In the past year, we’ve noticed many changes in how toolkits and exploit kits are being used. For starters, the bad guys are spending more time securing their creations , as well as the servers where their malware will be installed. They do this to prevent leaks, as well as to make things harder for security researchers.
Here are some of the more well-known names, and what’s happened to them recently.
ZeuS has technically always been purchased and installed in a relatively secure way. Many of its users tended to be more technically capable; its author (Monstr/Slavik) was also selective about to whom he sold ZeuS to. ZeuS is secure, stable and able to manage thousands of bots. This is why it became famous in the underground, and why its use remains frequent to this day.
Citadel and IceIX are both malware toolkits that were created using the leaked ZeuS source code as a starting point. They took advantage of ZeuS’s popularity and leaked source code to create their own versions. Aquabox, the author and seller of Citadel, has made improvements to the original ZeuS source code and admin panel, making it attractive to other cybercriminals.