Security Experts:

Angler EK Exploits Recently Patched Flash Bug to Deliver Bedep

The developers of the notorious Angler exploit kit are very good at integrating recently patched or zero-day vulnerabilities. Researchers reported on Monday that the cybercriminals have already added an exploit for a Flash Player flaw fixed by Adobe just two weeks ago.

According to FireEye, the security bug in question is a memory corruption (CVE-2015-3090) vulnerability discovered and reported by Chris Evans of Google Project Zero. The flaw was patched by Adobe on May 11 with the release of Flash Player 17.0.0.188.

At the time when it released the update, Adobe didn’t seem to be aware of any attacks in which the vulnerabilities fixed in Flash Player 17.0.0.188 had been exploited. FireEye says it has now notified Adobe and provided the company access to the exploit.

“The exploit for CVE-2015-3090 involves a race condition in the shader class, in which asynchronously modifying the width/height of a shader object while starting a shader job will result in a memory corruption vulnerability. Angler uses this to execute arbitrary code and infect unpatched users’ systems,” FireEye noted in a blog post.

The French security researcher known as Kafeine has confirmed that an exploit for CVE-2015-3090 has been added to Angler. The expert noted that a fileless thread is used to push Bedep malware and an ad fraud module onto infected systems. It’s not uncommon for the Angler exploit kit to deliver Bedep through Flash Player vulnerabilities, including zero-days.

FireEye published on Monday a detailed analysis of this Bedep attack. According to experts, this is a highly active malvertising operation that involves not just Angler, but several other popular exploit kits as well, including RIG, Magnitude, and Nuclear.

Once it’s infected with the Bedep Trojan, a computer silently engages in ad fraud activity, making a high volume of requests to rogue ad networks. These networks eventually take victims to a host designed to redirect them to the exploit kit. The exploit kit then re-infects the system with malware and the process is repeated, FireEye said.

In addition to the fast integration of exploits, Angler made numerous headlines over the past period thanks to its innovative features. The list includes fileless infections, the use of domain shadowing to evade detection, and breaking the referer chain in malvertising campaigns to make tracking more difficult.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.