
HanJuan Exploit Kit

By GoldSparrow in Malware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 207
First Seen: June 25, 2015
Last Seen: August 28, 2022
OS(es) Affected: Windows

The HanJuan Exploit Kit is an exploit kit that, until recently, was unknown to PC security researchers. The first signs of the HanJuan Exploit Kit appeared in the summer of 2014, but at the time it was unclear exactly what kind of attack was being carried out. Today, PC security analysts know that the 'unknown' exploit kit used in those attacks was the HanJuan Exploit Kit. One reason malware researchers were unsure about its nature is that many existing exploit kits, together with the redirecting scripts that feed them, use misleading tactics to make PC users believe they are new threats, which wastes PC security analysts' time. However, the tactics used by the HanJuan Exploit Kit in its early days were novel enough to catch the attention of malware researchers around the world.

Digging into the Inner Workings of the HanJuan Exploit Kit

Many malware researchers have helped clarify exactly how the HanJuan Exploit Kit works and carries out its attack. What gave away the identity of the HanJuan Exploit Kit was a distinctive traffic pattern: the URLs used in the HanJuan Exploit Kit attacks were completely new, not seen in other types of exploit kit attacks, and the HanJuan Exploit Kit's size did not match the file size of any known exploit kit.

The HanJuan Exploit Kit targets vulnerabilities in two programs: Adobe Flash and Microsoft Silverlight. Most exploit kits try several attack vectors simultaneously. The HanJuan Exploit Kit is more discerning, trying one exploit at a time before moving on to the next, and it gives preference to Silverlight exploits before attempting Flash exploits. Although this may seem less powerful, it is substantially more effective, since it makes the job of security software and PC security researchers much harder than normal. The HanJuan Exploit Kit uses these vulnerabilities to download and execute a threatening file on the targeted computer. Before doing so, it performs a thorough check for any services, applications, memory processes and other characteristics associated with the virtual environments or sandboxes that PC security analysts use to study threats. The HanJuan Exploit Kit also uses substantial obfuscation to make its attacks and characteristics harder for security researchers to observe.
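The Silverlight-first, one-exploit-at-a-time ordering described above is something a defender can look for in web proxy logs. The following is an added detection example, not code from the original page; it assumes a constructed five-field log format and constructed sample lines, and keys on the plugin content types rather than on any real HanJuan URL.

```python
"""Heuristic: flag clients that fetch a Silverlight app and then a Flash object
from the same host within a short window (the ordering reported for this kit)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not real HanJuan traffic).
# Fields: timestamp client host path content-type
SAMPLE_LOG = """\
2015-06-25T10:00:01 10.0.0.5 ads.example.test /landing.html text/html
2015-06-25T10:00:03 10.0.0.5 ads.example.test /x1.xap application/x-silverlight-app
2015-06-25T10:00:09 10.0.0.5 ads.example.test /x2.swf application/x-shockwave-flash
2015-06-25T10:00:12 10.0.0.5 ads.example.test /dl.exe application/octet-stream
2015-06-25T10:05:00 10.0.0.7 video.example.test /player.swf application/x-shockwave-flash
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
SILVERLIGHT = "application/x-silverlight-app"
FLASH = "application/x-shockwave-flash"


def parse_log(text):
    """Parse the constructed five-field format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, host, path, ctype = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "host": host, "path": path, "ctype": ctype})
    return events


def find_sequential_plugin_probes(events, window=timedelta(seconds=60)):
    """Return (client, host, silverlight_ts) for every client/host pair where a
    Silverlight fetch is followed by a Flash fetch within `window`."""
    by_pair = defaultdict(list)
    for e in events:
        if e["ctype"] in (SILVERLIGHT, FLASH):
            by_pair[(e["client"], e["host"])].append(e)
    hits = []
    for (client, host), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if first["ctype"] != SILVERLIGHT:
                continue
            later = evs[i + 1:]
            if any(l["ctype"] == FLASH and l["ts"] - first["ts"] <= window for l in later):
                hits.append((client, host, first["ts"].isoformat()))
                break  # one hit per client/host pair is enough
    return hits


if __name__ == "__main__":
    print(find_sequential_plugin_probes(parse_log(SAMPLE_LOG)))
```

The second client fetches only a Flash object, so it is not flagged; only the Silverlight-then-Flash sequence on the first host is reported.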

The HanJuan Exploit Kit is being used to deliver browser hijackers and to install numerous PUPs (Potentially Unwanted Programs) at once, which then carry out their own attacks and profit from advertising on the affected computer. The HanJuan Exploit Kit has become notorious for keeping its attacks quiet, which makes it very difficult for PC security analysts to blacklist the IP addresses associated with it or to locate its servers geographically. In fact, malware analysts suspect that the HanJuan Exploit Kit has been active for much longer than is currently confirmed, but has been particularly effective at evading detection or blending in with other types of exploit kits.

Payloads that may be Associated with the HanJuan Exploit Kit

The HanJuan Exploit Kit has been associated with numerous payloads in the last year. The HanJuan Exploit Kit itself merely exploits vulnerabilities on the victim's computer in order to deliver corrupted files or execute threatening code; the code or files delivered vary with the attacker's intentions. For all intents and purposes, the HanJuan Exploit Kit could be used to deliver a perfectly harmless file to a computer (although there is no practical reason to do so). Recently, malware analysts observed HanJuan Exploit Kit attacks that used compromised advertisements to deliver threatening information-collecting Trojans designed to gather victims' credit card and online banking information.
