Exploit Kit Uses Flash Vulnerabilities

Thursday, August 6, 2015 @ 08:08 AM gHale

The new version of the RIG Exploit Kit leverages Flash vulnerabilities, mainly two Zero Days discovered last month.

Once infected through these exploits and others, systems end up contaminated with various malicious agents, the most common one, in 70 percent of the cases, being the Tofsee spam bot, said researchers at Trustwave.

Flash Zero Days Abound
Espionage Group Leverages Flash Zero Day
Adobe Patches Flash Zero Day
Adobe Fixes Flash Player Vulnerabilities

As for the source of the infection, Trustwave researchers said “90 percent of the traffic flowing into the various campaigns of the RIG exploit kit were a result of (malicious ads).”

By using the malicious ads, attackers can hit suspicious users like those people who regularly avoid shady websites.

Because malicious ad campaigns can end up delivered through popular websites like Yahoo, CBS and others, victims don’t even have to go out of their comfort zone when navigating the Web to become a victim.

Trustwave researchers said the 3.0 version of the RIG Exploit Kit “attempted to infect 3.5 million machines and succeeded in infecting 1.25 million machines, meaning on average 27,000 infected machines per day.”

That level of infection is a jump over version 2.0, especially knowing the source code leaked and 3.0 uses a similar infrastructure without major changes to its 3-layer system consisting of proxy servers, VDS tunnels, and a backend panel for controlling the exploitation campaigns.

Additionally, to prevent future leaks of its source code, RIG developers have also taken precautionary measures to stop resellers from accessing any of the kit’s source code.