KaiXin Exploit Kit

KaiXin is an exploit kit, first identified in 2012. KaiXin has been delivered via banner ads and JavaScript injection on compromised websites.
KaiXin masquerades as a statistics tracking script and uses URL encoding to trivially obfuscate the injected script.

Threat ID:: CC-1863
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 18 December 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Threat details

The KaiXin injected script prevents the malicious iFrame from being delivered if the requesting user-agent originates from an iOS or Android device. It also saves a dictionary in local browser storage with the current date and number of times the script has been executed to prevent the exploit chain from executing more than once per day and more than five times total.

The initial KaiXin landing page, which has no obfuscation, contains logic for handling different browsers. These landing pages are used to install malware onto a user's device.

Threat updates

Date	Update
8 Aug 2018	KaiXin is currently delivering the Gh0st Remote Access Trojan.

Remediation steps

Type	Step
	Ensure all software is kept up-to-date, including application of regular monthly patches The use of a robust security solution including the use of an intrusion detection and intrusion prevention system Up-to-date anti-virus software providing the latest malware signatures Educating staff on the dangers of clicking on banners

Last edited: 17 February 2020 11:33 am