After the fall of the popular Angler and Neutrino exploit kits, several different exploit kits have been vying for dominance in the resulting power vacuum.

Many of these new exploit kits have been unsuccessful in matching the complexity and innovative quality of the old exploit kits, instead relying on repurposed code and exploits from other exploit kits.

One of them, Terror EK, is no exception.

Based heavily off of the Sundown EK, it was first seen advertised on various underground forums by hacker 666_KingCobra. It was also advertised under the names Blaze, Neptune, and Eris, though with little fanfare.

Even with no unique exploits to call its own, the Terror EK has still seen successful use.

In past campaigns, it spread through malvertising and compromised websites, by exploiting vulnerabilities in Internet Explorer, Flash, and Silverlight to drop Smoke Loader and Andromeda onto victim computers.

As it matured Terror EK began using obfuscated JavaScript code to check the victim’s browser environment before choosing which exploits to use. More recently, it’s spread through compromised websites particularly Zloader malware drop sites.

Though exploit kit activity has fallen in the past year, criminal activity has not. Social engineering attacks, such as documents containing malicious embedded macros, have increased accordingly to make up for the lack of reliable exploit kits.

Enabling TSCritical targets in policies for ThreatSTOP DNS Firewall Service and IP Firewall Service, protects against exploit kits like the Terror EK.If you do not have a ThreatSTOP account, Sign up for a free trial.

If you do have a ThreatSTOP account, instructions to add targets to a DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub. Or contact our Support team.