Security researchers have observed an increase in exploit kit (EK) activity at the beginning of this year, coupled with a series of mutations, which include spreading more malware, Heimdal Security reports.
In a recent blog post, the company’s Andra Zaharia explains that EKs such as Neutrino, RIG and Angler have registered a substantial spike in activity recently, and that they are currently focused on exploiting popular software such as Adobe Flash Player, Reader, and Acrobat as their attack vectors.
The most recent campaign observed by Heimdal Security involves the Neutrino EK and was launched on January 5, 2016. In addition to targeting Adobe Flash Player vulnerabilities for distribution, the EK also uses Google Blackhat SEO poisoning and has started to spread new malware, including ransomware from the Kovter class and from the Cryptolocker 2 family.
According to the security firm, the campaign involves injecting malicious code into legitimate websites, which redirects victims to a selection of dedicated domains connected to new servers controlled by the attackers. The malicious payloads that Neutrino serves to its victims are located on these new servers, where a series of top-level .top domains are also hosted.
The cybercriminals behind this campaign are focused on exploiting outdated Adobe Flash Player installations to infect victims’ systems with ransomware. Furthermore, the payload delivery process appears to have improved, as it now includes various tests to determine whether the browser and Flash Player plugin are up to date and if a debugger is present in the memory.
In addition to determining the Flash Player version number, the EK also checks for PhantomJS, node.js or Rhino, and mainly abuses the CVE-2015-7645 vulnerability in the Flash Player plugin. The security flaw was added to the Angler and Nuclear EKs in early November, less than two weeks after Adobe released a patch for it upon learning that the Russia-linked Pawn Storm threat group was exploiting it in attacks aimed at Foreign Affairs Ministries.
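The pre-delivery checks described above (Flash version probing, headless-engine detection for PhantomJS, node.js or Rhino, and debugger detection) leave recognisable traces in landing-page JavaScript. The following added example, not code from the article or from Heimdal Security, is a small triage heuristic that flags a captured script when it combines two or more of these check categories; the indicator patterns are this example's own assumptions about how such checks commonly appear, and the two sample scripts are constructed, not captured from the campaign.

```python
import re

# Heuristic categories mirroring the pre-delivery checks the article describes.
# The regexes are assumptions about typical JavaScript artefacts of each check,
# not indicators taken from the Neutrino campaign itself.
INDICATORS = {
    "flash_version_probe": [
        r"Shockwave\s*Flash",               # navigator.plugins / mimeTypes lookup
        r"ShockwaveFlash\.ShockwaveFlash",  # ActiveXObject probe on Internet Explorer
        r"\$version",                       # GetVariable("$version") style version read
    ],
    "headless_engine_probe": [
        r"\b_phantom\b|callPhantom",        # PhantomJS-specific globals
        r"process\.versions\.node",         # node.js runtime marker
        r"\bimportPackage\b|\bPackages\.",  # Rhino's Java bridge
    ],
    "debugger_probe": [
        r"\bdebugger\b",                    # debugger-statement timing trick
        r"outerWidth\s*-\s*innerWidth",     # docked DevTools size check
    ],
}


def analyze_script(js: str) -> dict:
    """Report which check categories a script contains.

    A single category (e.g. a Flash feature test) is common in benign pages, so the
    script is only marked suspicious when two or more distinct categories co-occur.
    """
    hits = [cat for cat, pats in INDICATORS.items() if any(re.search(p, js) for p in pats)]
    return {"categories": sorted(hits), "suspicious": len(hits) >= 2}


# Constructed sample resembling a landing-page pre-check (not captured from the campaign).
SAMPLE_LANDING = """
var fv = navigator.plugins["Shockwave Flash"];
if (window._phantom || window.callPhantom) { abort(); }
if (typeof process !== "undefined" && process.versions.node) { abort(); }
var t0 = Date.now(); debugger; if (Date.now() - t0 > 100) { abort(); }
"""

# Constructed benign sample: a lone Flash feature check should not be flagged.
SAMPLE_BENIGN = """
if (navigator.plugins["Shockwave Flash"]) { loadVideoPlayer(); }
"""

if __name__ == "__main__":
    for name, script in (("landing", SAMPLE_LANDING), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_script(script))
```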
The security firm also observed an increase in the activity of the Angler and RIG EKs, with the latter abusing known vulnerabilities in Adobe Flash, Adobe Reader, Adobe Acrobat and Silverlight and using Google Blackhat SEO poisoning to spread malware via drive-by attacks. The RIG campaign is mainly focused on infecting outdated Microsoft Windows PCs by serving malicious URLs in Google search results, Zaharia said.
Some of the infected URLs analyzed by Heimdal Security were hosted on a server at the IP address 192.185.21 [.] 183, which is considered to be entirely harmful. According to the researchers, the server hosts not only drive-by exploit kits, but also tier-1 gateways to the C&C servers, phishing websites and other malicious content.
The EK delivers payloads that include an infostealer from the Pony family and the TofSee Trojan, the latter pointing to an IP address in Scandinavia. RIG exploit kit version 3 has reached an infection success rate of 56 percent on Windows 7 PCs with Internet Explorer 9, mainly by exploiting the CVE-2015-5119 (CVSS Score: 10) and CVE-2015-5122 (CVSS Score: 10) vulnerabilities in Adobe Flash Player.
The CVE-2015-5119 zero-day leaked in early July after a hacker stole 400GB of data from the systems of surveillance software maker Hacking Team, and Adobe immediately patched it, though it had already been exploited in the wild. The CVE-2015-5122 zero-day flaw was discovered one week later in the same leaked data, along with another zero-day, namely CVE-2015-5123.
To stay protected, users are advised to update their Flash Player installations as soon as possible and to ensure that all of their software is up to date at all times. Additionally, they should consider a multi-layered protection system, which increases the chances that security products can discover and prevent malware from infiltrating their systems.