Exploit Kit Leverages Flash Zero Day
Wednesday, June 1, 2016 @ 02:06 PM gHale
It should be no surprise, but a just-patched Adobe Flash Player vulnerability is now a part of a new malvertising campaign that redirects users to the Angler exploit kit (EK), researchers said.
The campaign relies on domain shadowing and professional-looking fake ads sent to ad networks and displayed on legitimate websites, said researchers at Malwarebytes.
In addition, this is a highly targeted attack, serving the malicious code conditionally and redirecting users to the Angler EK after performing a series of checks otherwise known as fingerprinting.
One of the key elements of the campaign is that Angler takes advantage of the Zero Day flaw in Adobe Flash Player that ended up patched May 12. Attackers also leverage the vulnerability via specially crafted Office documents, and an exploit for this vulnerability went into the Magnitude and Neutrino EKs last week.
In addition, the ads in this campaign are typically clean, meaning they won’t raise suspicion when someone tries to verify them, said Malwarebytes’ Jérôme Segura in a blog post.
Fingerprinting ends up used to ensure only specific victims will end up redirected to Angler, and the EK leverages the Flash exploit to drop the CryptXXX ransomware onto the compromised machines. The bad guys automated the infection chain, meaning it requires no user interaction beyond the victim navigating to a website where the malicious ad is appearing.
Researchers said the campaign is using a new redirection mechanism, the programmatic marketing platform Rocket Fuel (rfihub[.]com), a change noticed by Proofpoint researchers in early May.
The switch was the result of increased scrutiny on the DoubleClick redirector and resulted in the exploit kit URL launching in an encrypted manner, making attack detection more difficult.
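The chain described above (legitimate site, ad network redirector, domain-shadowed subdomain, Flash object) leaves a recognizable trace in web proxy logs. The following Python script is an added example, not code from Malwarebytes, Proofpoint or the article, showing a defender-side heuristic for spotting it: a request that arrives via an ad-network referrer, lands on a freshly created subdomain of a long-established domain (the domain shadowing signature), and is followed shortly afterwards by a Flash payload from that same host. The log format, the `FIRST_SEEN` table (standing in for a passive-DNS feed), the `.test` hostnames and the client IPs are all constructed for the example; rfihub.com is listed as an ad-network domain only because the article names Rocket Fuel as the redirector used.

```python
"""Heuristic detection of a malvertising -> domain shadowing -> Flash redirect chain in proxy logs.

Added example: the log format, hostnames and first-seen table are constructed, not taken from
the article. The only real domain used is rfihub.com, which the article names as the redirector.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    referrer: str      # "-" when the request carried no Referer header
    content_type: str


# Ad-network / redirector domains an ad banner may legitimately bounce through.
# rfihub.com is named in the article; adnetwork.example is a placeholder.
AD_NETWORKS = {"rfihub.com", "adnetwork.example"}

# Constructed stand-in for a passive-DNS "first seen" feed. Domain shadowing creates
# brand-new subdomains under a domain that has been registered for years.
FIRST_SEEN = {
    "rfihub.com": datetime(2008, 1, 1),
    "legit-business.test": datetime(2009, 3, 1),
    "cdn.legit-business.test": datetime(2012, 6, 1),     # old, benign subdomain
    "abc123.legit-business.test": datetime(2016, 5, 18),  # two days old at log time
}


def registered_domain(host: str) -> str:
    """Naive registrable-domain extraction (last two labels); enough for the sample data."""
    return ".".join(host.split(".")[-2:])


def is_ad_network(host: str) -> bool:
    return registered_domain(host) in AD_NETWORKS


def looks_shadowed(host: str, now: datetime, max_age_days: int = 7) -> bool:
    """Subdomain first seen within max_age_days, under a parent domain older than a year."""
    parent = registered_domain(host)
    if host == parent:
        return False
    seen, parent_seen = FIRST_SEEN.get(host), FIRST_SEEN.get(parent)
    if seen is None or parent_seen is None:
        return False
    return (now - seen) <= timedelta(days=max_age_days) and (now - parent_seen) > timedelta(days=365)


def parse_log(text: str) -> list:
    """Constructed format: '<iso-timestamp> <client> <url> <referrer|-> <content-type>' per line."""
    reqs = []
    for line in text.strip().splitlines():
        ts, client, url, ref, ctype = line.split()
        reqs.append(Request(datetime.fromisoformat(ts), client, url, ref, ctype))
    return reqs


def find_chains(requests: list, window: timedelta = timedelta(seconds=30)) -> list:
    """Return (client, ad_network_host, shadowed_host, flash_url) for each suspicious chain."""
    by_client = defaultdict(list)
    for r in requests:
        by_client[r.client].append(r)

    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, r in enumerate(reqs):
            host = urlparse(r.url).hostname
            ref_host = urlparse(r.referrer).hostname if r.referrer != "-" else None
            # Step 1: arrived from an ad network onto a freshly minted subdomain.
            if not (ref_host and is_ad_network(ref_host) and looks_shadowed(host, r.ts)):
                continue
            # Step 2: the same host serves a Flash object shortly afterwards.
            for later in reqs[i + 1:]:
                if later.ts - r.ts > window:
                    break
                if (urlparse(later.url).hostname == host
                        and later.content_type == "application/x-shockwave-flash"):
                    alerts.append((client, ref_host, host, later.url))
                    break
    return alerts


# Constructed sample log: client 10.0.0.5 follows the malicious chain; 10.0.0.7 loads a
# Flash clip from an old, legitimate subdomain via the same ad network and must not alert.
SAMPLE_LOG = """
2016-05-20T10:00:00 10.0.0.5 http://ads.rfihub.com/banner http://publisher.test/article text/html
2016-05-20T10:00:02 10.0.0.5 http://abc123.legit-business.test/landing http://ads.rfihub.com/banner text/html
2016-05-20T10:00:04 10.0.0.5 http://abc123.legit-business.test/player.swf http://abc123.legit-business.test/landing application/x-shockwave-flash
2016-05-20T10:01:00 10.0.0.7 http://ads.rfihub.com/banner http://publisher.test/article text/html
2016-05-20T10:01:03 10.0.0.7 http://cdn.legit-business.test/clip.swf http://ads.rfihub.com/banner application/x-shockwave-flash
"""

if __name__ == "__main__":
    for alert in find_chains(parse_log(SAMPLE_LOG)):
        print("suspicious chain:", alert)
```

The two-part check matters: a Flash object served through an ad network is routine, and a new subdomain on its own is routine, but a new subdomain of an old domain reached only via an ad-network referrer and immediately serving Flash is the shape of the chain the article describes. In production the `FIRST_SEEN` lookup would come from passive DNS and the registrable-domain logic from a public-suffix list.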
The folks behind this campaign went through numerous ad platforms, including Rocket Fuel, PLYmedia, Zedo, AppNexus, ShareThrough, Rubicon, and DoubleClick, which inadvertently served the malicious ad banners. The top 10 affected websites include dailymotion.com, kijiji.ca, vodlocker.com, answers.com, cda.pl, cbssports.com, m.mlb.com, legacy.com, thechive.com, and cbs.com.