The Magnitude EK, active since 2013, is one of the longest-running exploit kits used, with many of its most recent victims coming from Asia. It is usually seen distributing Cerber ransomware.
It survived the downfall of other popular exploit kits of its time, but it’s not being used as widely anymore, as it is no longer being publically rented out.
Similar to other exploit kits, Magnitude uses landing pages, gates, and JavaScript as part of its infection chain. It also uses fingerprinting methods such as checking the operating system, the version of Adobe Flash that the user has installed, and the geographical location of the victim.
Researchers refer to this process as “Magnigate,” as the exploit kit will use this information to profile the user and decide whether or not to infect them with malware.
For example, researchers at Zscaler saw that one of the campaigns using Magnitude would infect people in Taiwan, but ignore users in countries like South Korea.
Users not targeted for malware distribution will instead be served a decoy website.
To help prevent analysis by researchers, some of the landing pages track the IP address of the user to prevent the user from being served exploits multiple times.
Enabling TSCritical and Drive By targets in policies for ThreatSTOP DNS and IP Firewall Services, protects against exploit kits like Magnitude EK. If you do not have a ThreatSTOP account,
If you do have a ThreatSTOP account, instructions to add targets to a DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub. Or contact our