Angler Exploit Kit Updates Zero-Day Exploits For Adobe
When the Blackhole exploit kit closed its final chapter after the arrest of its creator and maintainer Paunch, questions arose about which kit would rise up as its successor. The answer is seemingly here: Angler exploit kit.
The conclusion stems from the kit's steady stream of fresh zero-day exploits for Adobe Flash Player. A zero-day is a vulnerability that is exploited before the vendor knows about it or has a fix available. Researchers at Cisco's Talos group published a report on the most recent Angler Flash zero-day (CVE-2015-0311), which was first spotted in the kit by French researcher Kafeine.
Nick Biasini from Cisco said that some 1,800 domains had been used to serve this exploit, all resolving to just five IP addresses:
“These domains are associated with the landing page and exploits,” Biasini said. “None of the actual root domains appear to be compromised and are legitimately registered to owners.”
The latest Angler/Flash campaign reached its peak on January 28 and 29, with almost 1,400 infections, before it tapered off two days later.
“There are enough of these domains that some of them are only seen once before being abandoned. The majority of the compromised domains are registered through GoDaddy and it appears that 50+ accounts have been compromised,” he said. “Many of these accounts control multiple domains with some controlling 45+ unique domains.”
Cisco published a sample of the sub-domains involved in these attacks; all hang off a single registered domain and all resolve to a single IP address. A separate set of sub-domains serves as the initial redirection page.
The attackers deliver the exploits through malicious online advertisements that point to these attacker-controlled sub-domains. Those sites then redirect to another sub-domain that serves as the landing page and delivers either the Flash exploit or a Microsoft Silverlight exploit, both of which are included in the Angler exploit kit.
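The infrastructure pattern described above (dozens of throwaway sub-domains created under legitimately registered root domains, all pointing at a handful of shared IP addresses while the root's own hostnames point elsewhere) is something a defender can hunt for in resolver logs. The script below is an added example written for this page, not code from Cisco Talos or from the Angler kit. The log format, hostnames, thresholds and RFC 5737 documentation addresses are all constructed and hypothetical, and the registered-domain extraction simply takes the last two labels, so real deployments would want the Public Suffix List for suffixes such as co.uk.

```python
"""Flag domain-shadowing style sub-domains in DNS resolver logs.

Heuristic: for each registered domain, collect the IPs used by its
"expected" hostnames (apex, www, mail). Any other hostname under that
root whose answers share nothing with those IPs is suspicious; a root
with several such hostnames is flagged. IPs that host suspicious
hostnames from more than one flagged root are reported as shared
exploit-serving infrastructure.
"""
import re
from collections import defaultdict

# Constructed sample resolver log (hypothetical names, RFC 5737 addresses).
# flowers-example.com and bakery-example.net show the shadowing pattern;
# example-cdn.org has many sub-domains but they reuse the www IP, so it
# must NOT be flagged.
SAMPLE_LOG = """\
2015-01-28T10:01:02Z client=10.0.0.5 qname=www.flowers-example.com rtype=A rdata=198.51.100.7
2015-01-28T10:01:09Z client=10.0.0.5 qname=ad.flowers-example.com rtype=A rdata=203.0.113.44
2015-01-28T10:01:10Z client=10.0.0.5 qname=hfx2.flowers-example.com rtype=A rdata=203.0.113.44
2015-01-28T10:03:41Z client=10.0.0.9 qname=q9ks.flowers-example.com rtype=A rdata=203.0.113.44
2015-01-28T10:04:12Z client=10.0.0.9 qname=tt01.flowers-example.com rtype=A rdata=203.0.113.44
2015-01-28T10:05:00Z client=10.0.0.9 qname=mail.flowers-example.com rtype=A rdata=198.51.100.7
2015-01-28T10:06:30Z client=10.0.0.7 qname=www.bakery-example.net rtype=A rdata=198.51.100.9
2015-01-28T10:06:33Z client=10.0.0.7 qname=pq7.bakery-example.net rtype=A rdata=203.0.113.44
2015-01-28T10:06:35Z client=10.0.0.7 qname=zz19.bakery-example.net rtype=A rdata=203.0.113.44
2015-01-28T10:07:00Z client=10.0.0.7 qname=k3m.bakery-example.net rtype=A rdata=203.0.113.45
2015-01-28T10:08:00Z client=10.0.0.7 qname=www.example-cdn.org rtype=A rdata=192.0.2.10
2015-01-28T10:08:01Z client=10.0.0.7 qname=img1.example-cdn.org rtype=A rdata=192.0.2.10
2015-01-28T10:08:02Z client=10.0.0.7 qname=img2.example-cdn.org rtype=A rdata=192.0.2.10
2015-01-28T10:08:03Z client=10.0.0.7 qname=img3.example-cdn.org rtype=A rdata=192.0.2.10
"""

# Assumed log layout: key=value fields; only A-record answers are used.
LINE_RE = re.compile(r"qname=(?P<qname>\S+)\s+rtype=A\s+rdata=(?P<ip>\S+)")

# Hostname labels treated as the owner's own, legitimate infrastructure.
LEGIT_LABELS = ("", "www", "mail")


def registered_domain(qname):
    """Naive registered-domain extraction: last two labels (assumption)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_label(fqdn, root):
    """Part of fqdn left of the registered domain ('' for the apex)."""
    return "" if fqdn == root else fqdn[: -len(root) - 1]


def parse_log(text):
    """Return {root: {fqdn: set(ips)}} built from A-record answers."""
    hosts = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-A answers and malformed lines are ignored
        qname = m.group("qname").lower().rstrip(".")
        hosts[registered_domain(qname)][qname].add(m.group("ip"))
    return hosts


def find_shadowed_roots(hosts, min_subdomains=3):
    """Roots with >= min_subdomains hostnames whose IPs never overlap
    the IPs used by that root's apex/www/mail hostnames."""
    findings = {}
    for root, names in hosts.items():
        legit_ips = set()
        for fqdn, ips in names.items():
            if host_label(fqdn, root) in LEGIT_LABELS:
                legit_ips |= ips
        suspicious = {
            fqdn: ips for fqdn, ips in names.items()
            if host_label(fqdn, root) not in LEGIT_LABELS and not (ips & legit_ips)
        }
        if len(suspicious) >= min_subdomains:
            findings[root] = suspicious
    return findings


def shared_exploit_ips(findings, min_roots=2):
    """IPs that serve shadowed hostnames of >= min_roots different roots."""
    roots_by_ip = defaultdict(set)
    for root, names in findings.items():
        for ips in names.values():
            for ip in ips:
                roots_by_ip[ip].add(root)
    return {ip: sorted(r) for ip, r in roots_by_ip.items() if len(r) >= min_roots}


if __name__ == "__main__":
    flagged = find_shadowed_roots(parse_log(SAMPLE_LOG))
    for root, names in flagged.items():
        print(root, "->", sorted(names))
    print("shared IPs:", shared_exploit_ips(flagged))
```

The thresholds are deliberately low so the constructed sample triggers; on real resolver data they should be tuned against a baseline, and roots with CDN-style sub-domains that reuse the owner's own addresses (example-cdn.org here) fall out of the result on their own because their answers overlap the www IP.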
“This is another example of how Angler Exploit Kit continues to differentiate itself. It changes and evolves on a constant basis producing new variation on the existing exploits as well as providing enough customization on the recent vulnerability (CVE-2015-0311) to effectively avoid reliable detection,” Biasini said. “If the first month of 2015 is any indication, the Angler Exploit Kit could have a big year.”
Kafeine spotted the Flash zero-day exploit code in the Angler exploit kit. It was installing the click-fraud malware Bedep, a signature Angler payload. Further analysis showed the exploit injecting the malware directly into the user's browser process.
Adobe first pushed a fix to desktop customers who had Flash auto-update enabled, then published the out-of-band patch generally two days later.