
Empire Pack EK

Posted: April 11, 2019

The Empire Pack EK is an update of the RIG Exploit Kit. Although its threat actors aren't selling it on the Dark Web, it is in use for similar drive-by-download attacks that drop threatening software onto vulnerable systems. Users can protect themselves with relevant Web-browsing safety procedures, such as turning off JavaScript, and by having anti-malware programs for removing the Empire Pack EK's payloads.

An Empire Builds Itself on a 'Rigged' Foundation

The threat actors selling the RIG Exploit Kit's Trojan-installing services to other criminals are changing their operations significantly and moving, possibly temporarily, to a private model. This update or fork of the EK uses a new name, the Empire Pack EK, and isn't hireable by third parties. It also boasts some infrastructural changes, although malware experts see no pivot away from the basics of using browser vulnerabilities for dropping harmful software onto victims' systems.

The Empire Pack EK runs on either hacked or intentionally-corrupted websites and uses vulnerabilities like Exploit.CVE-2014-1761.Gen or Exploit:Java/CVE-2013-1493 for downloading and executing files on your computer or mobile device. These attacks generally use an old exploit for features like JavaScript, Java, or Flash, and can compromise devices without the user's consent, or with consent obtained under false pretenses. Such attacks are useful for spreading threats like file-locking Trojans, spyware or RATs.

The Empire Pack EK is, ominously, retooling itself to improve its large-scale coordination of traffic, which implies future campaigns of significant size. In contrast to the older RIG Exploit Kit, the Empire Pack EK supports an internal TDS, or Traffic Distribution System, that lets the threat actors deliver more than one kind of payload without needing a separate thread for each one. This feature also weans the Empire Pack EK off external resources like BlackHat TDS. As usual, the Empire Pack EK can configure its attacks to treat targets differently according to their IP addresses or operating system details, which lets it maximize the payload's compatibility and avoid infecting the wrong targets (such as a cyber-security analysis environment).

Ending Imperial Rule over Your Browser

The Empire Pack EK is a fully-fledged and independent branch of the RIG EK that it springs from, and implements a different API package, RC4 encoding, and other features that imply it is a successor to the old threat's throne. For victims, however, few of its changes make any difference to the necessary forms of protection against it. Malware experts continue advising that users disable scripts and other vulnerable browser features, blacklist domains with histories of threatening activity, and update all software to keep an Empire Pack EK from infecting their systems.

Compromised websites can host Exploit Kits like the Empire Pack EK inadvertently. Site admins should update their software, especially when they're using a prevalent free or commercial CMS, avoid easily crackable passwords, and scan the site periodically for the presence of corrupted code. Most anti-malware brands provide protection for blocking or removing the Empire Pack EK from either side of the equation – the victim, or the host.

The Empire Pack EK may not be a commercial offering yet, but it has all the leverage to go in that direction when its threat actors wish it. More relevantly to most readers, its attacks can succeed based on the frailty of one's browser security, regardless of whether the attack comes from these criminals or from another group.
