Sweet Orange

Short bio

Sweet Orange is a type of exploit kit, or in other words, malicious code found on compromised websites with the intention to find vulnerabilities on a computer by which said computer can be infected. In addition to compromised websites, they also operate deliberate traps that users get redirected to. Sweet Orange also uses malvertising, where malicious advertisements are placed on legitimate websites.

History

Sweet Orange is very likely of Russian origin and was first described in 2012, offered for hire on cybercrime-related forums. It targets users surfing with Internet Explorer, Chrome, and Firefox. Using vulnerabilities in both the browsers and plugins, the visitor might be using Silverlight, Adobe Flash, or Java. Sweet Orange promised an infection rate of 25% to its customers, where other exploit kits are estimated to have a success rate of around 10%. This quickly made it one of the more popular exploit kits.

Common infection method

No user action is necessary to get infected by these exploit kits. Both known and zero-day vulnerabilities are used. A zero-day vulnerability is a vulnerability that has not been patched yet. The exploit kit checks if there is vulnerable software on the visitor’s computer and uses that as a way to drop the malware payload.

Associated families

Sweet Orange has been known to push the Kovter (Ad Fraud) malware, the Zbot Trojan (Zeus), and the Qakbot Infostealer. But since exploit kits are just a method of infection and they are for hire, you can’t rule anything out.

Remediation

The exploit kit or the redirection to its landing page needs to be removed from compromised sites. Landing pages and SEO traps that redirect to them should be taken down by the providers.

Aftermath

What is necessary to clean up the computer after being infected by an exploit kit depends on the kind of malware that got dropped by the exploit kit. This can range from ad-clickers to ransomware. In some cases, it may be necessary to reformat the computer and change all your passwords.

Avoidance

Site owners should keep their website software updated and visitors should use the latest versions of their browsers and plugins. It also helps to keep the operating system updated. Doing so would only limit the risk, since they would still be vulnerable to zero-day exploits. There are software solutions available against zero-day exploits that will also stop known exploits.

Screenshots

RELATED THREATS

EXPLOIT KITS

Nuclear

Short bio Exploit kits are efficient and effective tools for cybercriminals to distribute malware. Exploit kits include exploits for multiple vulnerabilities...

CONTINUE READING
EXPLOIT KITS

HanJuan

Short bio HanJuan is a stealthy exploit kit specialized in exploiting vulnerabilities in Internet Explorer, Silverlight, and Adobe Flash Player. Their...

CONTINUE READING
EXPLOIT KITS

Fiesta

Short bio Fiesta is an exploit kit that checks the user’s browser and the versions of the plugins he is using....

CONTINUE READING
EXPLOIT KITS

Angler

Short bio Angler was one of the leading exploit kits used by cybercriminals to distribute malware ranging from ransomware and banking...

CONTINUE READING
MALWARE

Trojan dropper

Short bio Downloaders and droppers are helper programs for various types of malware such as Trojans and rootkits. Usually they are implemented...

CONTINUE READING
Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams