Researcher, Cyber Security Laboratory, PwC
    Yin Minn Pa Pa is originally from Myanmar and currently working as a researcher at PwC Cyber Services, PwC Japan. Before she came to Japan, she worked as an IT engineer for the government of Myanmar. She earned her doctorate of engineering from Yokohama National University, Japan in 2016. Her research interests include network security, malware analysis, IoT security, web security She was the author of research papers presented and published at the following conferences and journals: RAID 2016, France, ICSS 2016, Japan, USENIX WOOT 2015, USA, CSS 2015, Japan, SCIS 2013, Japan ICSS 2013, Japan, Asia-JCIS 2013, Korea, IWEC 2012, Japan, Journal of Information Processing, Japan (Vol 57, Vol 24, Vol 23).
  • Takahiro Kasama - Senior Researcher, NICT
  • Masaki Kamizono - Head of Laboratory, PwC Cyber Services, PwC Japan
  • Hiroshi Kumagai - Senior Researcher, PwC Cyber Services, PwC Japan