Exploit Kit still sharpens a sword

Note: This blog post doesn’t make sense to many

It’s 2021 now. Moreover, the quarter has already passed. I thought Drive-by Download attack was dead four years ago. Angler Exploit Kit has disappeared, pseudo-Darkleech and EITest campaign have disappeared, and RIG Exploit Kit has also declined. At that time, Drive-by Download attack was definitely supposed to die. However, even if in 2021, it will not disappear fire still slightly.

In April 2021, I received some incredible notices. For example, there are the following notifications.

Repeat again. It’s 2021 now. Not 2017. Internet Explorer was taken away by Chrome and Edge, and Drive-by Download attack was supposed to die. Why are there still Drive-by Download attacks? Here are some reasons, including the opinions of your friends.

  1. Internet Explorer is still used in some countries/regions including Japan
  2. Due to the influence of corona, remote work has increased, and the number of users with network security vulnerabilities has increased
  3. Internet Explorer vulnerabilities still discovered and exploit code published

In reality, these are intricately intertwined, and there may be different reasons.

In any case, Drive-by Download attacks are still being observed. Moreover, it is a little more active. This is irrelevant for most people. Because most people don’t use Internet Explorer. If you don’t use Internet Explorer, a typical Exploit Kit attack is not a threat. A small number of targeted attacks may use Chrome’s 0day, which is not discussed here.

For the few enthusiastic Internet Explorer users that exist, I write this blog post. In other words, as of April 2021, I will introduce the characteristics of common Drive-by Download attacks that you may encounter. Thanks to my friends (@jeromesegura, @nao_sec members) for helping me write this blog post.

Exploit Kit Landscape

As of April 2021, the following 6 types of Exploit Kits have been observed to be active.

nao_sec has been running a fully automatic Drive-by Download attack observation environment called Augma System[1] for three years. The data observed by this is as follows. Some Exploit Kits are not counted because they are observed in different environments.

The features of the 6 types of Exploit Kits currently observed are as follows.

  Private Update Exploit
RIG No Yes CVE-2020-0674, CVE-2021-26411
Spelevo No No CVE-2018-8174, CVE-2018-15982
PurpleFox Yes Yes CVE-2021-26411
Underminer Yes No CVE-2018-15982
Bottle Yes Yes CVE-2020-1380, CVE-2021-26411
Magnitude Yes Yes CVE-2021-26411

Here is sample traffic for each.

RIG Exploit Kit

RIG is an Exploit Kit that has been active since around 2014. It was extremely active from 2016 to 2017, but then declined with the advent of Fallout and others. However, it is still active in 2021.

RIG started abusing CVE-2021-26411 in April 2021 and are still incorporating changes. Landing Pages are not obfuscated as they used to be. Very simple code. The malware is RC4 encrypted.

Download sample traffic here.

Spelevo Exploit Kit

Spelevo is an Exploit Kit that appeared in 2019. 2020 was very mature, but 2021 is one of the most active Exploit Kits.

Spelevo hasn’t changed for a long time. Spelevo hides the malware in the image. See this article[2] for detailed behavior.

Download sample traffic here.

PurpleFox Exploit Kit

PurpleFox is an Exploit Kit that has been active since 2019. A private exploit kit for sending PurpleFox malware. It’s enthusiastic about exploit and is fairly fast at incorporating new vulnerabilities.

Spelevo has started to exploit CVE-2021-26411 in April 2021. However, the other parts have not changed for a long time.

Download sample traffic here.

Underminer Exploit Kit

Underminer is an Exploit Kit that appeared in 2018. It’s a pretty distinctive Exploit Kit. It is known to be extremely difficult to analyze. It is used to deliver its unique malware called Hidden Bee. See this article[3] for more details.

Underminer has a cycle of activity for several months and then silence for several months. It has been silent since the November 2020, but was revived in April 2021. But the essence hasn’t changed at all.

Download sample traffic here.

Bottle Exploit Kit

Bottle is an Exploit Kit that appeared in 2019. An extremely rare Exploit Kit that targets only Japan. It is used to deliver its unique malware called Cinobi.

It is one of the most active Exploit Kits in Japan. It has not been observed since November 2020, but it was revived in April 2021. It’s also worth noting that unlike other Exploit Kits, it exploits CVE-2020-1380 and CVE-2021-26411. It has been pointed out that it is related to MageCart and phishing campaigns. See this article[4] for more details.

Download sample traffic here.

Magnitude Exploit Kit

Magnitude is one of the oldest existing Exploit Kits. It has been observed only in certain countries/regions such as South Korea and Taiwan, and the details have not been reported much.

Its activity was also reported in April 2021. It exploits CVE-2021-26411 and is still actively evolving.

One more: #MagnitudeEK pic.twitter.com/pOuIZzAPZG

— Jérôme Segura (@jeromesegura) April 14, 2021


Drive-by Download attacks are still observed in 2021. It has nothing to do with most people. As with Adobe Flash Player, stop using Internet Explorer immediately. That is the simplest solution. Drive-by Download attacks continue to exist with Internet Explorer.


[1] https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-KoikeChubachi.pdf
[2] https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit
[3] https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/
[4] http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_103_koike-takai_jp.pdf

Royal Road! Re:Dive


We introduced the “Royal Road RTF Weaponizer” in our previous blog [1] (and presented at Japan Security Analyst Conference 2020 and CPX 360 CPRCon 2020). Royal Road is a tool shared by many targeted attack groups believed to belong to China. It’s been a year since our previous blog, and Royal Road is still in use. Here, we will introduce the Royal Road-related attacks observed during 2020.

Previous Blog

Let’s briefly review the previous blog. Royal Road is a tool that generates RTF files that exploit the Microsoft Office Equation Editor vulnerabilities (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802). The details of the tool are unknown, but the RTF file generated by it has various characteristics. The definition of “RTF file generated by Royal Road” may vary from researcher to researcher. Therefore, we define a file that meets the following conditions as an “RTF file generated by Royal Road”.

  1. Exploiting a vulnerability in Microsoft Office Equation Editor
  2. Containing an object named “8.t”

However, some RTF files are likely to be related to Royal Road, even though they don’t meet the second condition. For classification purposes, we refer to this as “Related Samples”. In reality, this may also be an RTF file generated by Royal Road, but the truth is only known to the attacker. Due to the our research, we have divided these into “Royal Road Samples” and “Related Samples”. However, they are treated the same in the specific case studies below.

And Royal Road is shared among various attack groups believed to belong to China. Specifically, it is believed to be used by the following attack groups. The attack group alias is written for reference. Strictly speaking, these can be different. For example, TA428 and Pirate Panda are not exactly equivalent.

  1. Temp.Tick (BRONZE BUTLER, RedBaldKnight)
  2. Temp.Conimes (Goblin Panda, Cycldek)
  3. Temp.Periscope (Leviathan, APT40)
  4. Temp.Trident (Dagger Panda, IceFog)
  5. Tonto (Karma Panda, CactusPete, LoneRanger)
  6. TA428 (Pirate Panda)
  7. Rancor

Also, we categorized the various characteristics of the RTF files used by these groups and showed what they have in common.


It’s been a year since we introduced Royal Road. In the meantime, the RTF file, believed to have been generated by Royal Road, has been used many times in targeted attacks, and several updates have been observed. First of all, we will introduce the updates.

The RTF file generated by Royal Road contains encoded malware. It is decoded by Shellcode after exploit. In our previous blog, we introduced the following 5 encodings.

  1. 4D 5A 90 00 (not encoded)
  2. F2 A3 20 72
  3. B2 A6 6D FF
  4. B0 74 77 46
  5. B2 5A 6F 00

Many of the RTF files we observed in 2020 used the 3rd and 4th encodings. However, a few samples used the new encodings. The following 2 encodings.

  1. A9 A4 6E FE

This encoding can be decoded with code like the following:

dec_data = []

for i in range(len(enc_data)):
    dec_data.append(((int.from_bytes(enc_data[i],  "little") ^ 0x7b) + 0x7b) % 256)
  1. 94 5F DA D8

This encoding can be decoded with code like the following:

dec_data = []
xor_key = 1387678300

for i in range(len(enc_data)):
    for _ in range(7):
        x0 = (xor_key & 0x20000000) == 0x20000000
        x1 = (xor_key & 8) == 8
        x2 = xor_key & 1
        x3 = 1 + (x0 ^ x1 ^ x2)
        xor_key = (xor_key + xor_key) + x3
    dec_data.append(int.from_bytes(enc_data[i], "little") ^ (xor_key % 256))

Our tool for decrypting Royal Road encoded object is already available on GitHub. It also supports the above new encodings.


New Attack Groups

As we mentioned earlier, several attack groups use Royal Road. The following eight attack groups have been observed to use Royal Road (including both Royal Road Samples and Related Samples) during 2020.

  1. Temp.Conimes
  2. Tonto
  3. TA428
  4. Naikon
  5. Higaisa
  6. Vicious Panda
  7. FunnyDream
  8. TA410

Of these, we have already reported on 1-3 attack groups in our previous blog. Temp.Conimes used NewCore RAT to attack Vietnamese organizations. Tonto used Bisonal to attack organizations in East Asia such as Russia.

And the TA428 was also particularly active, using PoisonIvy, Cotx RAT, Tmanger, and nccTrojan to attack East Asian organizations such as Mongolia. We will not cover these individual cases here, but if you are interested, see the IOC chapter. For TA428, the paper [2] and blogs [3][4][5] are available from NSJ (NTT Security Japan). Please refer to that.

For Naikon, CheckPoint Research reported [6], but unfortunately, we could not observe this. Therefore, in the following, we will introduce attack cases related to Royal Road for four groups (5-8).


Higaisa is an attack group that seems to have been active since at least around 2016. It is primarily targeted at North Korean-related organizations and is believed to be aimed at stealing information using AttackBot, PIZ Stealer, and Gh0st RAT.

The blogs have been written by Tencent and Positive Technologies so far [7][8][9], and are attributed to (South) Korea. However, NSJ’s paper [10] showed a connection with Ghost Dragon [11] and PKPLUG [12], and it was reported that it might belong to China.

We observed an attack by Higaisa on Royal Road in March 2020.

The malware executed by the Royal Road RTF was AttackBot. AttackBot is a downloader that has been used by Higaisa since at least April 2018.

Vicious Panda

Vicious Panda is an attack group reported by CheckPoint Research in March 2020 [13]. It is said to belong to China and targets East Asia such as Russia, Mongolia, and Ukraine.

We observed an attack on the Royal Road by Vicious Panda in March 2020.

It has been reported to execute malware similar to Enfal and BYEBY.


FunnyDream is an attack group that is said to have been active since around 2018. It is said to belong to China and targets Southeast Asia such as Vietnam and Malaysia. FunnyDream uses Chinoxy and FunnyDream Backdoor. BitDefender has published a detailed report [14] on FunnyDream.

We observed an attack by FunnyDream from March to May 2020.

Chinoxy is a RAT that has been used by FunnyDream since around 2018. It decoded the config using two numeric data and communicates with the C&C server using its original protocol using Blowfish.


TA410 is an attack group that is said to have been active since around 2016. It is said to belong to China and is suspected to be related to APT10. The report has been published by Proofpoint [15][16][17] and is mainly targeted at public sector in the US. It uses malware called LockBack and FlowCloud.

We observed an attack by TA410 in October 2020.

FlowCloud is a RAT reported by Proofpoint in June 2020. FlowCloud has been reported to be v4 and v5, but the FlowCloud we observed at this time was similar to v4.

Attack case against Japan

In addition to the four attack groups shown so far (Higaisa, Vicious Panda, FunnyDream, TA410), attacks that appear to be related to Royal Road have been observed. Among them, we will introduce an example of attacks on Japan. We are not able to identify which attack group made this attack. If you have any knowledge about it, please share it with us…

The attack on Japan took place in November 2020. The attack began with 2 RTF files attached to the email.

These RTF files did not contain an 8.t object, however did contain an associated object. This is the malware encoded by the 4th (B0 74 77 46) encoding shown above.

The overall picture of the attack is as follows.

The malware executed was an unknown RAT. We call this XLBug RAT because of the characteristics left in this RAT. The RAT held information such as C&C server encoded by Base64 and XOR.

The following commands are implemented in XLBug RAT.

The naming convention and encoding of the encoded object contained in the RTF are similar to those of the TA428. However, we could not say that this was a TA428 attack.


In the previous blog, we summarized the characteristics of attack groups that use Royal Road. We used it to divide the attack groups into two groups. However, by 2020, those characteristics are almost meaningless. It has been standardized or deleted. It’s not as easy to group as it used to be. In the first place, the groups sharing Royal Road should be close. We do not classify further, but if you have any comments please let us know.

Yara Rule

The GitHub repository we shared in the previous blog is still being updated.



The IOC sheet shared in the previous blog is still being updated.



The tool used by Royal Road to decrypt encoded object is still being updated.



The attacks using Royal Road have decreased compared to 2019, but are still ongoing. There are many cases of attacks by TA428 and Tonto, but other attacks by different attack groups (Higaisa, Vicious Panda, FunnyDream, TA410) have also been observed.

The attacks on Japan have also been observed and we were unable to identify this with a known attack group. The use of Royal Road by these unknown attack groups is expected to continue.

In addition to Royal Road, there are other cases, such as the Tmanger family, that appear to share tools among multiple targeted attack groups. We should continue to pay close attention to these tool sharing cases.


“nao_sec” is an independent research team that does not belong to any company. Individuals belong to each company and engage in research, but the activities of nao_sec still maintain their independence from each company. We are grateful to all of you who cooperated with our research activities every day.


[1] nao_sec, “An Overhead View of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
[2] NTT Security Japan, “Operation LagTime IT: colourful Panda footprint”, https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf
[3] NTT Security Japan, “Panda’s New Arsenal: Part 1 Tmanger”, https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger
[4] NTT Security Japan, “Panda’s New Arsenal: Part 2 Albaniiutas”, https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas
[5] NTT Security Japan, “Panda’s New Arsenal: Part 3 Smanager”, https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager
[6] CheckPoint Research, “Naikon APT: Cyber Espionage Reloaded”, https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
[7] Tencent, “APT攻击组织”黑格莎(Higaisa)”攻击活动披露”, https://s.tencent.com/research/report/836.html
[8] Tencent, ““Higaisa(黑格莎)”组织近期攻击活动报告”, https://s.tencent.com/research/report/895.html
[9] Positive Technologies, “COVID-19 и новогодние поздравления: исследуем инструменты группировки Higaisa”, https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/covid-19-i-novogodnie-pozdravleniya-issleduem-instrumenty-gruppirovki-higaisa/
[10] NTT Security Japan, “Crafty Panda 標的型攻撃解析レポート”, https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report
[11] Cylance (BlackBerry), “The Ghost Dragon”, https://blogs.blackberry.com/en/2016/04/the-ghost-dragon
[12] Palo Alto Networks, “PKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia”, https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/
[13] CheckPoint Research, “Vicious Panda: The COVID Campaign”, https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
[14] BitDefender, “A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions”, https://labs.bitdefender.com/2020/11/a-detailed-timeline-of-a-chinese-apt-espionage-attack-targeting-south-eastern-asian-government-institutions/
[15] Proofpoint, “LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards”, https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks
[16] Proofpoint, “LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs”, https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals
[17] Proofpoint, “TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware”, https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new