Users are directed to exploit kits in two primary
ways: compromised websites and malvertising. Adversaries will place a
link to an exploit kit landing page into a malicious ad or a compromised
website, or they will use an intermediate link, known as a broker. (These links, positioned between compromised websites and
exploit kit servers, are also referred to as “gates.”) The broker
serves as an intermediary between the initial redirection and the actual
exploit kit that delivers the malware payload to users.
latter tactic is becoming more popular as attackers find they must move
faster to maintain their operational space and evade detection. Brokers
allow adversaries to switch quickly from one malicious server to
another without changing the initial redirection. Because they don’t
need to constantly modify websites or malicious ads to start the
infection chain, exploit kit operators can carry out longer campaigns.