Exploit Kit Leverages Flash Zero Day

Wednesday, June 1, 2016 @ 02:06 PM gHale


It should be no surprise, but a just-patched Adobe Flash Player vulnerability is now a part of a new malvertising campaign that redirects users to the Angler exploit kit (EK), researchers said.

The campaign relies on domain shadowing and professional-looking fake ads sent to ad networks and displayed on legitimate websites, said researchers at Malwarebytes.


In addition, this is a highly targeted attack, serving the malicious code conditionally and redirecting users to the Angler EK after performing a series of checks otherwise known as fingerprinting.

A key element of the campaign is that Angler is taking advantage of the zero-day flaw in Adobe Flash Player that ended up patched May 12. Attackers have also leveraged the vulnerability via specially crafted Office documents, and an exploit for this vulnerability went into the Magnitude and Neutrino EKs last week.

In addition, the ads in this campaign are typically clean, meaning they won’t raise suspicion when someone tries to verify them, said Malwarebytes’ Jérôme Segura in a blog post.

https://blog.malwarebytes.org/cybercrime/2016/05/new-wave-of-malvertising-leverages-latest-flash-exploit/

However, as soon as specific conditions are met, such as a proper referer, user-agent, screen resolution and other parameters, the user gets the rogue version of the JavaScript.

Fingerprinting is used to ensure only specific victims end up redirected to Angler, and the EK leverages the Flash exploit to drop the CryptXXX ransomware on the compromised machines. The bad guys automated the infection chain, meaning it doesn’t require user interaction; the victim only needs to navigate to a website where the malicious ad is appearing.
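The conditional serving described above is why a reviewer who fetches a creative once, from their own desk, sees only the clean version. As an added example (not Malwarebytes’ code; the profiles, host names and the stand-in ad server are all constructed so it runs offline), the Python below requests the same creative under several referer, user-agent and screen-size combinations, normalizes away cache-busters, and flags a creative that does not come back identical for every profile, listing the script hosts that only the minority variant loads:

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Added example, not Malwarebytes' code. Everything here is constructed:
# the profiles, the publisher/CDN host names and the stand-in ad server.


@dataclass(frozen=True)
class Profile:
    """The client attributes the article says the campaign checked before serving."""
    name: str
    referer: str
    user_agent: str
    screen: str  # "WIDTHxHEIGHT" as reported by the browser


# Review a creative under several fingerprints, not just the reviewer's own.
PROFILES = [
    Profile("reviewer_mac", "", "Mozilla/5.0 (Macintosh) Safari", "2560x1440"),
    Profile("win_chrome_direct", "", "Mozilla/5.0 (Windows NT 6.1) Chrome", "1366x768"),
    Profile("win_chrome_via_publisher", "https://publisher.example/article",
            "Mozilla/5.0 (Windows NT 6.1) Chrome", "1366x768"),
    Profile("android_via_publisher", "https://publisher.example/article",
            "Mozilla/5.0 (Linux; Android) Chrome", "360x640"),
]

# Constructed stand-in for the ad server so the checker runs offline. It mimics
# the gating the article describes: a clean banner for everyone except a
# visitor whose referer, user-agent and screen size all match, who gets the
# same banner plus an extra script. {cb} is a per-request cache-buster.
CLEAN_TEMPLATE = '<div class="ad"><img src="https://cdn.example/banner.png?cb={cb}"></div>'
GATED_TEMPLATE = CLEAN_TEMPLATE + '<script src="https://ad-tracker.example/a.js?cb={cb}"></script>'
_calls = [0]


def constructed_ad_server(p: Profile) -> str:
    _calls[0] += 1
    if (p.referer.startswith("https://publisher.example")
            and "Windows" in p.user_agent and p.screen == "1366x768"):
        return GATED_TEMPLATE.format(cb=_calls[0])
    return CLEAN_TEMPLATE.format(cb=_calls[0])


def constructed_clean_server(p: Profile) -> str:
    """An honest creative: identical for every profile apart from the cache-buster."""
    _calls[0] += 1
    return CLEAN_TEMPLATE.format(cb=_calls[0])


SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)', re.I)


def normalize(html: str) -> str:
    # Strip query strings so cache-busters and per-request nonces do not make
    # two copies of the same creative look different.
    return re.sub(r'\?[^"\'\s>]*', "", html)


def review_creative(fetch: Callable[[Profile], str],
                    profiles: List[Profile]) -> Tuple[bool, List[str]]:
    """Fetch the creative once per profile. Returns (is_gated, extra_script_hosts):
    is_gated is True when the profiles did not all receive the same creative, and
    extra_script_hosts lists script hosts that appear only outside the baseline."""
    bodies: Dict[Profile, str] = {p: normalize(fetch(p)) for p in profiles}
    variants: Dict[str, List[Profile]] = {}
    for p, body in bodies.items():
        variants.setdefault(hashlib.sha256(body.encode()).hexdigest(), []).append(p)
    if len(variants) == 1:
        return False, []
    # Treat the variant served to the most profiles as the baseline; the
    # reviewer normally only ever sees this one.
    baseline = max(variants.values(), key=len)[0]
    base_hosts = {urlparse(u).netloc for u in SCRIPT_SRC.findall(bodies[baseline])}
    extra = set()
    for body in bodies.values():
        for url in SCRIPT_SRC.findall(body):
            host = urlparse(url).netloc
            if host not in base_hosts:
                extra.add(host)
    return True, sorted(extra)


if __name__ == "__main__":
    gated, hosts = review_creative(constructed_ad_server, PROFILES)
    print("gated creative:", gated, "extra script hosts:", hosts)
    print("clean creative:", review_creative(constructed_clean_server, PROFILES))
```

The design point is the profile set: the check is only as good as the fingerprints it covers, so a real review harness should draw its referer, user-agent and screen-size combinations from the publisher’s actual audience rather than from the reviewer’s own machine, and should repeat fetches over time, since a campaign can also gate on date or on how many times an address has already been served.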

Researchers said the campaign is using a new redirection mechanism, the programmatic marketing platform Rocket Fuel (rfihub[.]com), a change Proofpoint researchers noticed in early May.

The switch was the result of increased scrutiny on the DoubleClick redirector and resulted in the exploit kit URL launching in an encrypted manner, making attack detection more difficult.

The folks behind this campaign went through numerous ad platforms, including Rocket Fuel, PLYmedia, Zedo, AppNexus, ShareThrough, Rubicon, and DoubleClick, which inadvertently served the malicious ad banners. The top 10 affected websites include dailymotion.com, kijiji.ca, vodlocker.com, answers.com, cda.pl, cbssports.com, m.mlb.com, legacy.com, thechive.com, and cbs.com.