Sweet Orange Web Exploit Kit

Aamir Lakhani wrote a very interesting article on a malware exploitation kit known as Sweet Orange. It is becoming very popular in underground markets and possibly the next Black Hole. The original article can be found HERE

Sweet Orange is a popular exploit kit making it rounds as one of the latest and most popular exploit kits. It can affect the latest Windows operating systems, including Windows 8.1 and Windows 7. It can also exploit newer versions of Internet Explorer, Firefox, and Google Chrome. According to Webroot, “What’s particularly interesting about the Sweet Orange web malware exploitation kit is that just like the Black Hole exploit kit, its authors are doing their best to ensure that the security community wouldn’t be able to obtain access to the source code of the kit, in an attempt to analyze it. They’re doing this, by minimizing the advertising messages posted on invite-only cybercrime-friendly web communities, and without offering any specific details, demos or screen shots unless the potential buyer directly contacts the seller and has a decent reputation within the cybercrime ecosystem”.




You can see from the screenshots, the malware appears to have Russian origins, or at least some of the language is presented in what appears to be a form of Russian. The malware has morphing abilities as well as the ability to evade and turn off sandbox protection. Additionally, it tries to stop and disable active anti-virus and blocks network and Internet access to anti-virus vendors to make it more difficult for users to detect and remove the rootkit.

The rootkit may contain additional malware that could be performing click fraud or other types of advertisements as well. Once installed, the malware will attempt to steal login credentials from banks, email sites, and other valuable information.

The exploit kit has been difficult to track. Authors are trying to keep a low profile and have not released the source code. Currently, they are renting the exploit kit to known hackers on underground boards by invite only. The current rate to rent the exploit kit is approx. $1400 to rent the exploit kit for a week. They are guaranteeing a minimum amount of users. You can also by the exploit kit for $2500.

Sweet Orange initially appeared in 2012, but pretty much disappeared until recently and has been observed on honeypots and sandboxes. The attack normally works by malware downloading an initial payload thru a compromised, but legitimate website that has been compromised. The compromised site redirects the user to the landing site, where the malicious root kit is delivered to the victim.


Once the root kit is delivered to the victim, an attacker can login and remotely use the control panel to control, spy, and steal information from the compromised machine. It will be interesting to see now that Blackhole is not being updated regularly, how popular Sweet Orange will be in the attacker community.s

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.